June 20, 2025
On June 18th 2025, Iranian Exchange Nobitex was drained of over 100 million USD of assets including ETH, BSC, POL, AVAX, ARB, BTC, TRX among others. These are some facts obtained from blockchain analysis.
1. The incident started with unauthorized access to Nobitex-controlled wallets, which were drained and burned to the following vanity addresses.
- TKFuckiRGCTerroristsNoBiTEXy2r7mNX
- 0xffFFfFFffFFffFfFffFFfFfFfFFFFfFfFFFFDead
- 1FuckiRGCTerroristsNoBiTEXXXaAovLX
- DFuckiRGCTerroristsNoBiTEXXXWLW65t
2. The reason why the 100 million USD is as good as lost is that spending the assets from the above 4 vanity addresses would require knowledge of their private keys, and calculating those would require years of brute-force computation.
Figure 1: Nobitex Compromised Wallets drained of ETH
Figure 2: Nobitex Potentially Implementing Safety Procedure
3. Using our proprietary tool CATV, which feeds from blockchain data, we are able to derive insights into the actions of the hacking group and the subsequent response from the Iranian exchange. For instance, 262 ETH was burned from 2 compromised Nobitex wallets; within a few hours Nobitex managed to restore approximately 6 ETH from the compromised wallets and moved close to 10,000 ETH from its hot wallet to a potentially new wallet as a safety measure. This was observed across other tokens and EVM chains too.
Figure 3: More than 2000 Compromised Wallets drained
Figure 4: Nobitex Potentially Implementing Safety Procedure
4. Similarly, more than 2,000 compromised Bitcoin addresses containing small amounts of BTC were drained of a total of approximately 18 BTC. As on the EVM chains, we saw that around 1800 BTC were moved by Nobitex to a new address, potentially as part of its safety procedure.
Figure 5: Zero Value Transactions from Vanity Address to VASPs.
Figure 6: TransferFrom() function invoked
5. The largest losses were incurred on the TRON blockchain, where more than 100,000 compromised wallets, each holding a small USDT balance, were drained. The most interesting aspect of the TRON activity is that on 20th June 2025 we observed attempts to withdraw funds from the vanity address using the TransferFrom() function of Tron's bonk token. TransferFrom allows another wallet to spend the vanity wallet's funds once the vanity address has approved it; in this case, however, another wallet requested 0-value transactions to make it seem like funds were transferred to several exchanges. Real spending from the vanity address would need its private key.
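The zero-value TransferFrom behaviour described in point 5 can be filtered out during tracing. The following is an added example, not code from CATV or from the original article; it assumes the token uses the standard ERC-20/TRC-20 allowance check, and the class, function and address names are hypothetical placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TransferEvent:
    caller: str   # account that signed the transaction (msg.sender)
    src: str      # "from" field of the Transfer event
    dst: str      # "to" field of the Transfer event
    value: int    # token amount in base units

class Token:
    """Minimal token ledger; assumes the standard allowance check."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}   # (owner, spender) -> approved amount
        self.events = []

    def transfer_from(self, caller, src, dst, value):
        approved = self.allowance.get((src, caller), 0)
        # A value of 0 passes both checks even with no approval at all.
        if value > approved or value > self.balances.get(src, 0):
            return False
        self.allowance[(src, caller)] = approved - value
        self.balances[src] = self.balances.get(src, 0) - value
        self.balances[dst] = self.balances.get(dst, 0) + value
        self.events.append(TransferEvent(caller, src, dst, value))
        return True

def is_spoofed(ev):
    """Zero-value Transfer emitted by someone other than the 'from' account."""
    return ev.value == 0 and ev.caller != ev.src

def real_outflow(events, address):
    """Tokens that actually left `address`, ignoring spoofed events."""
    return sum(e.value for e in events if e.src == address and not is_spoofed(e))

# Constructed sample labels, not real addresses.
BURN, CALLER, VASP = "BURN_VANITY", "THIRD_PARTY", "EXCHANGE_DEPOSIT"

def demo():
    token = Token({BURN: 1_000_000})
    moved = token.transfer_from(CALLER, BURN, VASP, 500)  # no approval: rejected
    faked = token.transfer_from(CALLER, BURN, VASP, 0)    # zero value: accepted
    return token, moved, faked

if __name__ == "__main__":
    token, moved, faked = demo()
    print(moved, faked, token.balances[BURN], [is_spoofed(e) for e in token.events])
```

A tracing pipeline that counts every Transfer event as a fund movement would show the burn address paying an exchange; comparing the transaction signer with the event's "from" field and checking the value removes that false edge.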