
When Crypto Becomes Collateral: What the Nobitex Hack Teaches Us About Political Warfare and Wallet Security

July 03, 2025


In June 2025, Iran’s largest cryptocurrency exchange, Nobitex, was breached in one of the most politically charged hacks the industry has ever witnessed. Nearly $90 million in digital assets were drained from its hot wallets, only to be deliberately burned in a symbolic attack against Iran’s regime.

Unlike traditional financially motivated exploits, this attack was cyber warfare with cryptocurrency as collateral.

At Cobo, we view the Nobitex incident not just as a cautionary tale but as a defining moment. This event is reshaping how exchanges, asset managers, and regulators approach custody, infrastructure security, and resilience in an increasingly politicized threat landscape.

The Nobitex hack was not about profit. The attackers, a hacktivist group known as Predatory Sparrow, sent stolen funds to custom “burn” addresses, effectively destroying the assets instead of laundering them. This marked a clear shift in motive: from monetary gain to ideological sabotage.

This is not just a routine security incident. It is a blueprint for state-aligned digital sabotage, where crypto infrastructure becomes a high-value target. The implications are vast:

  • Exchanges are now frontline assets in geopolitical cyber warfare.

  • Custody infrastructure is now a matter of national security.

  • Cold wallets are no longer optional; they are foundational.

At the heart of the Nobitex breach was a compromised private key to the exchange’s hot wallets across multiple chains (BTC, ETH, TRON, DOGE, SOL, and others). The attack did not involve any complex smart contract exploits. It was a basic failure in operational security and key storage hygiene, yet the consequences were extraordinary.

This scenario is not new. From Coincheck to GDAC, exchange breaches have repeatedly stemmed from the same vulnerability: hot wallet keys exposed through compromised infrastructure or lax access controls.

Cobo has long advocated for a tiered wallet architecture:

  • Cold wallets (90–95% of funds) stored in secure, geographically distributed hardware modules.

  • Warm wallets with policy-based approval processes.

  • Hot wallets with strict transaction limits and real-time monitoring.

Each of these wallet tiers is built on a highly secure foundation with stringent network isolation and access controls. 

In addition, an independent risk control system, integrated with Cobo’s proprietary security tool Cobo Guard, ensures that every transaction undergoes rigorous scrutiny, maximizing asset security. These measures ensure that even if a hot wallet is compromised, the “crown jewels” remain unreachable.

In Nobitex’s case, the breach went even deeper. Attackers exfiltrated and released the platform’s entire source code, including server configurations, wallet logic, and infrastructure documentation. This disclosure effectively opened the door for follow-on attacks — not just against Nobitex, but potentially against any entity using similar architectures.

This echoes a key lesson from the Bybit breach in February 2025. In that incident, the manipulation occurred at the user interface (UI) layer, tricking operators into blindly signing malicious transactions through a compromised front-end. The takeaway is clear: software-level integrity matters as much as key security.

Cobo’s security team recommends the following best practices to protect against these multi-layered threats:

  • Strict security controls on employee devices enable immediate threat detection and response. Integrated Data Loss Prevention (DLP) systems prevent attackers from exfiltrating sensitive data.

  • Standardized, least-privilege access management processes with multi-party approval eliminate single points of failure. This ensures personnel are granted only the minimum permissions required, and that all access is fully auditable and traceable.

  • Comprehensive monitoring and real-time alerts on sensitive operations allow the security team to react immediately to any anomalies. Regular security audits and baseline inspections of logs, permissions, and alerts help uncover potential risks early and keep systems safe and stable.

  • Regular penetration testing and layered infrastructure hardening ensure the platform remains highly resistant to attacks. Even if source code is leaked, these measures make it extremely difficult for attackers to inflict any material damage on the systems.

  • Transaction co-signing provides an additional layer of validation, ensuring that even a compromised interface cannot unilaterally authorize a malicious transaction.

  • Independent verification of transaction details before signing eliminates blind-signing risks.

  • Real-time risk controls — such as address whitelisting, smart contract logic enforcement, and transaction parameter validation — provide a final layer of defense against unauthorized or abnormal transactions.
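To make the last three controls concrete, here is a small co-signer check written for this article as an added illustration; it is not Cobo's code or any product's API. The `TxRequest`, `tx_digest`, and `CoSigner` names, the limits, and the addresses are all hypothetical. The co-signer recomputes the digest of the payload it is asked to sign, compares it with the digest the operator approved on an independent display, and then enforces an address allowlist, a per-transaction limit, and a rolling hot-wallet limit, failing closed for any chain without a policy.

```python
import hashlib
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TxRequest:            # hypothetical request shape
    chain: str
    to: str
    amount: int             # in the chain's smallest unit

def tx_digest(tx):
    """Canonical hash over exactly the fields that will be signed."""
    body = json.dumps({"chain": tx.chain, "to": tx.to, "amount": tx.amount}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

@dataclass
class CoSigner:             # hypothetical policy engine holding the second approval
    allowlist: dict         # chain -> set of approved destination addresses
    per_tx_limit: dict      # chain -> maximum amount per transaction
    window_limit: dict      # chain -> maximum total amount per rolling window
    window_seconds: int = 3600
    history: list = field(default_factory=list)   # (timestamp, chain, amount)

    def review(self, tx, approved_digest, now):
        """Return (approved, reason). A chain with no policy is rejected."""
        # Independent verification: the payload must match what the operator saw.
        if tx_digest(tx) != approved_digest:
            return False, "digest mismatch"
        if tx.to not in self.allowlist.get(tx.chain, set()):
            return False, "destination not allowlisted"
        if not 0 < tx.amount <= self.per_tx_limit.get(tx.chain, 0):
            return False, "amount outside per-transaction limit"
        recent = sum(a for t, c, a in self.history
                     if c == tx.chain and now - t < self.window_seconds)
        if recent + tx.amount > self.window_limit.get(tx.chain, 0):
            return False, "rolling window limit exceeded"
        self.history.append((now, tx.chain, tx.amount))
        return True, "approved"

def demo():
    # Constructed policy and requests; the addresses are placeholders.
    cs = CoSigner({"ETH": {"0xEXAMPLE_TREASURY"}}, {"ETH": 100}, {"ETH": 150})
    ok = TxRequest("ETH", "0xEXAMPLE_TREASURY", 80)
    swapped = TxRequest("ETH", "0xEXAMPLE_UNKNOWN", 80)  # payload changed after approval
    return [cs.review(ok, tx_digest(ok), 0)[1],
            cs.review(swapped, tx_digest(ok), 5)[1],
            cs.review(ok, tx_digest(ok), 10)[1]]

if __name__ == "__main__":
    print(demo())
```

The check order matters: the digest comparison runs first so that a payload altered between approval and signing is rejected before any policy lookup is made on attacker-controlled fields.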

Nobitex was not a small player; it had processed over $11 billion in inflows and served more than 7 million users. However, its role in Iran’s sanctions-evasion pipeline made it a strategic target.

Smaller exchanges in politically sensitive or high-risk jurisdictions should take heed:

  • Being regional does not mean immunity. Political motivations can turn even “local” platforms into global targets.

  • Multi-chain hot wallet exposure multiplies risk. Exchanges that maintain liquidity across multiple chains without proper segregation are especially vulnerable.

  • Source code and infrastructure documentation must be locked down. Attackers are not just after assets — they want the playbook.

  • Real-time response capabilities matter. Nobitex’s CEO noted that government-imposed internet throttling delayed his team’s response, highlighting the need for decentralized monitoring and out-of-band alerts.

The Nobitex breach is a stark reminder that traditional hot wallet setups are inadequate. The industry needs institutional-grade custody infrastructure that can withstand both technical failures and geopolitical stressors.

At Cobo, our Wallet-as-a-Service (WaaS) provides precisely that:

  • MPC Wallets eliminate single points of failure by splitting key control across multiple parties. Even if one component is compromised, assets remain secure.

  • Custodial Wallets hold assets in secure cold storage while still enabling operational liquidity through programmable warm layers.

  • Smart Contract and Exchange Wallets integrate seamlessly with policy enforcement tools and transaction monitoring systems.

The Bybit hack taught us that UI-level manipulation can deceive even hardware wallet users. The Nobitex breach shows that geopolitical agendas can likewise weaponize vulnerabilities for destructive purposes.

Security is no longer just about defending against profit-seeking attackers. It is about resilience in a world where code, custody, and currency have become tools of influence.

Crypto exchanges, asset managers, and fintech platforms must evolve from reactive to resilient. That means:

  • Adopting MPC + co-signing architectures.

  • Enforcing off-chain risk controls, not just on-chain security.

  • Treating infrastructure documentation and internal code as high-value assets.

  • Preparing for attacks that seek not to steal, but to destroy.

As the crypto industry matures, the stakes will only grow higher. Exchanges will not just be judged by the assets they hold, but by the security they uphold.

At Cobo, we remain committed to building the most secure, scalable, and resilient wallet infrastructure in the industry. Since our founding in 2017, we have maintained a zero-breach record and now support over 80 blockchain networks and 3,000+ tokens. We continue to serve as the trusted crypto custody partner for institutions worldwide.

The Nobitex incident is not just a warning — it is a watershed moment. It is time for the industry to re-architect its assumptions around trust, infrastructure, and intent.

When cryptocurrency becomes collateral in a geopolitical conflict, only the secure survive.
