Predatory Sparrow (Gonjeshke Darande)

2021-07-09

Predatory Sparrow disrupts Iran's national railway system using Meteor wiper malware, displaying mocking messages on station boards directing passengers to call Supreme Leader Khamenei's office.

2021-07-10

Group attacks website of Iran's Ministry of Roads and Urban Development, one day after the railway attack.

2021-10-26

Major cyberattack disrupts approximately 4,300 Iranian fuel stations (roughly 80% of national total), disabling subsidized fuel payment systems and hijacking highway billboards. Group claims responsibility; anonymous U.S. defense officials later attribute the operation to Israel.

2022-01-27

Group claims responsibility for a wiper attack against Islamic Republic of Iran Broadcasting (IRIB), Iran's national public broadcaster.

2022-06-27

Coordinated cyberattacks hit three Iranian steel companies (Khuzestan Steel, Mobarakeh Steel, Hormozgan Steel) affiliated with the IRGC. Video footage of equipment damage, including a fire caused by molten steel spillage, is released. Khuzestan Steel suspends operations. Alleged internal documents are leaked.

2023-10-10

Group reemerges after a nine-month hiatus, posting 'Do you think this is scary? We returned' on Telegram and X, coinciding with the aftermath of the October 7 Hamas attack on Israel.

2023-12-18

Attack disrupts approximately 70% of Iranian gas stations during the December 2023 campaign. Iranian Oil Minister Javad Owji confirms the disruption. Group states the attack is in response to Islamic Republic aggression and its regional proxies.

2025-06-17

Group claims to have attacked Bank Sepah, an Iranian state-owned bank with alleged IRGC ties, deploying wiper malware to destroy data at the primary data center. ATM and mobile banking services are disrupted across Iran. Operation occurs amid active Israel-Iran missile exchanges.

2025-06-18

Group breaches Nobitex, Iran's largest cryptocurrency exchange, stealing approximately $90 million across multiple blockchains including Bitcoin, Ethereum, Dogecoin, XRP, Solana, Tron, and TON. Rather than retaining the funds, the group burns them by transferring to inaccessible vanity addresses bearing the phrase 'F*ckIRGCterrorists.' Elliptic confirms the breach and identifies Nobitex's prior transactions with IRGC-linked, Hamas-linked, and Houthi-linked wallets.

2025-07-19

Reports confirm that wartime cyberattacks wiped data from two major Iranian banks, Sepah and Pasargad, with Sepah's primary data center going dark and stored data apparently corrupted.

2026-06-02

OFAC formally designates Nobitex and three other Iranian crypto exchanges (Wallex, Bitpin, Ramzinex) for sanctions evasion and terrorist financing, actions that analysts noted were compounded by on-chain evidence surfaced during and after the Predatory Sparrow breach.