In a major cyber strike that’s sending shockwaves through both the cryptocurrency and geopolitical worlds, an anti-Iranian hacking group known as Gonjeshke Darande, or “Predatory Sparrow”, claimed responsibility for destroying nearly $90 million in cryptocurrency from Nobitex, one of Iran’s largest crypto exchanges.
The attack took place early Wednesday and comes just a day after the group claimed it wiped data from Iran’s state-owned Bank Sepah, as tensions escalate between Iran and Israel. While Israel has never formally acknowledged ties to the group, Israeli media widely describes Predatory Sparrow as “Israel-linked.”
Targeting Iran’s Digital Frontline
Nobitex, based in Tehran, is a major player in Iran’s crypto economy and has long been accused of helping the Iranian government bypass international sanctions. In a post on social media, the hackers alleged that Nobitex facilitates illicit global operations for Iran, specifically for groups like Hamas, Palestinian Islamic Jihad, and Yemen’s Houthis — all of which are hostile toward Israel.
According to blockchain analytics firms TRM Labs and Elliptic, the hackers drained roughly $90 million worth of crypto from Nobitex wallets. But instead of trying to profit, the stolen funds were moved into wallets that are essentially unspendable, a process known as “burning.” This effectively destroyed the funds permanently, sending what analysts believe is a political message to Iran’s regime and its elite Islamic Revolutionary Guard Corps (IRGC).
“This wasn’t about the money — it was a direct message to Nobitex and the IRGC,” said Andrew Fierman, head of national security intelligence at Chainalysis. “We’ve previously observed IRGC-linked actors using Nobitex to launder funds.”
Nobitex Responds With Silence
As of Wednesday afternoon, Nobitex’s website was offline, and attempts to contact the company via Telegram received no response. In a brief statement posted on X (formerly Twitter), the platform confirmed it had taken both its app and website offline due to “unauthorized access.”
Elliptic later released a blog post providing blockchain evidence that Nobitex had previously interacted with wallets tied to sanctioned militant groups, confirming suspicions raised in a 2024 letter from U.S. Senators Elizabeth Warren and Angus King. The letter had cited earlier Reuters investigations linking the exchange to Iranian sanctions evasion.
A Pattern of High-Impact Hacks
Predatory Sparrow has a track record of large-scale, high-impact attacks. In 2021, the group crippled Iran’s national fuel distribution network, causing chaos at gas stations across the country. A year later, it hacked an Iranian steel plant, causing a massive fire and widespread damage.
This latest cyberattack stands out not just for its financial scale, but for its symbolic intent. By burning nearly $90 million rather than stealing it, the hackers appear to be sending a chilling reminder to Iran’s cyber infrastructure and financial networks: you are being watched, and you are vulnerable.
