In an escalation of the shadow cyberwar between Israel and Iran, the hacker group Predatory Sparrow, known in Farsi as Gonjeshke Darande, has struck at the core of Iran’s financial infrastructure, targeting its banking sector and cryptocurrency exchanges.
This campaign, detailed in a recent Wall Street Journal report, underscores the group’s sophisticated capabilities and its apparent alignment with Israeli interests amid heightened regional tensions.
By crippling Iran’s state-owned Bank Sepah and obliterating over $90 million in assets from the Nobitex cryptocurrency exchange, Predatory Sparrow has demonstrated not only technical prowess but also a strategic intent to destabilize Iran’s economy and expose its vulnerabilities.
Predatory Sparrow’s latest offensive began with a cyberattack on Bank Sepah, one of Iran’s largest financial institutions, accused by the hackers of funneling funds to Iran’s Islamic Revolutionary Guard Corps (IRGC) and supporting the regime’s ballistic missile and nuclear programs.
The group claimed to have erased “all” of the bank’s data, causing widespread disruptions, including non-functional ATMs and halted payment systems, which reportedly impacted gas stations across the country.
Local reports indicated that some government employees and security personnel faced delays in receiving salaries, amplifying the chaos.
The attack was accompanied by the release of documents purportedly showing ties between Bank Sepah and the Iranian military, a move designed to justify the hackers’ actions and expose the bank’s role in evading international sanctions.
Just a day later, Predatory Sparrow turned its sights on Nobitex, Iran’s largest cryptocurrency exchange, in a strike that vaporized over $90 million in digital assets, including Bitcoin, Ethereum, Dogecoin, and others.
Unlike typical cyber heists where hackers siphon funds for profit, Predatory Sparrow transferred the stolen assets to so-called “vanity” blockchain wallets with addresses beginning with phrases like “FuckIRGCterrorists.”
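These addresses, as blockchain analysis firm Elliptic noted, are computationally infeasible to control: nobody can feasibly produce the private key for an address with such a long chosen prefix, so the transfers effectively “burned” the funds to send a political message rather than stealing them.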
The group accused Nobitex of enabling sanctions evasion and financing terrorism, with Elliptic confirming links between the exchange and sanctioned entities like the IRGC, Hamas, and Yemen’s Houthi rebels.
These attacks mark a significant escalation in the campaign against Iran by Predatory Sparrow, a group believed to have ties to Israel’s military or intelligence agencies.
Over the past five years, the hackers have targeted Iran’s critical infrastructure with devastating effect, from paralyzing thousands of gas stations in 2021 and 2023 to triggering a catastrophic fire at the Khouzestan steel mill in 2022 by hijacking industrial control systems.
Their ability to cause physical destruction through cyberattacks—such as the steel mill incident, where molten steel spilled, narrowly sparing workers—sets them apart as one of the most aggressive cyberwarfare actors globally.
The timing of these financial sector attacks, coinciding with Israel’s airstrikes on Iranian nuclear and military targets, suggests a coordinated effort to weaken Iran on multiple fronts.
Iran’s response has been to downplay the damage, with officials attributing disruptions to “technical issues” or foreign “sabotage cells” while imposing internet slowdowns and restricting crypto exchange operations.
However, the impact on ordinary Iranians has been significant.
Cybersecurity professional Hamid Kashfi noted that many Iranians rely on cryptocurrencies like USD-pegged stablecoins to hedge against economic instability, meaning the Nobitex hack could hurt civilians as much as the regime.
Predatory Sparrow’s actions highlight the evolving nature of cyberwarfare, where state-linked actors use sophisticated tools to achieve geopolitical goals.
While the group’s precise origins remain unclear, its operations bear the hallmarks of government-backed campaigns, with professionals like Rafe Pilling from Sophos pointing to their alignment with Israel’s regional priorities.
As Iran faces economic and military pressure, Predatory Sparrow’s cyberattacks serve as a reminder of the vulnerabilities in its digital infrastructure and the high stakes of the Israel-Iran conflict in cyberspace.