Predatory Sparrow - SparTech Software

Predatory Sparrow (Farsi: Gonjeshke Darande) is a highly sophisticated hacking group known for executing politically motivated cyberattacks against Iranian targets. The group is widely reported to have links to Israel, though the Israeli government has never officially acknowledged any connection.

Notable Operations

Nobitex Crypto Exchange Hack (June 2025)

• Predatory Sparrow claimed responsibility for hacking Nobitex, Iran’s largest cryptocurrency exchange, siphoning and destroying nearly $90 million in various cryptocurrencies. The funds were sent to blockchain wallets with anti-government slogans and then irreversibly burned, signaling a political rather than financial motive.
• The group accused Nobitex of helping the Iranian government evade sanctions and fund militant groups.
• Following the hack, Predatory Sparrow also released the exchange’s source code, exposing further vulnerabilities.

Bank Sepah Attack (June 2025)

• Just before the Nobitex breach, the group claimed to have destroyed data at Iran’s state-owned Bank Sepah, targeting the institution for allegedly financing Iranian military operations.

Past Attacks

• 2021: Attributed with a cyberattack that paralyzed gas stations across Iran.
• 2022: Claimed responsibility for an attack on an Iranian steel mill that caused a significant fire and physical damage, an incident rare for its real-world impact.

Tactics and Motivations

• Political Messaging: Predatory Sparrow’s operations are characterized by their overt political messaging, often targeting institutions linked to the Iranian regime or its military apparatus. Their attacks are designed to disrupt, embarrass, and weaken the Iranian state, especially in the context of ongoing conflict and sanctions.
• Destructive Techniques: The group has a track record of not just stealing data or funds but also destroying them—either by wiping data or burning cryptocurrency assets—making recovery impossible and maximizing disruption.
• Public Disclosure: They often publicize their exploits on social media, sometimes leaking stolen data or source code to further damage their targets and expose vulnerabilities

Synonyms:

Gonjeshke Darande

Iran prepars for cyberwar, shuttong off nearly all Internet access across the country.
Iran has recently slowed and, in some areas, nearly shut off internet access across the country in what officials describe as a “temporary, targeted, and controlled” measure to prevent cyberattacks, particularly from Israel, as regional tensions escalate. The move follows a series of missile exchanges and cyber operations between Israel and Iran, with both sides engaging in digital warfare alongside physical military actions.
Iran’s largest cryptocurrency exchange has been hacked,losing over $90 million in crypto.
Seems like Iran was a bit late to lockdown worldwide Internet access amidst the Israel/Iran/USA? was. Nobitex, Iran’s largest cryptocurrency exchange, was hacked on June 18, 2025, resulting in the theft of over $90 million in cryptocurrency assets. The cyberattack targeted the exchange’s “hot wallet” infrastructure, which is connected to the internet for quick transactions. The stolen funds included Bitcoin, Dogecoin, and more than 100 different cryptocurrencies across multiple blockchains including TRON, Ethereum, and Bitcoin.
Israel-based Predatory Sparrow gang is escalating its cyber operations against Iran, targeting major financial institutions.
Predatory Sparrow (Farsi: Gonjeshke Darande) is a highly skilled hacker group widely believed to have links to Israel. The group has escalated its cyber operations against Iran in June 2025, targeting major financial institutions and causing significant disruption and financial loss.
Those hackers that siphoned millions of Iranian crypto just burned the house down. $90 million in crypto vaporized alongside taunts against Iran’s Revolutionary Guard!
Remember those wily hackers that siphoned $90 million from Nobitex, Iran’s largest cryptocurrency exchange yesterday? Today, they taunted Iran's Revolutionary Guard Corps and then burned the entire pile of crypto. More than $90 million vaporized! The stunning $90 million destruction marks a brazen escalation in the covert cyber war that has simmered between Israel and Iran for more than a decade.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Notable Operations

Nobitex Crypto Exchange Hack (June 2025)

Bank Sepah Attack (June 2025)

Past Attacks

Tactics and Motivations

Related