Predatory Sparrow: The pro-Israel group that stole $90 million from Iran's biggest crypto exchange

FP Explainers • June 19, 2025, 12:39:10 IST

A shadowy hacking group calling itself Predatory Sparrow has claimed responsibility for a devastating cyberattack on Iran’s top crypto exchange, Nobitex, wiping out over $90 million. Allegedly linked to Israel, the group’s actions come amid mounting regional tensions and follow earlier attacks on Iranian banks and steel plants.

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. Representational Image/Reuters

A hacking group calling itself Predatory Sparrow — or Gonjeshke Darande in Persian — has claimed responsibility for a cyberattack on Nobitex, Iran’s largest cryptocurrency exchange.

The attack, which reportedly took place on Wednesday (June 18, 2025), led to the removal or irreversible “burning” of roughly $90 million in digital assets.

The incident marks yet another high-profile operation by the shadowy group, believed to be connected to Israeli interests, as part of a sustained digital offensive against Iranian financial and infrastructure systems.

This targeted strike on Iran’s cryptocurrency backbone follows an attack a day earlier on Iran’s state-run Bank Sepah, also claimed by the same group, and comes amid increasing tensions between Israel and Iran.

How Nobitex was compromised

In the early morning hours of Wednesday, cryptocurrency holdings amounting to nearly $90 million were siphoned from Nobitex's systems and moved into wallets controlled by the hackers.

TRM Labs, a blockchain forensics firm, confirmed the movement of funds and reported that the wallets used to receive the stolen cryptocurrency contained messages denouncing the Islamic Revolutionary Guard Corps (IRGC).

12 hours ago
8 burn addresses burned $90M from the wallets of the regime's favorite sanctions violation tool, Nobitex.

12 hours from now
The source-code of Nobitex will be open to the public, and Nobitex’s walled garden will be without walls. Where do you want your assets to be?…

— Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025

Soon after, the Nobitex website went offline. The company acknowledged “unauthorised access” and stated via X that it had deactivated both its website and mobile application while investigating the breach.

Attempts to reach Nobitex through its Telegram support channel yielded no response, and the hacker group also remained silent to media queries.

An analysis from blockchain security firm Elliptic later revealed a unique twist in the operation. The group reportedly transferred the stolen crypto into wallets that they themselves would be unable to access, essentially making the funds irretrievable.

Elliptic concluded: “The hackers effectively burned the funds in order to send Nobitex a political message.”

While the exact method of the breach remains undisclosed, this act of irreversible crypto “burning” has highlighted the symbolic rather than monetary intention behind the attack.

The goal, analysts say, appears to be damage to Iran’s ability to use crypto infrastructure to circumvent sanctions, rather than personal enrichment.

What we know about Predatory Sparrow

Predatory Sparrow has developed a reputation for bold and destructive cyberattacks targeting the Iranian regime and its critical infrastructure.

The group operates under a pseudonym that is widely interpreted as a linguistic counterpoint to “Charming Kitten,” a well-known Iranian cyber-espionage unit. The choice of name is believed to indicate a direct adversarial stance against Iranian cyber operations.

Though no nation has publicly claimed association with Predatory Sparrow, several Israeli media reports have characterised the group as being aligned with Israeli strategic interests.

The Israeli government has officially maintained ambiguity regarding the group’s ties to the state, though in 2022, media leaks following a major cyberattack on Iranian steel infrastructure prompted then-Defence Minister Benny Gantz to order an internal probe into potential breaches of Israel’s covert operations policy.

The group has left a long trail of notable digital attacks:

June 2022 steel factory incident: Predatory Sparrow claimed responsibility for a cyber operation that disrupted three Iranian steel plants. The group released video footage purportedly showing the moment molten steel spewed from a machine, causing a fire.

CCTV footage captured factory workers evacuating the site, followed by scenes of the blaze being doused with hoses.

The hackers stated on Telegram: “These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber-attacks, being carried out carefully to protect innocent individuals.”

