The $90 million hack from Nobitex, Iran’s largest crypto exchange, has created global headlines. However, newly emerging blockchain data shows that the violations exposed something greater.
A forensic report by blockchain intelligence firm Global Ledger found that, months before the June 18 attack, Nobitex was systematically moving user funds using techniques commonly associated with money laundering.
Did the funds of Iran’s Nobitex Exchange Laundering users provide funds before the hack?
On-chain data shows that Nobitex has adopted a method known as Peelchaining. This is when a large amount of Bitcoin is split into smaller chunks and routed through a short-lived wallet.
This technique is often used to make funds difficult to track and obscure the origins of money. In the case of Nobitex, analysts discovered a pattern in which BTC circulates in a consistent chunk of 30 coins.
Global Ledger also discovered that Nobitex uses temporary deposits and withdrawal addresses. This is an action known as a chip-off transaction. These number one use addressing the funnel BTC to a new wallet and disguise the liquidity trail.
Hacked Nobitex wallets had small chunks of bitcoin from their wallets that were suspicious over time. Source: Global Ledger
“Rescue Wallet” was nothing new
After the hack, Nobitex claimed that it had moved the remaining funds as a safety measure. On-chain activity showed 1,801 BTC sweep (equivalent to ~$187.5 million) in the newly created wallet.
However, this wallet was not new. Blockchain data tracks it Historical use until October 2024. Wallets have been collecting chip-off funds for a long time.
This “rescue wallet” received multiple 20-30 BTC transfers following the same washing-like pattern, even before the hack occurred.
Post-hack activity shows continuous control
A few hours after the violation, Nobitex moved the funds from the exposed hot wallet to another internal address. This perfect balance sweep demonstrated the operational controls held by Nobitex.
On June 19, investigators observed 1,783 BTCs had been transferred again to a new destination wallet. This coincided with Nobitex’s public claim to secure that asset, but now it has added a context.
Rather than responding to hacks, Flow suggests that Nobitex simply followed the existing money laundering playbook.
Gonjeshke Darande of the Pro Israel Hacking Group has published a file that exposes Nobitex’s internal wallet structure.
Hacks may have shocked users, but blockchain data nobitex had already moved funds this way for months.
Old wallets linked to exchanges would regularly send Bitcoin to new wallets. From there, the funds were split into small quantities and moved over and over again.
This method makes it difficult to track where your money ends. It’s similar to how some people hide their trucks when moving funds through Crypto.
The key is that this wasn’t what Novitex started after the hack. They were doing it a long time ago and they continued it –Like the standard procedure.
Especially one wallet –bc1q…rrzq– I’ll take a picture over and over again. It receives a lot of user deposits and these traces seem to be the starting point for many of the difficult fund movements.
Nobitex user funds will be transferred to a potential money laundering wallet. Source: Global Ledger
In short, the hacks did not change how Nobitex handled funds. It simply brought it Continuous behind-the-scenes activity is in the public eye.
Discover more from Earlybirds Invest
Subscribe to get the latest posts sent to your email.
