Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
Credit to Author: Andy Greenberg | Date: Wed, 18 Jun 2025 14:40:12 +0000
The Israel-linked hacker group known as Predatory Sparrow has carried out some of the most disruptive and destructive cyberattacks in history, twice disabling thousands of gas station payment systems across Iran and once even setting a steel mill in the country on fire. Now, in the midst of a new war unfolding between the two countries, they appear to be bent on burning Iran's financial system.
Predatory Sparrow, which often goes by its Farsi name, Gonjeshke Darande, in an effort to appear as a homegrown hacktivist organization, announced in a post on its X account Wednesday that it had targeted the Iranian crypto exchange Nobitex, accusing the exchange of enabling sanctions violations and terrorist financing on behalf of the Iranian regime. According to cryptocurrency tracing firm Elliptic, the hackers destroyed more than $90 million in Nobitex holdings, a rare instance of hackers burning crypto assets rather than stealing them.
“These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions,” the hackers posted to X. “Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.”
The incident follows another Predatory Sparrow attack on Iran's financial system on Wednesday, in which the same group targeted Iran's Sepah Bank, claiming to have destroyed “all” the bank's data in retaliation for its associations with Iran's Islamic Revolutionary Guard Corps, and posting documents that appeared to show agreements between the bank and the Iranian military. “Caution: Associating with the regime's instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” the hackers wrote. “Who's next?”
Sepah Bank's website was offline yesterday but appeared to be working again today. The bank didn't respond to WIRED's request for comment. Nobitex's website was offline today and the company couldn't be reached for comment.
As is often the case in the fog of an unfolding war and its accompanying cyberattacks, what effects Predatory Sparrow's cyberattacks have had remain unclear. But Hamid Kashfi, an Iranian cybersecurity researcher living in Sweden and the founder of the cybersecurity firm DarkCell, says that he's heard from contacts in Iran that Sepah's online banking and ATMs have been offline since the attacks began, causing widespread disruption to civilians' ability to access their funds. “There has been a lot of collateral damage,” Kashfi says. “It just seems to be straight up causing damage and chaos. I can't think of what other logic would be behind it. Yes, they provide services to the military. But they do for millions of regular joes and civilians as well.”
In the Nobitex attack, blockchain analysis reveals some of the details of Predatory Sparrow's sabotage: According to Elliptic, the eight-figure sum stolen from the exchange was moved to a series of crypto addresses that all started with variations on the phrase “FuckIRGCterrorists.” Such “vanity” addresses are normally produced by generating key after key until one happens to yield an address containing the chosen text, and the work grows exponentially with the length of that text: a handful of chosen characters is feasible, but a string as long as this one is far beyond any attacker's computing power. The addresses are well formed enough for the network to accept deposits, yet almost certainly correspond to no private key anyone holds, so Elliptic concludes that moving funds to them was a pointed method of destroying the money rather than stealing it. “The hackers clearly have political rather than financial motivations,” says Tom Robinson, Elliptic's cofounder. “The crypto they stole has effectively been burned.”
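As an added illustration, not code from the WIRED article or from Elliptic's analysis, the Python below shows why a vanity address carrying a long chosen string is a burn address. A wallet or node verifies only the Base58Check checksum, which any string can be made to satisfy, while finding a private key whose address contains a chosen string costs about 58^n key generations for n characters. The sample address built from an all-zero key hash is constructed for the example, and the key-generation rates in the comments are illustrative assumptions.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I, l, to avoid visual confusion).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    return b58encode(payload + checksum(payload))


def is_well_formed_address(text: str) -> bool:
    """True if the string decodes and its checksum matches.

    This is all a wallet or node checks before letting you send funds there.
    It says nothing about whether anyone holds the matching private key.
    """
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    return checksum(raw[:-4]) == raw[-4:]


def expected_attempts(vanity_len: int, alphabet_size: int = 58) -> int:
    """Average key generations needed to land a chosen string of vanity_len
    characters at a fixed position in the address.

    Addresses are derived from hashes of public keys, so every attempt is an
    independent draw and the characters are close to uniform over the alphabet
    (the first character of a Bitcoin P2PKH address is fixed and the second is
    skewed, which shaves roughly one character off the estimate). Pass 16 for
    hex-encoded addresses such as Ethereum's.
    """
    return alphabet_size ** vanity_len


def years_to_find(vanity_len: int, keys_per_second: float, alphabet_size: int = 58) -> float:
    return expected_attempts(vanity_len, alphabet_size) / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample: a P2PKH address (version byte 0x00) whose 20-byte
    # key hash is all zeros. Nobody knows a key that hashes to this, yet the
    # string passes every syntactic check a wallet applies, so coins sent to
    # it are accepted by the network and unspendable forever.
    zero_hash_address = b58check_encode(b"\x00" + bytes(20))
    print(zero_hash_address, is_well_formed_address(zero_hash_address))
    # A one-character typo breaks the checksum, the only protection
    # Base58Check offers.
    typo = zero_hash_address[:-1] + ("2" if zero_hash_address[-1] != "2" else "3")
    print(typo, is_well_formed_address(typo))
    # Brute-forcing a vanity string (rates are assumed, not measured): four
    # characters at 1e6 keys/s takes seconds; the 18 characters of
    # "FuckIRGCterrorists" at 1e12 keys/s take more than a trillion years.
    for n in (4, 8, 18):
        print(n, f"{years_to_find(n, 1e12):.3g} years at 1e12 keys/s")
```

The practical takeaway for anyone tracing such a transfer: checksum validity tells you the destination was deliberately chosen and will accept funds, and the length of the embedded text tells you whether anyone could plausibly hold its key. A short vanity prefix is a real wallet; an 18-character phrase is a furnace.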
Elliptic also confirmed in its blog post about the attack that crypto tracing shows Nobitex does in fact have links with sanctioned IRGC operatives, Hamas, Yemen's Houthi rebels, and the Palestinian Islamic Jihad group. “It's also an act of sabotage, by attacking a financial institution that was pivotal in Iran's use of cryptocurrency to evade sanctions,” Robinson says.
Predatory Sparrow has long been one of the most aggressive cyberwarfare-focused groups in the world. The hackers, who are widely believed to have links to Israel's military or intelligence agencies, have for years targeted Iran with an intermittent barrage of carefully planned attacks on the country's critical infrastructure. The group has targeted Iran's railways with data-destroying attacks and twice disabled payment systems at thousands of Iranian gas stations, triggering nationwide fuel shortages. In 2022, it carried out perhaps the most physically destructive cyberattack in history, hijacking industrial control systems at the Khouzestan steel mill to cause a massive vat of molten steel to spill onto the floor, setting the plant on fire and nearly burning staff there alive, as shown in the group's own video of the attack posted to its YouTube account.
Exactly why Predatory Sparrow has now turned its attention to Iran's financial sector—whether because it sees those financial institutions as the most consequential targets or merely because its banks and crypto exchanges were vulnerable enough to offer a target of opportunity—remains unclear for now, says John Hultquist, chief analyst at Google's Threat Intelligence Group and a longtime tracker of Predatory Sparrow's attacks. Almost any conflict, he notes, now includes cyberattacks from hacktivists or state-sponsored hackers. But the entry of Predatory Sparrow in particular into this war suggests there may yet be more to come, with serious consequences.
“This actor is very serious and very capable, and that's what separates them from many of the operations that we'll probably see in the coming weeks or months,” Hultquist says. “A lot of actors are going to make threats. This is one that can follow through on those threats.”
Updated at 10:52 am, June 18, 2025: Added additional context and comments from cybersecurity researcher Hamid Kashfi.