A shadowy anti-Iranian hacking group known as “Predatory Sparrow” has claimed responsibility for a cyberattack on one of Iran’s largest cryptocurrency exchanges, Nobitex, that destroyed nearly $90 million in digital assets. The operation, announced early Wednesday, marks the second attack by the group in as many days, as cyber tensions escalate in parallel with rising regional hostilities between Israel and Iran.
Nobitex, often viewed as a critical gateway for the Iranian government to bypass global financial sanctions, was forced to take its website and mobile app offline in response to what it described as “unauthorised access.” The platform did not respond to enquiries via its Telegram support channel, and its services remained down as of Wednesday evening.
“Funds Burned to Send a Message”
According to blockchain analysis firms TRM Labs and Elliptic, the attack began in the early morning hours when Nobitex funds were moved into hacker-controlled wallets, many of which carried messages condemning Iran’s Islamic Revolutionary Guard Corps (IRGC).
TRM Labs pegged the total loss at approximately $90 million, spread across multiple cryptocurrencies. However, the hackers never attempted to cash out the assets. Instead, they directed the funds to wallets configured in such a way that no one, not even the hackers, could access them.
Elliptic said in a blog post that the funds were “effectively burned,” concluding that the attack was less about financial gain and more about making a political statement. “The hackers structured the wallets so the crypto is permanently inaccessible,” the firm wrote. “This was a symbolic strike aimed at Nobitex and what it allegedly represents.”
Ties to Sanctioned Groups and Iranian State Interests
The attack on Nobitex comes amid longstanding accusations that the platform facilitates illicit finance for Iran and its regional allies. Blockchain forensics firms have previously linked Nobitex to wallets affiliated with Hamas, Palestinian Islamic Jihad, and Yemen’s Houthis, groups that have launched attacks against Israel in recent years.
Those concerns reached Washington last month. U.S. Senators Elizabeth Warren and Angus King flagged Nobitex in a letter to senior Biden administration officials, citing 2022 reporting by Reuters. The senators argued the exchange has enabled Iranian efforts to evade sanctions and launder funds through the global cryptocurrency ecosystem.
Andrew Fierman, head of national security intelligence at Chainalysis, told Reuters that Nobitex has a documented history of facilitating cash-outs for ransomware operators affiliated with the IRGC. “We’ve previously seen IRGC-affiliated ransomware actors leveraging Nobitex to cash out proceeds,” Fierman noted, reinforcing suspicions that the platform plays a direct role in state-linked financial operations.
Predatory Sparrow’s Trail of Attacks
Predatory Sparrow, known by its Persian name Gonjeshke Darande, is no stranger to high-impact cyber strikes. In 2021, the group crippled Iran’s national gas station network, leading to nationwide outages. A year later, it targeted an Iranian steel mill, resulting in significant physical damage and a fire. Wednesday’s operation appears to be the group’s most financially costly act of cyberwarfare to date.
Though Israel has never formally acknowledged its connection to Predatory Sparrow, Israeli media widely report the group as aligned with Israeli intelligence interests. Wednesday’s attack follows another incident just one day earlier, when the same group claimed to have compromised data at Iran’s state-owned Bank Sepah.
Nobitex has not issued a full technical post-mortem of the incident but acknowledged in a social media post on X that it was investigating a breach of its systems. The company’s silence and the magnitude of the losses raise questions about the resilience of Iran’s digital financial infrastructure in the face of mounting cyber threats.
The New Front Line: Crypto and Cyberwar
As geopolitical conflict increasingly extends into the digital realm, cryptocurrency platforms are becoming high-value targets, particularly in states subject to international sanctions. The Nobitex attack underscores how virtual currencies, once heralded for decentralisation and anonymity, have become battlegrounds for geopolitical messaging and disruption.
By targeting a critical pillar of Iran’s workaround to global financial isolation, Predatory Sparrow’s latest strike is as symbolic as it is strategic. With nearly $90 million effectively erased, the hackers sent a loud and costly message: the digital lifelines that support Iran’s regime are not beyond reach.