What if the June 18, 2025 cyberattack on Iran's largest cryptocurrency exchange wasn't really about destroying $90 million in digital assets, but rather about exposing and disrupting a massive money laundering operation run by Iran's security forces? New evidence suggests the spectacular hack that grabbed international headlines may have been precisely targeted to destroy funds belonging to the Islamic Revolutionary Guard Corps (IRGC) while leaving ordinary citizens' deposits untouched. The investigation reveals a sophisticated financial pipeline that moved approximately $800 million through cryptocurrency channels between March 2024 and August 2025, with nearly $100 million flowing directly into Nobitex in the months before the attack.
The Attack That Shocked Tehran

On the morning of June 18, 2025, Nobitex users woke up to find the exchange's website down and their funds inaccessible. Within hours, the pro-Israel hacking group Gonjeshke Darande (Predatory Sparrow) claimed responsibility for what would become one of the most politically charged cyberattacks in cryptocurrency history.

The hackers didn't just steal the money – they destroyed it. By sending the funds to "burner" addresses with provocative names like "FuckIRGCTerroristsNoBiTEX," they ensured the $90 million would be permanently removed from circulation. This wasn't a heist for profit; it was digital warfare with a message.

But here's what the headlines missed: the amount destroyed – approximately $90 million – appears to match almost exactly the amount of IRGC-linked funds that had recently flowed into the exchange.
Following the Money: The USDT Pipeline

My investigation has uncovered a major money laundering route that Iranian intelligence agencies used to move funds through the cryptocurrency ecosystem. The operation centered on USDT (Tether), a dollar-linked stablecoin particularly popular in Iran as a hedge against the collapsing rial.

The key wallet in this scheme was:

*TU6VdVR7EFjMHZBWaC634r3BboiRWNtFnM*

Between March 29, 2024, and August 23, 2025, approximately $800 million in USDT moved through this network. The funds eventually made their way to Nobitex through another critical wallet address:

*TPJVEvxsNDp2dNFUmUUUHprUim72Ek5me1*

This wallet served as a direct conduit for intelligence agency funds into Nobitex. Between November 16, 2024, and May 3, 2025 – just weeks before the hack – approximately $98 million was transferred through this channel.

The timing is no coincidence. The hackers appear to have known exactly how much dirty money was sitting in Nobitex's wallets and targeted that precise amount for destruction.
The Man Behind the Curtain: Meet Shahram Zakeri

At the heart of this massive money laundering operation stands one man:
Shahram Zakeri (National ID: 2649613580).

A Pattern of Preferential Treatment

The Nobitex hack didn't occur in isolation. Just one day earlier, on June 17, 2025, the same hacking group targeted Bank Sepah, disrupting services across Iran. While ordinary citizens couldn't withdraw their salaries or access their accounts, my sources indicate that security personnel received priority treatment – their payments were processed through alternative channels at the expense of regular customers.

This pattern of putting security forces first while citizens suffer has become endemic in Iran's financial system. When the lights go out due to power shortages caused by IRGC-controlled Bitcoin mining operations, military bases stay powered. When banks fail, security personnel get paid first. And when Nobitex holds approximately $400 million in various crypto assets, the regime's interests take precedence over individual depositors.
The Bigger Picture: Crypto as a Sanctions Lifeline

Nobitex's role in Iran's sanctions evasion ecosystem cannot be overstated. With over $11 billion in total inflows – more than the next ten Iranian exchanges combined – it has become the primary gateway for moving money in and out of Iran's isolated economy.

Blockchain analytics firms have extensively documented Nobitex's links to illicit actors:

Chainalysis (June 2025) identified connections to:
- IRGC-affiliated ransomware operators
- Entities tied to Houthi and Hamas-affiliated networks identified by Israel's National Bureau for Counter Terror Financing (NBCTF)
- Sanctioned pro-Hamas media outlet Gaza Now
- Sanctioned Russian crypto exchanges Garantex and Bitpapa

Elliptic (June 2025) found:
- Use of Nobitex by sanctioned IRGC operatives Ahmad Khatibi Aghda and Amir Hossein Niakeen Ravari
- Direct bitcoin transfers from these sanctioned individuals accused of ransomware operations

TRM Labs reported that the TRON blockchain, which processes 65% of Iran's incoming crypto volume, has become the preferred network for these operations due to its lower fees and faster transaction times compared to Bitcoin or Ethereum.
What This Means for Ordinary Iranians

While international headlines focus on the geopolitical implications, the real victims of this shadow war are Iranian citizens who use cryptocurrency as their only means of protecting savings from a collapsing currency. The rial lost 37% of its value against the dollar in 2024 alone, driving millions to seek refuge in digital assets.

Now these citizens find themselves caught between a regime that uses their exchange for illicit purposes and international actors willing to destroy millions in assets to send a message. The Central Bank of Iran's response – restricting exchange operating hours to 10 AM to 8 PM – does nothing to address the fundamental problem of state capture of the crypto ecosystem.
A Call to Action

The evidence is clear: Nobitex holds approximately $400 million in various digital assets. This is your money, not the regime's slush fund. Every Iranian with funds on the exchange should consider the following:

1. Withdraw immediately: The regime has shown it will prioritize compensating security and intelligence forces over protecting citizen deposits. Don't wait for the next crisis.
2. Document everything: Keep records of all your transactions, deposits, and attempted withdrawals. This documentation may be crucial if the exchange faces further attacks or restrictions.
3. Demand transparency: Nobitex must explain why certain users like Shahram Zakeri bypass KYC requirements while ordinary citizens face increasing scrutiny.