October 2021 fuel system hack: The group claimed responsibility for taking down Iran’s national fuel payment infrastructure.

They also hacked into roadside digital billboards to display the message: “Khamenei, where is our fuel?” — a direct reference to Iran’s Supreme Leader, Ayatollah Ali Khamenei.

Iranian emergency services were reportedly warned in advance to mitigate chaos.

Railway system disruption: In another public operation, hackers caused significant delays and confusion by tampering with Iran’s national train station displays.

Information boards were hijacked to inform passengers of delays and cancellations and suggested they contact Khamenei directly.

Code similarities with Indra: Cybersecurity firm Check Point found that some of the malware used by Predatory Sparrow contained code resembling that of another anti-Iranian group, Indra, which conducted a July 2021 attack on Iranian train systems.

These incidents suggest that Predatory Sparrow may be a tightly regulated and disciplined team of military-grade hackers.

Their actions appear to involve careful planning, timing and in some cases, even forewarning of emergency services to avoid civilian casualties — characteristics often associated with state-sponsored operations.

Why Nobitex was targeted

The crypto platform has been under scrutiny for its alleged role in helping the Iranian government and IRGC-affiliated actors launder funds and evade international sanctions.

Nobitex’s reported financial transactions have shown linkages to cryptocurrency wallets operated by organisations such as Hamas, Palestinian Islamic Jihad and Yemen’s Houthis — all entities hostile to Israel.

A 2022 investigative report by Reuters highlighted Nobitex’s links to these groups and its use as a platform for Iran’s illicit financial operations.

Representations of cryptocurrency Binance are seen in front of displayed Nobitex logo and Iran flag in this illustration taken November 3, 2022. Representational Image/Reuters

In May 2024, US Senators Elizabeth Warren and Angus King raised concerns in a letter addressed to the Biden administration, calling for scrutiny over the platform’s role in helping Iran bypass sanctions. The senators cited the Reuters report as supporting evidence.

Andrew Fierman, who heads national security intelligence at Chainalysis, confirmed in an email to Reuters that “the value of the attack was roughly $90 million and that it was likely geopolitically motivated, given that the money was burned.”

He added that Chainalysis had “previously seen IRGC-affiliated ransomware actors leveraging Nobitex to cash out proceeds, and other IRGC proxy groups leveraging the platform.”

This growing body of financial and technical evidence suggests that the recent cyberattack on Nobitex was not an isolated incident but part of a long-standing effort to disable or expose the digital infrastructure underpinning Iran’s shadow economy.

What we know about the Bank Sepah attack

Just a day prior to the Nobitex breach, Predatory Sparrow also claimed responsibility for another major operation — this time targeting Iran’s Bank Sepah. The group claimed to have erased key data from the bank’s systems.

They posted on X: “This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies.”

Destruction of the infrastructure of the Islamic Revolutionary Guard Corps “Bank Sepah”
We, “Gonjeshke Darande”, conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ “Bank Sepah”.

“Bank Sepah” was an institution that circumvented… pic.twitter.com/1r4XyDmXcJ

— Gonjeshke Darande (@GonjeshkeDarand) June 17, 2025

Customers in Iran reportedly faced serious disruptions in accessing accounts, withdrawing funds, and using bank cards.

Iranian media outlets warned that these problems could ripple out to the country’s fuel distribution systems, which depend on Bank Sepah for processing transactions.

This assault marked a rare instance of a cyberattack affecting core financial infrastructure in the middle of a regional conflict, raising concerns about the cyber front of the ongoing Israel-Iran standoff.

Bank Sepah was sanctioned by the US Treasury Department in 2018 for aiding Iran’s Ministry of Defense and Armed Forces Logistics.

Experts have noted that while hackers often exaggerate their impact, the consequences of the attack on Bank Sepah appear to be both real and widespread.

Former NSA official Rob Joyce commented on X: “Disrupting the availability of this bank’s funds, or triggering a broader collapse of trust in Iranian banks, could have major impacts there.”

With inputs from agencies
