Inside the $100 Million Nobitex Hack

Also: Dismantling a 460 Million Euro Crypto Fraud Network

Cryptohack Roundup: Inside the $100M Nobitex Breach

In its weekly roundup, Information Security Media Group highlights recent cybersecurity incidents involving digital assets. This week, attention turns to Iran’s leading crypto exchange, which has come under scrutiny for its use of privacy features and for evading sanctions, while Europol and Spanish law enforcement take down a vast cryptocurrency fraud network that has defrauded victims of 460 million euros. Additionally, a stablecoin protocol called Resupply fell victim to a $9.5 million exploit, a Pennsylvania man received an eight-year prison sentence for a $40 million Ponzi scheme, and U.S. authorities uncovered a North Korean scheme involving cryptocurrency theft and employment fraud.

Insights into Iran’s Largest Crypto Exchange: Nobitex

Nobitex, a prominent Iranian cryptocurrency exchange, faces significant challenges following a complex breach that resulted in a $100 million loss and subsequent exposure of its source code. Analysts from TRM Labs have highlighted that the leaked code reveals sophisticated methods designed to circumvent sanctions while integrating seamlessly with Iran’s banking system for operational stealth.

The exchange’s infrastructure features a segmented wallet system leveraging both hot and cold wallets; however, vulnerabilities in internal routing allowed unauthorized lateral movement post-breach. Notably, deep integration with local payment platforms facilitated seamless transactions between crypto and fiat, effectively bypassing international regulations.

Privacy considerations were central to Nobitex’s design, with modules like owshen and zpk enabling transaction obfuscation and stealth addressing to thwart blockchain analysis efforts often employed by U.S. regulators. VIP users received bespoke treatment, appearing to exempt them from standard compliance checks, raising broader concerns about accountability in digital asset exchanges.

The platform supports over 25 blockchains, complicating tracing efforts for illicit funds. Despite employing extensive encryption and monitoring systems, critical flaws such as plaintext API keys in non-production environments potentially facilitated the breach.

Nobitex’s modular design means its components—including its matching engine and fraud detection systems—could easily be adapted or replicated by other exchanges, thereby increasing the likelihood of similar entities emerging in regions under economic sanctions.

Europol and Spanish Police Dismantle Major Crypto Fraud Operation

In a significant operation, authorities from Spain’s Guardia Civil, with support from Europol and international partners in Estonia, France, and the U.S., arrested five suspects linked to a cryptocurrency investment fraud that targeted over 5,000 individuals worldwide, amassing losses of approximately 460 million euros. Law enforcement officials executed multiple searches across locations in Madrid and the Canary Islands. Europol, which has been involved since 2023, coordinated intelligence efforts, provided operational assistance, and dispatched a cryptocurrency specialist to support the investigation. Authorities believe that the criminal network utilized a complex web of associates to siphon illicit funds via various means, including bank transfers and crypto transactions, suggesting sophisticated operational planning.

Resupply Stablecoin Exploit Results in $9.5 Million Loss

The stablecoin protocol Resupply recently experienced a significant breach, losing approximately $10 million due to an attack that manipulated exchange rates associated with cvcrvUSD, a token linked to Curve USD within Convex Finance. The attacker inflated cvcrvUSD’s value through price manipulation, which distorted the calculations made by Resupply’s smart contract, ResupplyPair. This allowed the attacker to borrow $10 million in Resupply’s native stablecoin, reUSD, using a minimal amount of collateral. After securing the borrowed funds, the attacker converted them into various assets on external platforms to realize profits. In response, Resupply has paused the vulnerable contract to mitigate further risks.

Pennsylvania Man Receives Eight-Year Sentence for Crypto Ponzi Scheme

Dwayne Golden, of Pennsylvania, was sentenced to eight years in prison for orchestrating a Ponzi scheme that defrauded investors of $40 million through various cryptocurrency ventures. Alongside co-conspirators Gregory Aggesen and Marquis Egerton, Golden operated EmpowerCoin, ECoinPlus, and Jet-Coin from April to August 2017, falsely promising high returns from international digital asset trading. The U.S. Department of Justice described the operations as characteristic of classic Ponzi schemes, which utilized funds from new investors to pay returns to earlier participants. Following the scheme’s collapse, Golden and his associates attempted to obstruct inquiries by destroying evidence and misleading federal authorities. Golden is required to forfeit $2.46 million in illicit gains, while other conspirators await sentencing.

DOJ Uncovers North Korean Schemes Targeting Cryptocurrency and Employment Fraud

The U.S. Department of Justice has charged several North Korean nationals with executing schemes aimed at stealing cryptocurrency and sensitive information by masquerading as American employees. Allegations indicate that these individuals siphoned over $900,000 in cryptocurrency while laundering the funds through platforms like Tornado Cash. The investigation revealed 29 financial accounts linked to these operations. North Korea has a history of leveraging cyber theft to fund various state initiatives, including weapons development. The suspects remain at large, highlighting the ongoing challenges associated with cybersecurity in the context of international threats.