Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System


The Israel-linked hacker group known as Predatory Sparrow has carried out some of the most disruptive and destructive cyberattacks in history, twice disabling thousands of gas station payment systems across Iran and once even setting a steel mill in the country on fire. Now, in the midst of a new war unfolding between the two countries, they appear to be bent on burning Iran’s financial system.

Predatory Sparrow, which often goes by its Farsi name, Gonjeshke Darande, in an effort to appear as a homegrown hacktivist organization, announced in a post on its X account Wednesday that it had targeted the Iranian crypto exchange Nobitex, accusing the exchange of enabling sanctions violations and terrorist financing on behalf of the Iranian regime. According to cryptocurrency tracing firm Elliptic, the hackers destroyed more than $90 million in Nobitex holdings, a rare instance of hackers burning crypto assets rather than stealing them.

“These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions,” the hackers posted to X. “Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.”

The incident follows another Predatory Sparrow attack on Iran’s finance system on Wednesday, in which the same group targeted Iran’s Sepah bank, claiming to have destroyed “all” the bank’s data in retaliation for its associations with Iran’s Islamic Revolutionary Guard Corps, and posting documents that appeared to show agreements between the bank and the Iranian military. “Caution: Associating with the regime’s instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” the hackers wrote. “Who’s next?”

Sepah Bank’s website was offline yesterday but appeared to be working again today. The bank didn’t respond to WIRED’s request for comment. Nobitex’s website was offline today and the company couldn’t be reached for comment.

As is often the case in the fog of an unfolding war and its accompanying cyberattacks, what effects Predatory Sparrow’s cyberattacks have had remains unclear. But Hamid Kashfi, an Iranian cybersecurity researcher living in Sweden and the founder of the cybersecurity firm DarkCell, says he has heard from contacts in Iran that Sepah’s online banking and ATMs have been offline since the attacks began, causing widespread disruption to civilians’ ability to access their funds. “There has been a lot of collateral damage,” Kashfi says. “It just seems to be straight up causing damage and chaos. I can’t think of what other logic would be behind it. Yes, they provide services to the military. But they do for millions of regular joes and civilians as well.”

In the Nobitex attack, blockchain analysis reveals some of the details of Predatory Sparrow’s sabotage: According to Elliptic, the eight-figure sum stolen from the exchange was moved to a series of crypto addresses that all started with variations on the phrase “FuckIRGCterrorists.” Those so-called “vanity” addresses typically can’t be created in any way that offers control or recovery of funds held there, so Elliptic concludes that moving funds to those addresses was instead a pointed method of destroying the money. “The hackers clearly have political rather than financial motivations,” says Tom Robinson, Elliptic’s cofounder. “The crypto they stole has effectively been burned.”


