


Hackers with alleged links to Israel have drained more than $90 million from Nobitex, Iran’s largest cryptocurrency exchange, according to blockchain analytics firms.
The group that claimed responsibility for the hack leaked on Thursday what it said was the company’s full source code. “ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” the group wrote on its Telegram account.
The stolen funds were transferred to addresses bearing messages that criticized Iran’s Islamic Revolutionary Guard Corps, blockchain analytics firm Elliptic wrote in a blog post. It said the attack likely was not financially motivated, as the wallets the hackers had poured the money into “effectively burned the funds in order to send Nobitex a political message.”
The hacker group, Gonjeshke Darande — “Predatory Sparrow” in Persian — accused Nobitex of having helped Iran’s government to evade Western sanctions over the country’s rapidly advancing nuclear program and to transfer money to proxy terror groups, in a post on X claiming the attack.
“The Nobitex exchange is at the heart of the regime’s efforts to finance terror worldwide, as well as being the regime’s favorite sanctions violation tool. Nobitex doesn’t even pretend to abide by sanctions. In fact, it publicly instructs users on how to use its infrastructure to bypass sanctions,” Gonjeshke Darande said in a post on X.
“Bypassing sanctions doesn’t pay,” Gonjeshke Darande added in a separate post, attaching screenshots purportedly showing seized crypto funds worth tens of millions of dollars.
Nobitex appeared to have confirmed the attack. Its app and website were down as it assessed “unauthorized access” to its systems, it said in a post on X.
The theft spanned a range of cryptocurrencies, including Bitcoin, Ethereum, Dogecoin, and more, said Andrew Fierman, head of national security intelligence at Chainalysis. The breach is “particularly significant given the comparatively modest size of Iran’s cryptocurrency market,” he added.
The hack appears to be motivated by escalating tensions in the Israel-Iran conflict, which broke out last week when Israel struck Iran’s nuclear and military sites, drawing barrages of ballistic missiles from Tehran, largely at Israeli population centers. The group also said it had destroyed data in a cyberattack against Iran’s state-controlled Bank Sepah on Tuesday.
Elliptic said that relatives of Iran’s Supreme Leader Ali Khamenei were linked to the exchange and that sanctioned Revolutionary Guard operatives had used Nobitex. It shared evidence that the exchange had sent funds to and received funds from cryptocurrency wallets controlled by Iranian allies, including Yemen’s Houthis and Hamas.
US senators Elizabeth Warren and Angus King last year raised concerns about Iran’s use of cryptocurrencies to evade sanctions.
Gonjeshke Darande has previously claimed responsibility for other high-level cyberattacks against Iran, including a 2021 operation that paralyzed gas stations and a 2022 effort against a steel mill that sparked a large fire.
In recent years, Iran has seen a series of cyberattacks on its filling stations, railway system, and industries. Surveillance cameras in government buildings, including prisons, have also been hacked in the past.
The country disconnected much of its government infrastructure from the internet after the Stuxnet computer virus — widely believed to be a joint US-Israeli creation — disrupted thousands of Iranian centrifuges in the country’s nuclear sites in the late 2000s.
Iran, long sanctioned by the West over its nuclear program, faces difficulties in getting up-to-date hardware and software, often relying on Chinese-manufactured electronics or older systems no longer being patched by manufacturers, making them easier for a potential hacker to target. Pirated versions of Windows and other software are common across Iran.