Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran’s Crypto Infrastructure

TRM Blog, Insights

On June 18, 2025, Nobitex, Iran’s largest cryptocurrency exchange, was hit by a sophisticated cyberattack attributed to the group Predatory Sparrow. Roughly USD 90 million was drained from hot wallets, with funds routed to addresses containing anti-regime slogans—suggesting a symbolic, politically motivated operation rather than one focused on theft for profit. But the breach took on far greater significance two days later, when the exchange’s entire source code, infrastructure documentation, and internal privacy R&D were leaked online.

TRM Labs analysts reviewed the leaked materials and uncovered an extraordinarily detailed blueprint of how a crypto exchange in a sanctioned jurisdiction can operate with global scale, privacy engineering, and tight integration with the domestic banking system. This is not just a postmortem on a hack—it is a forensic map of an exchange designed to operate in defiance of sanctions, surveillance, and regulatory oversight. Below are the key findings.

A Segmented Wallet Infrastructure Built for Scale

The source code revealed a multi-layered wallet architecture that separated hot and cold wallets across internally routed servers such as coldui.nxbo.ir and wallet.nobitex1.ir. Each component handled a different part of the transaction lifecycle, with its APIs and keys managed separately. Configuration parameters such as LOAD_LEVEL, together with fallback node handling, provided built-in redundancy when a node or upstream service was unavailable.

But segmentation was not absolute. Internal IP-based routing created a potential weakness: once inside the network, an attacker could move laterally between the hot and cold environments. The architecture resembled that of large global exchanges, suggesting that the same risks and attack surfaces apply broadly.

Integration with Iran’s Domestic Banking System

Perhaps most critically, TRM’s analysis showed that Nobitex was deeply embedded within Iran’s fiat payment ecosystem. Live API credentials for platforms like Shetab, PAY.IR, Vandar, and IDPay were hard-coded into the source, enabling real-time fiat deposits, withdrawals, and account verification within the country’s heavily sanctioned financial system.

This wasn’t just an exchange—it was a full-service financial bridge. Users could move funds between Iranian Rials/Toman and crypto seamlessly, bypassing the international banking system. The code demonstrated how crypto rails and domestic banking infrastructure can be fused in sanctioned jurisdictions to create resilient, borderless payment systems.

Privacy Engineering to Evade Surveillance

Nobitex’s developers treated privacy not as a feature, but as a strategic imperative. The leaked source code revealed a suite of anti-surveillance modules, including owshen, zpk, and incentivized_mixer, designed to undermine blockchain intelligence. These tools introduced stealth address generation, transaction batching, output splitting, and real-time endpoint switching, all aimed at defeating clustering and traceability techniques. While it is unclear whether these modules were fully deployed in production, they were deeply integrated into the wallet architecture, suggesting they could be activated selectively. This is supported by internal documentation titled Nobitex Privacy, which outlines a deliberate strategy to evade the detection tools of FinCEN and US-based blockchain intelligence companies through behavior anonymization, timing obfuscation, and blockchain-specific testing.

Screenshot of a Nobitex internal privacy memo leaked alongside the source code. The text outlines Nobitex’s efforts to evade US financial regulations, specifically those enforced by FinCEN, by developing tools to increase transaction anonymity and obscure user identities. According to the memo, the goal was to prevent blockchain analytics from tracing wallet activity or linking users to sanctioned entities, reducing the likelihood of identification.

Notably, according to TRM analysts, VIP users were routed through privileged logic that bypassed standard compliance checks, potentially insulating politically sensitive or sanctioned users from scrutiny. This dual-track system suggests Nobitex wasn't just shielding flows, but actively targeting the blind spots of global monitoring frameworks. The design of this privacy stack was adversarial by nature—meant not merely to protect user data, but to frustrate regulators and analytics providers at scale. For enforcement agencies, this represents a serious escalation: exchanges building in obfuscation by default, capable of masking flows and selectively toggling compliance protections without external visibility.

Cross-Chain Footprint Spanning 25+ Blockchains

Operationally, Nobitex supported over 25 blockchain networks, including Bitcoin, Ethereum, TRON, Solana, XRP, TON, and several newer chains like Avalanche, Cosmos, NEAR, and Aptos. It also integrated with multiple block explorers and data services such as Etherscan, Moralis, and Toncenter.

This cross-chain reach amplified the complexity of tracing flows. A single user or VIP pathway could touch multiple ecosystems, making it harder for compliance teams to detect patterns—especially on chains where analytics coverage is thin or fragmented.

Security Measures with Critical Weaknesses

TRM analysts observed a mature platform when it came to operational tooling and user-facing features. Encryption was widely used, particularly for API secrets and wallet data. Sentry.io was integrated for error monitoring, and Telegram was used extensively for internal alerts.

But development branches told a different story. Master encryption keys were supplied through environment variables, and plaintext credentials and Telegram bot tokens were checked in for non-production environments. A secret held in an environment variable or a development branch is only as well protected as every host, build system, and repository that can read it; once an attacker obtains it, the encryption applied to API secrets and wallet data offers no further protection. These OPSEC gaps likely played a role in enabling such a deep compromise.
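The hard-coded payment-provider credentials described under the banking integration section and the plaintext tokens in development branches described here are the kind of finding a repository secret scan is meant to catch before code is pushed. The following is an added illustration written for this article, not code from the leaked Nobitex repository: a small scanner that flags secret-looking assignments to string literals and Telegram bot tokens by their fixed shape, skips values read from the environment at runtime and obvious placeholders, and uses character entropy to separate random-looking secrets from dictionary words. The sample settings lines, provider names, and variable names are constructed for the example.

```python
"""Scanner for hard-coded credentials in source files.

Added illustration for the article, not code from the leaked Nobitex
repository. The sample lines below are constructed; the provider and
variable names are assumptions chosen to resemble the kinds of values
the text describes.
"""
import math
import re
from dataclasses import dataclass

# A secret-looking variable name assigned a string literal of 8+ characters.
ASSIGN_RE = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASS))"""
    r"""\s*=\s*["'](?P<value>[^"']{8,})["']""",
    re.IGNORECASE,
)
# Telegram bot tokens have a fixed shape: numeric bot id, a colon, 35 token characters.
TELEGRAM_RE = re.compile(r"\b(\d{8,10}):[A-Za-z0-9_-]{35}\b")
# A value read from the process environment at runtime is not a hard-coded literal.
ENV_LOOKUP_RE = re.compile(r"os\.environ(?:\.get)?\s*[\[(]")
# Obvious placeholders are not findings.
PLACEHOLDER_RE = re.compile(r"^(?:x+|changeme|placeholder|your[_-].*)$", re.IGNORECASE)


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score well above dictionary words."""
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "telegram_bot_token" or "hardcoded_literal"
    name: str      # variable name, or the bot id for a Telegram token
    severity: str  # "high" or "medium"


def scan(lines):
    """Return one Finding per line that embeds a credential as a literal."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if ENV_LOOKUP_RE.search(line):
            continue  # runtime lookup: the literal is not in the source
        m = TELEGRAM_RE.search(line)
        if m:
            findings.append(Finding(line_no, "telegram_bot_token", m.group(1), "high"))
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if PLACEHOLDER_RE.match(value):
            continue
        severity = "high" if shannon_entropy(value) >= 3.0 else "medium"
        findings.append(Finding(line_no, "hardcoded_literal", m.group("name"), severity))
    return findings


# Constructed sample: a settings module of the kind the article describes.
SAMPLE_SETTINGS = [
    'PAYIR_API_KEY = "placeholder"',                     # placeholder, skipped
    'VANDAR_SECRET = "sk_9f8e7d6c5b4a3f2e1d0c"',          # high-entropy literal
    'MASTER_KEY = os.environ["MASTER_KEY"]',              # runtime lookup, not flagged
    'TELEGRAM_BOT_TOKEN = "1234567890:AAHhFzk3o_Vx7mP9QwL2dRtY8uN1bC4eXgS"',
    'DB_PASSWORD = "password"',                           # low-entropy literal
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SETTINGS):
        print(f"line {f.line_no}: {f.kind} ({f.name}) severity={f.severity}")
```

Run on the sample, the scanner reports the Vandar secret and the Telegram token as high severity and the weak database password as medium, and leaves the placeholder and the environment lookup alone. Note the caveat the article itself implies: a clean scan only proves the literal is not in the repository, not that the environment variable or the host it lives on is protected.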

Custom Matching Engine and VIP Logic

The codebase also included a proprietary trading and settlement engine, complete with fraud detection, cancellation logic, and fiat-tuned parameters. Many functions were governed by feature flags—such as DISABLE_RECAPTCHA and ALLOW_SMALL_ORDERS—which could be toggled across environments or user types. VIPs again received specialized treatment in how their orders and withdrawals were processed.

This modular structure made the system scalable, but also fragile from a security standpoint. The same logic that allowed for rapid deployment and configuration means that a single misconfigured flag, or an attacker able to change one, could disable a control in production.
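The VIP routing that bypassed compliance checks and the environment- and user-type-scoped feature flags such as DISABLE_RECAPTCHA and ALLOW_SMALL_ORDERS describe the same design problem: a flag resolver in which the most specific override wins for every flag, so a per-tier overlay can switch off a control. The following is an added example written for this article, not Nobitex's own code. It shows that risky resolution beside a hardened form in which compliance-critical flags ignore the per-tier layer and are refused when enabled in production, plus a startup audit that lists every such misconfiguration. The flag names SKIP_KYC_CHECK and SKIP_SANCTIONS_SCREEN, the tier names, and the sample configuration are assumptions constructed for the example.

```python
"""Feature-flag resolution with a compliance guard.

Added example for the article, not Nobitex code. DISABLE_RECAPTCHA and
ALLOW_SMALL_ORDERS are named in the text; SKIP_KYC_CHECK,
SKIP_SANCTIONS_SCREEN, the tier names and the sample configuration are
constructed for this example.
"""
from dataclasses import dataclass

# Flags that switch off a control rather than tune behaviour. They may vary by
# environment but never by user type, and must be off in production.
COMPLIANCE_CRITICAL = frozenset({"DISABLE_RECAPTCHA", "SKIP_KYC_CHECK", "SKIP_SANCTIONS_SCREEN"})


@dataclass(frozen=True)
class FlagConfig:
    base: dict      # defaults
    per_env: dict   # environment name -> overrides
    per_tier: dict  # user tier -> overrides

    def resolve_naive(self, flag, env, tier):
        """Risky pattern: the most specific layer wins for every flag, so a
        per-tier overlay can silently turn off a compliance check."""
        for layer in (self.per_tier.get(tier, {}), self.per_env.get(env, {}), self.base):
            if flag in layer:
                return layer[flag]
        return False

    def resolve_hardened(self, flag, env, tier):
        """Hardened: compliance-critical flags ignore the tier layer and are
        refused outright when enabled in production."""
        layers = [self.per_env.get(env, {}), self.base]
        if flag not in COMPLIANCE_CRITICAL:
            layers.insert(0, self.per_tier.get(tier, {}))
        value = next((layer[flag] for layer in layers if flag in layer), False)
        if env == "prod" and flag in COMPLIANCE_CRITICAL and value:
            raise ValueError(f"{flag} is enabled in prod")
        return value


def audit(cfg):
    """Startup check: report every way the config could disable a control."""
    issues = []
    for tier, overrides in sorted(cfg.per_tier.items()):
        for flag in sorted(overrides):
            if flag in COMPLIANCE_CRITICAL:
                issues.append(f"per-tier override of {flag} for tier {tier!r}")
    effective_prod = {**cfg.base, **cfg.per_env.get("prod", {})}
    for flag in sorted(COMPLIANCE_CRITICAL):
        if effective_prod.get(flag):
            issues.append(f"{flag} enabled in prod")
    return issues


# Constructed configuration in the shape the article describes: flags toggled
# per environment and per user type, with a privileged tier.
SAMPLE_CONFIG = FlagConfig(
    base={
        "DISABLE_RECAPTCHA": False,
        "ALLOW_SMALL_ORDERS": False,
        "SKIP_SANCTIONS_SCREEN": False,
        "SKIP_KYC_CHECK": False,
    },
    per_env={"dev": {"DISABLE_RECAPTCHA": True, "ALLOW_SMALL_ORDERS": True}, "prod": {}},
    per_tier={"vip": {"SKIP_SANCTIONS_SCREEN": True, "ALLOW_SMALL_ORDERS": True}},
)

if __name__ == "__main__":
    print(SAMPLE_CONFIG.resolve_naive("SKIP_SANCTIONS_SCREEN", "prod", "vip"))     # the bypass
    print(SAMPLE_CONFIG.resolve_hardened("SKIP_SANCTIONS_SCREEN", "prod", "vip"))  # screening stays on
    for issue in audit(SAMPLE_CONFIG):
        print("audit:", issue)
```

With the sample configuration, the naive resolver lets the vip tier skip sanctions screening in production while the hardened resolver keeps screening on and still honours the harmless per-tier override of ALLOW_SMALL_ORDERS. The audit surfaces the vip override at startup, which is the point: the decision about which flags may vary by user type belongs in code review and deployment checks, not in whoever can edit a config file.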

Blueprint for Duplication

The modular, well-organized nature of Nobitex’s source code makes it easily forkable. Wallet engines, fiat APIs, and privacy tools are separated into discrete components—offering a plug-and-play model for other exchanges, including those in similarly sanctioned jurisdictions. This raises the risk of code proliferation, where rogue operators reuse Nobitex’s architecture to launch new platforms, extending Iran’s financial influence and creating additional blind spots in the global crypto economy.

A New Intelligence Frontier

The Nobitex breach represents more than a theft—it marks a turning point in crypto-related geopolitical intelligence. It provides unprecedented visibility into how a high-functioning, privacy-aware crypto exchange in a sanctioned regime operates. For federal agencies and compliance teams alike, the case offers critical insights into wallet architecture, privacy defenses, cross-chain operations, and integration with domestic fiat systems.

At TRM Labs, we continue to monitor and map these evolving infrastructures in order to equip stakeholders with the intelligence to trace illicit finance, surface hidden connections, and anticipate the next iteration of this playbook. As actors adapt, so must our tools—and the Nobitex leak offers a rare glimpse into what those adaptations look like in practice.
