A sophisticated Israeli-linked hacking group drained more than $90 million from Iran’s largest cryptocurrency exchange in what appears to be a state-sponsored cyberattack targeting the country’s sanctions-evasion infrastructure, as the two nations entered their sixth day of direct military conflict.
The group known as Predatory Sparrow, or Gonjeshke Darande in Persian, claimed responsibility Wednesday for the devastating hack of Nobitex, which has served as a critical financial lifeline for Iran under heavy international sanctions. The hackers accused Nobitex of being “at the heart of the regime’s efforts to finance terror worldwide” and serving as Iran’s “favorite sanctions violation tool.”
BREAKING 🔴🔴🔴
Israeli-linked hacker group “Predatory Sparrow” wiped out 95% of assets on Iran’s Nobitex crypto exchange.
Nobitex was reportedly used by Tehran to evade sanctions through crypto. Wallet balances plunged from $1.8 billion to just $100 million. pic.twitter.com/vaKoRwHHRV
— Open Source Intel (@Osint613) June 18, 2025
Blockchain analysis firm Elliptic confirmed that over $90 million was sent from Nobitex hot wallets to hacker-controlled addresses, using provocative wallet names containing anti-Iranian messaging. The stolen funds were moved across multiple blockchains, including Bitcoin, Ethereum, Tron, and Dogecoin.
The attack represents a dramatic escalation in the cyber dimension of the Israel-Iran conflict, which erupted Friday when Israel launched unprecedented strikes on Iranian nuclear facilities. The strikes killed over 200 Iranian civilians and targeted key atomic sites, including the Natanz nuclear facility, prompting Iranian retaliation with ballistic missiles targeting Israeli cities.
Predatory Sparrow is believed to be linked to Israeli Military Intelligence and has previously claimed responsibility for cyberattacks that forced Iranian steel companies to halt production and paralyzed gas stations across the country. Anonymous US defense officials have told media outlets that previous operations targeting Iranian gas stations were carried out by Israel.
Research by multiple blockchain intelligence firms has documented Nobitex’s central role in helping Iran circumvent international sanctions. Reuters reported that nearly $8 billion flowed between Nobitex and cryptocurrency exchange Binance from 2018 to 2022, with Nobitex offering guidance on its website for skirting sanctions.
⚠️ This was the same exchange Binance helped illegally launder billions of dollars through … one of the reasons CZ was arrested https://t.co/osl9xOiUdU pic.twitter.com/Ehw6L8UPlG
— Rho Rider (@RhoRider) June 18, 2025
Open source investigations have identified relatives of Supreme Leader Ali Khamenei and IRGC-linked business partners as connected to Nobitex, while the exchange has facilitated transactions with sanctioned operatives accused of ransomware operations. Analysis shows the platform has processed transactions with Hamas, Palestinian Islamic Jihad, and Houthi-affiliated networks.
The Nobitex hack came one day after Predatory Sparrow claimed responsibility for disrupting Iran’s state-owned Bank Sepah, which serves the Islamic Revolutionary Guard Corps. The banking attack allegedly “destroyed all data” and left customers unable to access accounts or receive government salaries.
After the IRGC’s “Bank Sepah” comes the turn of Nobitex
WARNING!
In 24 hours, we will release Nobitex's source code and internal information from their internal network.
Any assets that remain there after that point will be at risk!
The Nobitex exchange is at the heart of the… pic.twitter.com/GFyBCPCFIE
— Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025
The group warned it would release Nobitex’s source code and internal documents within 24 hours, claiming that working at the exchange “is considered equivalent to military service due to its importance to Iran’s financial infrastructure.”
The cyber assault occurred as President Donald Trump weighs whether to authorize US military strikes on Iran’s deeply buried Fordow nuclear facility, which only American bunker-busting weapons could effectively destroy. The Israeli attacks began the day after the expiration of a two-month US deadline for Iran to reach a nuclear deal.
Nobitex confirmed the security breach and promised full compensation to affected users through insurance funds. The exchange said the majority of user assets remained secure in cold storage systems offline.
Follow-up on Nobitex Security Incident – June 19, 2025
One day after the security incident, we would like to share the latest updates and technical decisions with our valued users.
Our investigations indicate that the scope and impact of the attack are more complex than…
— Nobitex | نوبیتکس (@nobitexmarket) June 19, 2025