Pro-Israel Hackers Target Iran’s Largest Crypto Exchange, Destroying Millions
In a significant cyberattack escalating alongside rising Middle East tensions, a hacking collective known as “Predatory Sparrow” (Gonjeshke Darande) claims to have crippled one of Iran’s largest cryptocurrency exchanges, resulting in the destruction of an estimated $90 million in digital assets.
The targeted platform, Nobitex, reportedly serving over 10 million users in Iran, went offline following the incident. Predatory Sparrow announced the operation on social media, stating their motive was to disrupt a “key regime tool for financing terrorism and violating sanctions.”
$90 Million ‘Burned’ in Unique Political Statement
Blockchain analysis firms monitoring the activity confirmed that approximately $90 million worth of various cryptocurrencies, including Bitcoin and Dogecoin, were moved from Nobitex’s hot wallets. However, in an unusual move for a cyberattack, the funds were not transferred to wallets controlled by the hackers for personal gain.
Instead, the assets were intentionally sent to inaccessible blockchain addresses, effectively “burning” or permanently destroying them. Experts note that this act was highly symbolic, serving as a political message rather than a traditional theft. Evidence suggests some of the burn addresses even included explicit anti-Iran or anti-Islamic Revolutionary Guard Corps (IRGC) messages. One analyst described the method as unprecedented, stating they had “never seen a hack that has occurred in the way that this one has.”
This method underscores that the attack was “most likely geopolitically motivated,” aiming to inflict damage and send a clear message rather than acquire financial resources.
Allegations of Sanctions Evasion and Terrorism Financing
Predatory Sparrow’s justification for targeting Nobitex centers on the exchange’s alleged role in helping the Iranian government bypass international sanctions and finance illicit activities globally. This claim is supported by external analysis and past reports.
Blockchain data analyzed by firms like Elliptic and Chainalysis has reportedly linked the Nobitex platform to entities hostile to Israel, including cryptocurrency wallets associated with militant groups such as Hamas, Palestinian Islamic Jihad, and Yemen’s Houthis. Furthermore, reports suggest the exchange has been leveraged by IRGC-affiliated actors and even linked to sanctioned Iranian nationals using the platform for money laundering. Concerns about Nobitex’s potential role in enabling Iranian sanctions evasion were previously raised by U.S. Senators in a 2024 letter to the Biden administration.
Predatory Sparrow’s History and Potential Israel Link
Gonjeshke Darande, or Predatory Sparrow, is described as an established hacking group with a history of sophisticated cyber operations targeting Iranian infrastructure. Prior notable attacks claimed by the group include causing widespread gas station outages in 2021 and a 2022 strike on an Iranian steel mill that resulted in significant physical damage.
The group emerged publicly in 2021 and is widely reported by Israeli media as having ties to Israel, although the Israeli government has never formally acknowledged any connection. The timing of the Nobitex attack, occurring just days after the group claimed to have destroyed data at Iran’s state-owned Bank Sepah and amidst increasing hostilities and missile exchanges between Israel and Iran, further places the incident within the broader context of the ongoing cyber and physical conflict in the region.
Nobitex Response and Future Threats
Following the attack, Nobitex confirmed detecting “unauthorized access” to its systems, including a portion of customer funds stored in hot wallets. The exchange took its website and app offline for review and investigation.
Nobitex released a statement assuring users that the vast majority of assets held in cold storage were unaffected. The company also indicated it had proactively emptied its hot wallets and maintained sufficient financial reserves to cover potential losses.
Beyond destroying funds, Predatory Sparrow has threatened to publish Nobitex’s source code and internal systems, aiming to remove what they called the “walled garden” around the exchange’s operations. They also advised Nobitex users to withdraw their assets promptly.
The incident highlights the increasing intersection of cryptocurrency platforms and geopolitical conflict, demonstrating how digital assets and cyber warfare are becoming tools in state-level disputes and proxy conflicts.
