Pro-Israel hackers hit Iran’s Nobitex exchange, draining $90M in politically charged cyberattack
Hacker group Predatory Sparrow claims $90M crypto attack on Iran’s Nobitex, tied to IRGC and state-linked wallets.

Nobitex, the largest cryptocurrency exchange in Iran, reportedly lost approximately $90 million in a cyberattack that occurred on Wednesday, blockchain analytics firm Elliptic said. Gonjeshke Darande (known internationally as “Predatory Sparrow”), a pro-Israel hacking group with a history of attacks on Iranian infrastructure, claimed responsibility for the attack.
Elliptic explained that some funds appeared to be stolen from the platform's wallets and sent to addresses containing anti-government slogans referencing the Islamic Revolutionary Guard Corps (IRGC), signifying that the operation was politically motivated rather than a simple theft. Nobitex went offline as soon as the attack occurred.

Predatory Sparrow claims responsibility
Predatory Sparrow publicly claimed the breach and threatened to release the exchange’s source code. The same group also took credit for a recent cyberattack on Iran’s state-owned Bank Sepah, amid intensifying conflict between Israel and Iran, which escalated further after exchanges of missile fire late last week.
According to Elliptic, although the stolen funds haven’t been conclusively tied to the group, the transactions were routed to wallet addresses that the hackers are unlikely to control. This suggests the attackers may have destroyed the crypto assets deliberately, using them as a form of protest rather than for financial gain.

Ties to sanctioned entities and militant networks
Elliptic's analysis connects Nobitex to the IRGC, an elite Iranian army force designated by the U.S., U.K., EU, and Canada as a terrorist group. Previous investigations have connected the exchange to people and organizations tied to ransomware operations and Iranian Supreme Leader Ayatollah Ali Khamenei.
Blockchain records also show that Nobitex has previously transacted and at times interacted with wallets connected to other regional groups like Hamas, Palestinian Islamic Jihad, and the Houthis. After the breach, Elliptic stated that it has updated its compliance monitoring tools and will continue to track asset movements connected to Iranian entities as cyber threats in the region become more sophisticated.