Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
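
The three-way comparison from the steps above, as an added Python example (it is not AVOID.NET's src.verify_decision or any other code from the site). It assumes the Bitcoin/Solana base58 alphabet and that d: and t: carry a decision id and an ISO timestamp; the payload, id and memo are constructed samples, and fetching the memo from Solana is left out so the check runs offline.

```python
import hashlib
import json

# Assumption: base58 here means the Bitcoin alphabet, which Solana also uses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def hash_canonical(canonical: str) -> str:
    """SHA-256 over the exact UTF-8 bytes of the stored string, then base58."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def parse_memo(memo: str) -> dict:
    """Parse AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso> into its h/d/t fields."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[0] != "AVOID.NET" or parts[1] != "v1":
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for expected, part in zip(("h", "d", "t"), parts[2:]):
        # Split on the first ':' only: the ISO timestamp contains colons itself.
        key, sep, value = part.partition(":")
        if key != expected or not sep or not value:
            raise ValueError(f"malformed memo field, expected '{expected}:'")
        fields[key] = value
    return fields


def verify(db_hash: str, canonical: str, memo: str) -> dict:
    """Compare the database hash, the recomputed hash and the on-chain hash."""
    recomputed = hash_canonical(canonical)
    onchain = parse_memo(memo)["h"]
    db_ok = db_hash == recomputed
    chain_ok = onchain == recomputed
    return {
        "recomputed": recomputed,
        "db_matches": db_ok,
        "chain_matches": chain_ok,
        "authentic": db_ok and chain_ok,
    }


# Constructed sample data (not a real AVOID.NET decision).
SAMPLE_CANONICAL = (
    '{"actor":"system:example","kind":"publish","sequence_num":1,'
    '"snapshot":{"entity_name":"Café Example"},"v":1}'
)
SAMPLE_DB_HASH = hash_canonical(SAMPLE_CANONICAL)
SAMPLE_MEMO = (
    f"AVOID.NET|v1|h:{SAMPLE_DB_HASH}|d:example-decision-id"
    "|t:2026-01-01T00:00:00.000Z"
)


def reserialized(canonical: str) -> str:
    """Parse and re-dump the JSON with library defaults.

    The result is the same JSON document but different bytes (separator
    spacing, \\u escapes for non-ASCII), so its hash no longer matches.
    Always hash the stored string itself, never a re-serialized copy.
    """
    return json.dumps(json.loads(canonical))


if __name__ == "__main__":
    print("stored bytes :", verify(SAMPLE_DB_HASH, SAMPLE_CANONICAL, SAMPLE_MEMO))
    edited = SAMPLE_CANONICAL.replace('"publish"', '"reject"')
    print("edited bytes :", verify(SAMPLE_DB_HASH, edited, SAMPLE_MEMO))
    print("re-serialized:",
          verify(SAMPLE_DB_HASH, reserialized(SAMPLE_CANONICAL), SAMPLE_MEMO))
```

A mismatch after parsing and re-dumping the payload does not by itself indicate tampering; it usually means the bytes being hashed are not the ones that were stored.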

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 426681051
Off-chain at: 2026-06-15T17:38:37.097Z
Anchored at:
Block time:

Independent verification

1. Database (off-chain): J1anJoJZ9RZXsgHDQ71d8TvMiThD8dxNhXWWEAQ9ocRk
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…
Canonical bytes hashed (35015 chars)
{"actor":"system:backfill","investigation_id":"f0b8d42e-a7c3-4496-9ac1-4b897646124e","kind":"publish","page_slug":"predatory-sparrow-gonjeshke-darande","published_at":"2026-06-15T17:38:36.994Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Predatory Sparrow (Gonjeshke Darande)","sections":[{"content":"Predatory Sparrow (Persian: Gonjeshke Darande) is a threat actor that publicly emerged in July 2021. The group presents itself as composed of Iranian anti-government hacktivists opposed to the Islamic Republic, communicating in Farsi and framing attacks as responses to regime abuses, sanctions violations, and support for proxy forces. Despite this self-portrayal, cybersecurity researchers and intelligence analysts widely assess the group to be operating with Israeli government backing. Anonymous U.S. defense officials told the New York Times in 2021 that Israel conducted the October 2021 fuel-system attack attributed to the group. Following the June 2022 steel mill attacks, Israeli Defense Minister Benny Gantz reportedly ordered an investigation into media leaks that identified the group as state-affiliated, which researchers interpreted as indirect confirmation. The Israeli government has not officially acknowledged any connection to Predatory Sparrow. Security researcher Juan Andres Guerrero-Saade of SentinelLabs described the group's operations as distinguished by 'restraint' that signals 'greater capabilities' — a hallmark more consistent with state-directed operations than independent hacktivism. 
The group is tracked on the Malpedia threat actor database and has been analyzed by multiple major cybersecurity firms including SentinelOne, Elliptic, Chainalysis, and Halborn.","heading":"Background and Identity","severity":"high","sources":[{"credibility":2,"name":"Predatory Sparrow — Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/Predatory_Sparrow"},{"credibility":2,"name":"Predatory Sparrow (Threat Actor) — Malpedia / Fraunhofer FKIE","type":"research","url":"https://malpedia.caad.fkie.fraunhofer.de/actor/predatory_sparrow"},{"credibility":2,"name":"Savvy Israel-linked hacking group reemerges amid Gaza fighting — CyberScoop","type":"news_article","url":"https://cyberscoop.com/predatory-sparrow-israel-gaza-cyber/"},{"credibility":2,"name":"Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears — Dark Reading","type":"news_article","url":"https://www.darkreading.com/threat-intelligence/pro-israeli-hacktivist-group-predatory-sparrow-reappears"}]},{"content":"Predatory Sparrow's documented operations span Iranian railway, fuel, media, steel, and financial infrastructure. On July 9–10, 2021, the group disrupted Iran's national railway system, causing widespread train delays and displaying messages on station boards directing passengers to call the office of Supreme Leader Ayatollah Ali Khamenei. The following day, the group also attacked the website of Iran's Ministry of Roads and Urban Development. In October 2021, the group conducted a major cyberattack on Iran's national fuel payment system, disabling approximately 4,300 gas stations — roughly 80% of the country's total — by attacking the intranet-based system used to process government-subsidized fuel purchases using smart cards. Digital highway billboards in Tehran were hijacked to display 'Khamenei, where is our fuel?' In January 2022, the group claimed responsibility for a wiper attack against the Islamic Republic of Iran Broadcasting (IRIB), Iran's national public broadcaster. 
On June 27, 2022, the group executed coordinated cyberattacks against three Iranian steel companies — Khuzestan Steel, Mobarakeh Steel, and Hormozgan Steel — all alleged to be affiliated with the IRGC or the Basij. The attack caused operations at Khuzestan Steel to be suspended, released CCTV footage of equipment damage and a fire caused by molten steel spillage, and was accompanied by a tranche of alleged internal documents. The group stated the companies were 'subject to international sanctions and continue their operations despite the restrictions.' On December 18, 2023, the group struck Iran's fuel distribution network again, disrupting approximately 70% of the country's gas stations, prompting Iranian Oil Minister Javad Owji to confirm the attack. The group stated the action was 'in response to the aggression of the Islamic Republic and its proxies in the region,' including a reference to the post-October 7 Gaza conflict. Across all operations, the group has stated it takes precautions to limit collateral damage to emergency services.","heading":"Operational History: Infrastructure Attacks (2021–2023)","severity":"high","sources":[{"credibility":1,"name":"MeteorExpress: Mysterious Wiper Paralyzes Iranian Trains with Epic Troll — SentinelLabs","type":"research","url":"https://www.sentinelone.com/labs/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/"},{"credibility":2,"name":"Iranian steel facilities suffer apparent cyberattacks — CyberScoop","type":"news_article","url":"https://cyberscoop.com/iran-cyberattack-israel-hacktivist-steel-ics/"},{"credibility":2,"name":"Large cyberattack on Iranian industrial sector targets three steel plants — Times of Israel","type":"news_article","url":"https://www.timesofisrael.com/large-cyberattack-on-iranian-industrial-sector-targets-three-steel-plants/"},{"credibility":2,"name":"Predatory Sparrow claim cyberattack on Iran's gas stations — 
CNBC","type":"news_article","url":"https://www.cnbc.com/2023/12/18/pro-israel-hackers-claim-cyberattack-disrupting-irans-gas-stations.html"},{"credibility":2,"name":"Iran points at Israeli-linked group as cyberattack disrupts fuel network — Al Jazeera","type":"news_article","url":"https://www.aljazeera.com/news/2023/12/18/iran-says-cyberattack-disrupts-petrol-stations-across-country"},{"credibility":2,"name":"Iran gas stations reopen but payment issues persist — Times of Israel","type":"news_article","url":"https://www.timesofisrael.com/iran-gas-stations-reopen-but-payment-issues-persist-after-alleged-hack-chokes-supply/"},{"credibility":2,"name":"Predatory Sparrow massively disrupts steel factories while keeping workers safe — Malwarebytes / ThreatDown","type":"research","url":"https://www.threatdown.com/blog/predatory-sparrow-massively-disrupts-steel-factories-while-keeping-workers-safe/"}]},{"content":"In June 2025, coinciding with an active Israel-Iran military exchange, Predatory Sparrow escalated into direct cryptocurrency infrastructure targeting. On June 17, 2025, the group claimed to have attacked Bank Sepah, a major Iranian state-owned bank with alleged IRGC ties. The group stated it deployed wiper malware to disable endpoints and data centers, released documents alleging military financial agreements, and caused widespread disruption to ATM networks, internet banking, and mobile banking services. Reports from Iran International indicated that banking data at both Bank Sepah and Bank Pasargad was destroyed, with primary data centers going dark and monitoring dashboards frozen. On June 18, 2025, Predatory Sparrow claimed responsibility for breaching Nobitex, Iran's largest cryptocurrency exchange, which had been processing the majority of on-chain digital asset activity originating from Iran. 
The group stated it stole approximately $90 million across multiple blockchains — including Bitcoin, Ethereum, Dogecoin, XRP, Solana, Tron, and TON, per Chainalysis — by compromising private keys for the exchange's hot wallets on EVM-compatible networks and the Tron network. Rather than retaining the stolen funds, the attackers transferred the assets to vanity wallet addresses whose public keys contained variations of the phrase 'F*ckIRGCterrorists.' Because the private keys for such vanity addresses cannot be computationally derived, the funds were permanently inaccessible — effectively burned. The group also stated it had obtained Nobitex's internal source code and configuration data, and threatened to publish it. Blockchain analytics firm Elliptic confirmed the breach, noting on-chain evidence that Nobitex wallets had transacted with entities associated with Hamas, Palestinian Islamic Jihad, Houthi organizations, and IRGC-linked ransomware actors. Elliptic estimated approximately $366 million in sanctions-linked activity had passed through Nobitex; Chainalysis estimated approximately $68 million, and Crystal Intelligence approximately $22 million in direct transfers from sanctioned wallets. Nobitex's CEO denied any IRGC affiliation. 
In June 2026, OFAC formally sanctioned Nobitex and three other Iranian crypto exchanges — Wallex, Bitpin, and Ramzinex — for sanctions evasion and terrorist financing, an action that analysts noted was compounded by the prior Predatory Sparrow attack.","heading":"Cryptocurrency and Financial Infrastructure Attacks (2025)","severity":"critical","sources":[{"credibility":2,"name":"Pro-Israel hackers hit Iran's Nobitex exchange, burn $90M in crypto — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto/"},{"credibility":1,"name":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","type":"research","url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"credibility":2,"name":"Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/predatory-sparrow-burns-90-million-on-iranian-crypto-exchange-in-cyber-shadow-war/"},{"credibility":1,"name":"Pro-Israel hackers take credit after $90 million stolen from Iran's largest crypto exchange — CNN","type":"news_article","url":"https://www.cnn.com/2025/06/18/middleeast/pro-israel-hackers-iran-crypto"},{"credibility":1,"name":"Pro-Israel hackers attack Iran's largest crypto exchange, destroying $90 million — NBC News","type":"news_article","url":"https://www.nbcnews.com/world/middle-east/hackers-attack-irans-largest-crypto-exchange-destroying-90-million-rcna213920"},{"credibility":2,"name":"Explained: The Nobitex Hack (June 2025) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-nobitex-hack-june-2025"},{"credibility":1,"name":"Predatory Sparrow's operations against Iranian financial cyber infrastructure (2025) — CCDCOE Cyber Law 
Toolkit","type":"other","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow%E2%80%99s_operations_against_Iranian_financial_cyber_infrastructure_(2025)"},{"credibility":2,"name":"Predatory Sparrow Hacks Iran's Financial System — Hudson Institute","type":"research","url":"https://www.hudson.org/cybersecurity/predatory-sparrow-hacks-irans-financial-system-michael-doran-zineb-riboua"},{"credibility":2,"name":"Wartime cyberattack wiped data from two major Iranian banks — Iran International","type":"news_article","url":"https://www.iranintl.com/en/202507192001"},{"credibility":1,"name":"U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors — BleepingComputer","type":"regulatory","url":"https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/"},{"credibility":2,"name":"US sanctions Nobitex, Iran's largest cryptocurrency exchange — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2026/06/02/u-s-sanctions-iranian-crypto-exchanges-in-ongoing-war-against-country"},{"credibility":1,"name":"OFAC Sanctions Nobitex and Iranian Cryptocurrency Exchanges — Chainalysis","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"}]},{"content":"Predatory Sparrow's technical toolkit has been analyzed by multiple security firms and shows consistent use of destructive wiper malware. The July 2021 railway attack was conducted using a wiper dubbed 'Meteor' (also referred to as the MeteorExpress campaign by SentinelOne), which accepted an encrypted JSON configuration file with 23 configurable parameters. The malware suite included: a primary wiper (env.exe) for filesystem encryption and process termination; a screen locker (mssetup.exe) creating full-screen lockouts; and an MBR corruptor (nti.exe) reportedly overwriting sectors in a manner similar to the NotPetya wiper. 
Additional capabilities included shadow copy deletion, password changes for all users, boot configuration corruption, event log clearing, and domain removal. SentinelOne researchers classified the toolkit as intermediate-level — sophisticated in target reconnaissance and operational effect, but showing OPSEC imperfections such as verbose debug strings and development artifacts remaining in binaries compiled six months before deployment. The 2022 steel mill attacks included deployment of ICS-targeted malware capable of interfering with human-machine interface (HMI) software used to control industrial equipment. The 2025 Bank Sepah attack similarly deployed wiper malware to overload and crash endpoints and data center infrastructure. The Nobitex breach was attributed to compromised private key material, consistent with credential theft or insider compromise, rather than a direct protocol exploit.","heading":"Malware and Technical Capabilities","severity":"high","sources":[{"credibility":1,"name":"MeteorExpress: Mysterious Wiper Paralyzes Iranian Trains with Epic Troll — SentinelLabs","type":"research","url":"https://www.sentinelone.com/labs/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/"},{"credibility":2,"name":"Predatory Sparrow: Inside the Cyber Warfare Targeting Iran's Critical Infrastructure — Picus Security","type":"research","url":"https://www.picussecurity.com/resource/blog/predatory-sparrow-inside-the-cyber-warfare-targeting-irans-critical-infrastructure"},{"credibility":2,"name":"Hacktivist Group Gonjeshke Darande Attacks Iranian Steel Companies — Anvilogic","type":"research","url":"https://www.anvilogic.com/threat-reports/iranian-steel-firms-attacked"},{"credibility":2,"name":"Explained: The Nobitex Hack (June 2025) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-nobitex-hack-june-2025"}]},{"content":"Attribution of Predatory Sparrow to the Israeli government or military intelligence has been 
assessed as highly probable by multiple independent parties, though no official confirmation exists. Key attribution evidence includes: (1) Anonymous U.S. defense officials told the New York Times that Israel conducted the October 2021 fuel-system cyberattack claimed by the group. (2) Israeli Defense Minister Benny Gantz ordered an investigation into media leaks following the June 2022 steel mill attacks — an action widely interpreted by analysts as an implicit acknowledgment of Israeli operational involvement. (3) The operational sophistication, including pre-attack reconnaissance, ICS familiarity, and deliberate restraint to limit civilian casualties, is assessed to exceed typical hacktivist capabilities and is consistent with a state-level actor. (4) Israeli media has broadly reported the group as 'Israel-linked' without official denial. The group itself has never claimed Israeli government affiliation and presents as an independent hacktivist collective. The CCDCOE Cyber Law Toolkit, analyzing the June 2025 operations, notes that 'the government of Israel has not officially acknowledged any such connection' to Predatory Sparrow. Some researchers have speculatively linked the group to Israeli military intelligence units such as Unit 8200, though this connection has not been substantiated by any named source or official document. 
The group's pattern of operation — attacking entities linked to IRGC sanctions evasion and using messaging explicitly targeting the IRGC — aligns with known Israeli strategic objectives vis-a-vis Iran.","heading":"Attribution and State-Sponsorship Assessment","severity":"high","sources":[{"credibility":2,"name":"Predatory Sparrow — Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/Predatory_Sparrow"},{"credibility":1,"name":"Predatory Sparrow's operations against Iranian financial cyber infrastructure (2025) — CCDCOE Cyber Law Toolkit","type":"other","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow%E2%80%99s_operations_against_Iranian_financial_cyber_infrastructure_(2025)"},{"credibility":2,"name":"Who is behind Predatory Sparrow's cyberattack on Iranian service stations? — L'Orient Today","type":"news_article","url":"https://today.lorientlejour.com/article/1361674/who-is-behind-predatory-sparrows-cyberattack-on-iranian-service-stations.html"},{"credibility":2,"name":"5 times Israel's Unit 8200 waged digital war on Iran — WION","type":"news_article","url":"https://www.wionews.com/world/5-times-israel-s-unit-8200-waged-digital-war-on-iran-1750497054192"},{"credibility":2,"name":"Savvy Israel-linked hacking group reemerges amid Gaza fighting — CyberScoop","type":"news_article","url":"https://cyberscoop.com/predatory-sparrow-israel-gaza-cyber/"}]},{"content":"The CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) Cyber Law Toolkit has analyzed Predatory Sparrow's 2022 steel mill operations and 2025 financial infrastructure attacks under international law frameworks. The 2022 steel operations were examined under scenarios covering cyber operations against industrial control systems. 
The 2025 Bank Sepah and Nobitex operations were analyzed under Scenario 12 (cyber operations against computer data) and Scenario 18 (legal status of cyber operators during armed conflict), as the attacks occurred during an active military exchange between Israel and Iran in June 2025. The CCDCOE analysis notes significant legal ambiguity given the unconfirmed state affiliation of the group. The Nobitex exchange itself became the subject of formal U.S. regulatory action: on June 2, 2026, OFAC designated Nobitex along with three other Iranian cryptocurrency exchanges — Wallex, Bitpin, and Ramzinex — for sanctions evasion, terrorist financing, and enabling transactions by IRGC-affiliated entities. This regulatory action post-dated but was informed by on-chain evidence gathered in part following the Predatory Sparrow breach, which exposed internal transaction records. Predatory Sparrow itself has not been named in any publicly available U.S. government sanctions designation, indictment, or law enforcement action as of June 2026.","heading":"International Law and Regulatory Context","severity":"medium","sources":[{"credibility":1,"name":"Predatory Sparrow operation against Iranian steel maker (2022) — CCDCOE Cyber Law Toolkit","type":"other","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow_operation_against_Iranian_steel_maker_(2022)"},{"credibility":1,"name":"Predatory Sparrow's operations against Iranian financial cyber infrastructure (2025) — CCDCOE Cyber Law Toolkit","type":"other","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow%E2%80%99s_operations_against_Iranian_financial_cyber_infrastructure_(2025)"},{"credibility":1,"name":"OFAC Sanctions Nobitex and Iranian Cryptocurrency Exchanges — Chainalysis","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"},{"credibility":2,"name":"US Treasury Sanctions Iran's Largest Crypto Exchange Nobitex — Unchained 
Crypto","type":"news_article","url":"https://unchainedcrypto.com/us-treasury-sanctions-irans-largest-crypto-exchange-nobitex-along-with-three-other-iranian-platforms-under-economic-fury-campaign/"}]},{"content":"Predatory Sparrow presents an unusual risk profile from a crypto market perspective. The group itself is not a crypto scam, exchange, or token issuer — it is a threat actor that has conducted destructive cyberattacks against crypto infrastructure. Its June 2025 attack on Nobitex represents one of the largest single destruction events in cryptocurrency history, with approximately $90 million in assets permanently burned rather than stolen for financial gain. The group deliberately chose to make the theft irreversible by using vanity addresses as a political statement targeting the IRGC. Blockchain data confirmed the stolen assets included Bitcoin, Ethereum, Dogecoin, XRP, Solana, Tron, and TON. For users and institutions, the primary risk is indirect: exchanges or wallets that transacted with Nobitex prior to the breach may have exposure through association. Elliptic's post-breach analysis linked Nobitex wallets to sanctioned entities including the IRGC, Hamas, Palestinian Islamic Jihad, and Houthi organizations — creating potential secondary sanctions liability for any counterparties. The subsequent OFAC designation of Nobitex in June 2026 formalized this risk. 
Predatory Sparrow's demonstrated capability to compromise private keys and hot wallet infrastructure at a major exchange represents a credible threat model for other exchanges operating in sanctioned or adversarial environments.","heading":"Crypto Risk Profile","severity":"high","sources":[{"credibility":1,"name":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","type":"research","url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"credibility":2,"name":"Analysis: Gonjeshke Darande attack on Iran's Nobitex — Outpost24","type":"research","url":"https://outpost24.com/blog/gonjeshke-darande-attacks-iranian-nobitex/"},{"credibility":1,"name":"Pro-Israel hackers destroy $90 million in Iran crypto exchange breach — CNBC","type":"news_article","url":"https://www.cnbc.com/2025/06/18/pro-israel-hackers-iran-crypto.html"},{"credibility":2,"name":"Israel hacks Iranian crypto exchange for $90 million — Fortune","type":"news_article","url":"https://fortune.com/crypto/2025/06/18/nobitex-gonjeshke-darande-predatory-sparrow-iran-israel-hack/"},{"credibility":2,"name":"Iran's largest crypto exchange enables IRGC to move millions despite sanctions — Times of Israel","type":"news_article","url":"https://www.timesofisrael.com/irans-largest-crypto-exchange-enables-irgc-to-move-millions-despite-sanctions/"}]}],"sources_used":[{"credibility":2,"name":"Predatory Sparrow — Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/Predatory_Sparrow"},{"credibility":2,"name":"Predatory Sparrow (Threat Actor) — Malpedia / Fraunhofer FKIE","type":"research","url":"https://malpedia.caad.fkie.fraunhofer.de/actor/predatory_sparrow"},{"credibility":1,"name":"MeteorExpress: Mysterious Wiper Paralyzes Iranian Trains with Epic Troll — SentinelLabs","type":"research","url":"https://www.sentinelone.com/labs/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/"},{"credibility":2,"name":"Iranian 
steel facilities suffer apparent cyberattacks — CyberScoop","type":"news_article","url":"https://cyberscoop.com/iran-cyberattack-israel-hacktivist-steel-ics/"},{"credibility":2,"name":"Hacktivists claiming attack on Iranian steel facilities dump tranche of documents — CyberScoop","type":"news_article","url":"https://cyberscoop.com/gonjeshke-darande-israel-hackers-iran-steel-hacktivist/"},{"credibility":2,"name":"Large cyberattack on Iranian industrial sector targets three steel plants — Times of Israel","type":"news_article","url":"https://www.timesofisrael.com/large-cyberattack-on-iranian-industrial-sector-targets-three-steel-plants/"},{"credibility":2,"name":"Predatory Sparrow claim cyberattack on Iran's gas stations — CNBC","type":"news_article","url":"https://www.cnbc.com/2023/12/18/pro-israel-hackers-claim-cyberattack-disrupting-irans-gas-stations.html"},{"credibility":2,"name":"Iran points at Israeli-linked group as cyberattack disrupts fuel network — Al Jazeera","type":"news_article","url":"https://www.aljazeera.com/news/2023/12/18/iran-says-cyberattack-disrupts-petrol-stations-across-country"},{"credibility":2,"name":"Savvy Israel-linked hacking group reemerges amid Gaza fighting — CyberScoop","type":"news_article","url":"https://cyberscoop.com/predatory-sparrow-israel-gaza-cyber/"},{"credibility":1,"name":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","type":"research","url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"credibility":2,"name":"Pro-Israel hackers hit Iran's Nobitex exchange, burn $90M in crypto — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto/"},{"credibility":2,"name":"Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War — 
SecurityWeek","type":"news_article","url":"https://www.securityweek.com/predatory-sparrow-burns-90-million-on-iranian-crypto-exchange-in-cyber-shadow-war/"},{"credibility":1,"name":"Pro-Israel hackers take credit after $90 million stolen from Iran's largest crypto exchange — CNN","type":"news_article","url":"https://www.cnn.com/2025/06/18/middleeast/pro-israel-hackers-iran-crypto"},{"credibility":1,"name":"Pro-Israel hackers attack Iran's largest crypto exchange, destroying $90 million — NBC News","type":"news_article","url":"https://www.nbcnews.com/world/middle-east/hackers-attack-irans-largest-crypto-exchange-destroying-90-million-rcna213920"},{"credibility":2,"name":"Explained: The Nobitex Hack (June 2025) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-nobitex-hack-june-2025"},{"credibility":1,"name":"Predatory Sparrow's operations against Iranian financial cyber infrastructure (2025) — CCDCOE Cyber Law Toolkit","type":"other","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow%E2%80%99s_operations_against_Iranian_financial_cyber_infrastructure_(2025)"},{"credibility":1,"name":"Predatory Sparrow operation against Iranian steel maker (2022) — CCDCOE Cyber Law Toolkit","type":"other","url":"https://cyberlaw.ccdcoe.org/wiki/Predatory_Sparrow_operation_against_Iranian_steel_maker_(2022)"},{"credibility":2,"name":"Predatory Sparrow Hacks Iran's Financial System — Hudson Institute","type":"research","url":"https://www.hudson.org/cybersecurity/predatory-sparrow-hacks-irans-financial-system-michael-doran-zineb-riboua"},{"credibility":2,"name":"Wartime cyberattack wiped data from two major Iranian banks — Iran International","type":"news_article","url":"https://www.iranintl.com/en/202507192001"},{"credibility":2,"name":"Pro-Israel hacktivist group claims responsibility for alleged Iranian bank hack — 
TechCrunch","type":"news_article","url":"https://techcrunch.com/2025/06/17/pro-israel-hacktivist-group-claims-responsibility-for-alleged-iranian-bank-hack/"},{"credibility":1,"name":"OFAC Sanctions Nobitex and Iranian Cryptocurrency Exchanges — Chainalysis","type":"regulatory","url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"},{"credibility":1,"name":"U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors — BleepingComputer","type":"regulatory","url":"https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/"},{"credibility":2,"name":"US sanctions Nobitex, Iran's largest cryptocurrency exchange — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2026/06/02/u-s-sanctions-iranian-crypto-exchanges-in-ongoing-war-against-country"},{"credibility":2,"name":"Predatory Sparrow: Inside the Cyber Warfare Targeting Iran's Critical Infrastructure — Picus Security","type":"research","url":"https://www.picussecurity.com/resource/blog/predatory-sparrow-inside-the-cyber-warfare-targeting-irans-critical-infrastructure"},{"credibility":2,"name":"Analysis: Gonjeshke Darande attack on Iran's Nobitex — Outpost24","type":"research","url":"https://outpost24.com/blog/gonjeshke-darande-attacks-iranian-nobitex/"},{"credibility":2,"name":"2021 Iranian fuel cyberattack — Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/2021_Iranian_fuel_cyberattack"},{"credibility":2,"name":"Iran's largest crypto exchange enables IRGC to move millions despite sanctions — Times of Israel","type":"news_article","url":"https://www.timesofisrael.com/irans-largest-crypto-exchange-enables-irgc-to-move-millions-despite-sanctions/"},{"credibility":2,"name":"Israel hacks Iranian crypto exchange for $90 million — 
Fortune","type":"news_article","url":"https://fortune.com/crypto/2025/06/18/nobitex-gonjeshke-darande-predatory-sparrow-iran-israel-hack/"},{"credibility":2,"name":"Predatory Sparrow massively disrupts steel factories while keeping workers safe — Malwarebytes / ThreatDown","type":"research","url":"https://www.threatdown.com/blog/predatory-sparrow-massively-disrupts-steel-factories-while-keeping-workers-safe/"},{"credibility":2,"name":"Hacktivist Group Gonjeshke Darande Attacks Iranian Steel Companies — Anvilogic","type":"research","url":"https://www.anvilogic.com/threat-reports/iranian-steel-firms-attacked"},{"credibility":2,"name":"Wiper Used in Attack on Iran National Media Network — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/wiper-used-attack-iran-national-media-network/"}],"summary":"Predatory Sparrow, known in Persian as Gonjeshke Darande, is a hacking group active since at least July 2021 that has claimed responsibility for a series of destructive cyberattacks against Iranian critical infrastructure, financial institutions, and cryptocurrency exchanges. The group is widely believed by security researchers, Israeli media, and anonymous U.S. defense officials to have links to the Israeli government, though Israel has never formally acknowledged any connection. 
Their operations are politically motivated, targeting entities alleged to support Iran's Islamic Revolutionary Guard Corps (IRGC) and facilitate sanctions evasion, and have extended directly into the cryptocurrency space with the June 2025 destruction of approximately $90 million in digital assets stolen from Iran's largest crypto exchange, Nobitex.","timeline":[{"date":"2021-07-09","event":"Predatory Sparrow disrupts Iran's national railway system using Meteor wiper malware, displaying mocking messages on station boards directing passengers to call Supreme Leader Khamenei's office.","source":"SentinelLabs MeteorExpress Analysis","source_url":"https://www.sentinelone.com/labs/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/"},{"date":"2021-07-10","event":"Group attacks website of Iran's Ministry of Roads and Urban Development, one day after the railway attack.","source":"Predatory Sparrow — Wikipedia","source_url":"https://en.wikipedia.org/wiki/Predatory_Sparrow"},{"date":"2021-10-26","event":"Major cyberattack disrupts approximately 4,300 Iranian fuel stations (roughly 80% of national total), disabling subsidized fuel payment systems and hijacking highway billboards. Group claims responsibility; anonymous U.S. defense officials later attribute the operation to Israel.","source":"2021 Iranian Fuel Cyberattack — Wikipedia","source_url":"https://en.wikipedia.org/wiki/2021_Iranian_fuel_cyberattack"},{"date":"2022-01-27","event":"Group claims responsibility for a wiper attack against Islamic Republic of Iran Broadcasting (IRIB), Iran's national public broadcaster.","source":"Wiper Used in Attack on Iran National Media Network — SecurityWeek","source_url":"https://www.securityweek.com/wiper-used-attack-iran-national-media-network/"},{"date":"2022-06-27","event":"Coordinated cyberattacks hit three Iranian steel companies (Khuzestan Steel, Mobarakeh Steel, Hormozgan Steel) affiliated with the IRGC. 
Video footage of equipment damage, including a fire caused by molten steel spillage, is released. Khuzestan Steel suspends operations. Alleged internal documents are leaked.","source":"Iranian steel facilities suffer apparent cyberattacks — CyberScoop","source_url":"https://cyberscoop.com/iran-cyberattack-israel-hacktivist-steel-ics/"},{"date":"2023-10-10","event":"Group reemerges after a nine-month hiatus, posting 'Do you think this is scary? We returned' on Telegram and X, coinciding with the aftermath of the October 7 Hamas attack on Israel.","source":"Savvy Israel-linked hacking group reemerges amid Gaza fighting — CyberScoop","source_url":"https://cyberscoop.com/predatory-sparrow-israel-gaza-cyber/"},{"date":"2023-12-18","event":"Attack disrupts approximately 70% of Iranian gas stations during the December 2023 campaign. Iranian Oil Minister Javad Owji confirms the disruption. Group states the attack is in response to Islamic Republic aggression and its regional proxies.","source":"Predatory Sparrow claim cyberattack on Iran's gas stations — CNBC","source_url":"https://www.cnbc.com/2023/12/18/pro-israel-hackers-claim-cyberattack-disrupting-irans-gas-stations.html"},{"date":"2025-06-17","event":"Group claims to have attacked Bank Sepah, an Iranian state-owned bank with alleged IRGC ties, deploying wiper malware to destroy data at the primary data center. ATM and mobile banking services are disrupted across Iran. Operation occurs amid active Israel-Iran missile exchanges.","source":"Pro-Israel hacktivist group claims responsibility for alleged Iranian bank hack — TechCrunch","source_url":"https://techcrunch.com/2025/06/17/pro-israel-hacktivist-group-claims-responsibility-for-alleged-iranian-bank-hack/"},{"date":"2025-06-18","event":"Group breaches Nobitex, Iran's largest cryptocurrency exchange, stealing approximately $90 million across multiple blockchains including Bitcoin, Ethereum, Dogecoin, XRP, Solana, Tron, and TON. 
Rather than retaining the funds, the group burns them by transferring to inaccessible vanity addresses bearing the phrase 'F*ckIRGCterrorists.' Elliptic confirms the breach and identifies Nobitex's prior transactions with IRGC-linked, Hamas-linked, and Houthi-linked wallets.","source":"Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group — Elliptic","source_url":"https://www.elliptic.co/blog/iranian-crypto-exchange-nobitex-hacked-pro-israel-group"},{"date":"2025-07-19","event":"Reports confirm that wartime cyberattacks wiped data from two major Iranian banks, Sepah and Pasargad, with Sepah's primary data center going dark and stored data apparently corrupted.","source":"Wartime cyberattack wiped data from two major Iranian banks — Iran International","source_url":"https://www.iranintl.com/en/202507192001"},{"date":"2026-06-02","event":"OFAC formally designates Nobitex and three other Iranian crypto exchanges (Wallex, Bitpin, Ramzinex) for sanctions evasion and terrorist financing, actions that analysts noted were compounded by on-chain evidence surfaced during and after the Predatory Sparrow breach.","source":"OFAC Sanctions Nobitex and Iranian Cryptocurrency Exchanges — Chainalysis","source_url":"https://www.chainalysis.com/blog/ofac-sanctions-iranian-crypto-exchanges-june-2026/"}]},"v":1}