Behind the Nobitex Hack: A Pattern of Suspicious Fund Movements
The $90 million hack of Iran’s biggest crypto exchange, Nobitex, was bad enough. But now, it looks like the breach might have revealed something even messier. Fresh blockchain data suggests the exchange was moving user funds in ways that—well, let’s just say they don’t look great.
According to a forensic report from Global Ledger, months before the June 18 attack, Nobitex was shuffling Bitcoin around using methods often tied to money laundering. Not exactly the kind of thing you’d expect from a platform people trust with their money.
Peel Chains and One-Time Addresses
The report points to something called “peelchaining”—where large amounts of Bitcoin get split into smaller chunks and bounced through short-lived wallets. It’s a common trick for making money harder to trace. In Nobitex’s case, analysts noticed BTC being moved in steady 30-coin batches, over and over.
Then there were the temporary deposit addresses. These one-use wallets acted like middlemen, funneling funds into new destinations while obscuring the trail. It’s a technique known as “chip-off” transactions, and it’s not exactly standard practice for a legit exchange.
What’s odd is that this wasn’t a reaction to the hack. The patterns were there long before.
The “Rescue Wallet” That Wasn’t
After the breach, Nobitex claimed it moved remaining funds to a new wallet for safety. On the surface, that made sense—blockchain data showed a sweep of 1,801 BTC (around $187.5 million) into a fresh address.
Except the wallet wasn’t fresh at all. Turns out, it had been active since October 2024, quietly collecting those same suspicious 20–30 BTC transfers. So much for emergency measures.
Post-Hack Moves: Business as Usual?
Hours after the hack, Nobitex shifted funds from its compromised hot wallet to another internal address. A full-balance sweep like that usually means the exchange still had control. Then, on June 19, another 1,783 BTC moved to a new destination—matching Nobitex’s public statements about securing assets.
But here’s the thing: the flows didn’t change. The same peel-chain patterns kept happening, almost like the hack was just a blip in their usual routine.
A pro-Israel hacking group, Gonjeshke Darande, later leaked files exposing Nobitex’s internal wallet structure. And the data paints a picture of an exchange that had been cycling funds this way for months. Old wallets linked to Nobitex kept sending Bitcoin to new ones, breaking it into smaller amounts, then repeating the process.
One wallet, bc1q…rrzq, stood out—receiving user deposits before splitting them into those telltale 20–30 BTC chunks.
The Takeaway
The hack didn’t force Nobitex to change its habits. If anything, it just pulled back the curtain on how the exchange had been operating all along. Whether that points to incompetence or something shadier—well, that’s for regulators (or users) to decide.
But one thing’s clear: when an exchange’s emergency measures look exactly like its pre-hack activity, it’s probably not a coincidence.
