Israel-based Predatory Sparrow gang is escalating its cyber operations against Iran, targeting major financial institutions.

Predatory Sparrow (Farsi: Gonjeshke Darande) is a highly skilled hacker group widely believed to have links to Israel. The group escalated its cyber operations against Iran in June 2025, targeting major financial institutions and causing significant disruption and financial loss.

Recent Attacks (June 2025)

Nobitex Crypto Exchange Hack

• On June 18, 2025, Predatory Sparrow claimed responsibility for a cyberattack that stole and destroyed approximately $90 million in crypto assets from Nobitex, Iran’s largest cryptocurrency exchange.
• The hackers transferred the stolen crypto assets to wallet addresses containing anti-IRGC (Islamic Revolutionary Guard Corps) messages, making the funds irretrievable—a deliberate act of destruction rather than theft for profit.
• Nobitex suspended operations and took its website offline while investigating the breach.
• The group accused Nobitex of helping Iran evade international sanctions and finance illicit activities.

Bank Sepah Data Wipe

• Just one day earlier, Predatory Sparrow claimed to have erased data from Iran’s state-run Bank Sepah, citing the bank’s alleged ties to the IRGC as justification.
• The attack caused widespread outages, with many ATMs in Tehran reported out of service or out of cash.
• Iranian state media warned that disruptions could affect gas stations, as Bank Sepah processes fuel payments.

Tactics and Impact

• Destructive Motives: Unlike typical cybercriminals, Predatory Sparrow’s operations are politically motivated, aiming to disrupt Iran’s financial infrastructure and send a message rather than profit directly.
• Technical Sophistication: The group used “vanity” crypto addresses containing custom anti-IRGC messages. Finding a private key that matches an address with such text is computationally infeasible for anyone, including the hackers, so the funds cannot be recovered and the money is effectively “burned.”
• Escalating Cyber Conflict: These attacks represent a significant escalation in the ongoing cyberwar between Israel and Iran, with both sides targeting each other’s critical infrastructure.

History and Attribution

• Track Record: Predatory Sparrow has previously claimed responsibility for high-profile attacks on Iranian infrastructure, including:
    • Disabling gas station payment systems nationwide (twice)
    • Shutting down railway systems
    • Causing a major fire at a steel mill in 2022
• Attribution: While the group presents itself as an anti-government Iranian hacktivist entity, most cybersecurity experts believe it operates with support or direct ties to Israeli intelligence or military agencies.

Broader Context

• The attacks come amid heightened military tensions and missile exchanges between Israel and Iran, with cyber operations appearing to complement physical strikes.
• The Iranian government has responded by warning citizens about potential cybersecurity risks, including advising against using WhatsApp due to espionage fears.