Israel-Linked Predatory Sparrow Hackers Launch Cyberattack on Iran’s Financial System

The hacker group known as Predatory Sparrow, reportedly linked to Israel, has intensified its cyber operations against Iran, carrying out some of the most disruptive attacks on record. The group has previously disabled thousands of gas station payment systems across Iran and even started a fire at a steel mill. With open conflict between the two nations under way, its focus has now shifted to undermining Iran's financial infrastructure.

Operating under the Farsi name Gonjeshke Darande, Predatory Sparrow announced on its social media account that it had launched an operation against Nobitex, a prominent Iranian cryptocurrency exchange. The group accused Nobitex of facilitating sanctions violations and financing terrorism on behalf of the Iranian government. According to blockchain analysis firm Elliptic, this attack resulted in the destruction of over $90 million worth of assets held by Nobitex, setting a rare precedent where hackers opted to erase crypto assets rather than simply expropriate them.

In a statement explaining its rationale, the group asserted that Nobitex's role as a vital tool for the Iranian regime made it a legitimate target, and warned that assets held by users of an exchange used to finance terrorism and evade sanctions were at risk.

On the same day, Predatory Sparrow targeted Sepah Bank, alleging it had obliterated all data within the institution, a move seen as retaliation for the bank’s connections to Iran’s Islamic Revolutionary Guard Corps. The group published documents that reportedly displayed formal agreements linking the bank to the Iranian military. In their statement, they warned that interacting with entities aiding in sanction evasion and the support of Iran’s military ambitions could be detrimental to users’ financial health.

Following the attack, the website of Sepah Bank experienced downtime, although it was reportedly functional again shortly after. Despite inquiries from various news outlets, including WIRED, the bank did not provide comments on the incident. Meanwhile, Nobitex remained inaccessible during the same timeframe, with the company unable to be reached for further information.

The full impact of these cyber assaults remains elusive, particularly in the chaotic context of an evolving conflict. Hamid Kashfi, a cybersecurity researcher based in Sweden, indicated that local contacts reported significant disruptions affecting Sepah Bank’s online services, impacting civilians’ access to their funds. He noted that while the bank’s services may primarily support military operations, they also play a crucial role for everyday citizens.

Analysis of the attack on Nobitex reveals that the cryptocurrency seized by Predatory Sparrow was routed to various addresses bearing anti-Iran messages, suggesting a clear political motive behind the operation. Unlike the destination addresses in a conventional heist, these addresses offer no way to recover the funds, which reinforces the view that the hackers set out to destroy digital assets rather than take them. According to Tom Robinson, a co-founder of Elliptic, the hackers' actions were driven by political objectives rather than financial gain, and the stolen cryptocurrency has effectively been "burned."

The tactics employed in these attacks can be contextualized through the MITRE ATT&CK framework, which catalogues adversary tactics such as Initial Access and Privilege Escalation and techniques such as Data Destruction. In combining such methods with politicized aims and deliberate disruption rather than financial theft, Predatory Sparrow exemplifies the changing nature of contemporary cyber warfare.