Iran's major encryption trading platform hacked, losing nearly 100 million dollars

On June 18, 2025, a major Iranian cryptocurrency trading platform was suspected of being attacked by a Hacker, resulting in abnormal transfers of large assets on multiple public chains. Security agencies confirmed that this incident involved TRON, EVM, and BTC networks, with preliminary estimated losses of approximately $81.7 million.

The trading platform subsequently released an announcement confirming that some infrastructure and hot wallets had indeed experienced unauthorized access, but emphasized that user funds were not affected. It is worth noting that the attackers not only transferred funds but also actively moved a large amount of assets to a special burn address, with the "burned" assets valued at nearly 100 million dollars.

The event timeline is as follows:

June 18:

• Security experts reveal that the Iranian encryption platform is suspected to have suffered a Hacker attack, with a large number of suspicious withdrawal transactions occurring on the TRON chain.
• The trading platform stated that its technical team detected that some infrastructure and hot wallets were illegally accessed, and it has immediately cut off external interfaces and initiated an investigation.
• A hacker organization claims responsibility for the attack and states that it will release the source code and internal data of the trading platform within 24 hours.

June 19:

• The trading platform has issued the fourth statement, stating that it has completely blocked external access paths to the server, and that the transfer from the hot wallet is an "active migration made by the security team to protect the funds."
• Official confirmation that the stolen assets have been transferred to wallets with non-standard addresses composed of arbitrary characters, which are used to destroy user assets, totaling approximately 100 million USD.
• A hacker organization claims to have burned approximately $90 million worth of encryption assets, referring to them as "sanctions evasion tools".
• Hacker organization publicly releases trading platform source code.

According to the leaked source code information, the core system of the trading platform is mainly written in Python and uses K8s for deployment and management. Analysis suggests that the attacker may have breached the operation and maintenance boundary, thereby entering the internal network.

The attacker used multiple seemingly legitimate yet uncontrollable "burn addresses" to receive assets. Most of these addresses comply with on-chain address format validation rules and can successfully receive assets, but once the funds are transferred in, it is equivalent to permanent destruction. At the same time, these addresses also contain emotional and provocative language, carrying an aggressive implication.

On-chain analysis shows that the attackers conducted a large number of transactions across multiple blockchain networks, including TRON, BSC, Ethereum, Arbitrum, Polygon, Avalanche, Bitcoin, Dogechain, Solana, TON, Harmony, and Ripple. The stolen assets include mainstream currencies from various ecosystems as well as multiple tokens such as UNI, LINK, and SHIB.

This incident once again reminds the industry: security is a whole, platforms need to further strengthen security protection and adopt more advanced defense mechanisms. For platforms using hot wallets for daily operations, it is recommended:

1. Strictly isolate the permissions and access paths of hot and cold wallets, and regularly audit the calling permissions of hot wallets.
2. Adopt an on-chain real-time monitoring system to timely obtain comprehensive threat intelligence and dynamic security monitoring.
3. Collaborate with the on-chain anti-money laundering system to promptly detect abnormal fund flows.
4. Strengthen the emergency response mechanism to ensure effective response within the golden window after an attack occurs.

The investigation into the incident is still ongoing, and the security team will continue to follow up and provide timely updates on the progress.