Israel-Linked Group Hacks Iranian Cryptocurrency Exchange in $90M Heist

The Crypto Report

Sophisticated Hackers Hit Iranian Crypto Exchange in $90M Heist, 'Burning' Funds Permanently

A hacking group calling itself "Predatory Sparrow" (Gonjeshke Darande) has claimed responsibility for a significant cyberattack targeting Iran, asserting a $90 million (£67 million) theft from the cryptocurrency exchange Nobitex and simultaneous data destruction at state-owned Bank Sepah.

This incident marks a dramatic escalation in cyber activities linked to regional geopolitical tensions, specifically between Israel and Iran. While there is no official confirmation of Predatory Sparrow's identity or nationality, the group is widely described in Israeli media as being Israel-linked.

According to analysis by Elliptic, a consultancy specializing in crypto-related crime, over $90 million in cryptocurrency was indeed transferred from Nobitex wallets to addresses controlled by the hackers. What sets this heist apart is the method used to handle the stolen funds: the hackers appear to have effectively "burned" the assets, rendering them permanently inaccessible.

How do you 'burn' $90 million in cryptocurrency? The hackers achieved this by sending the funds to "vanity addresses." These are cryptocurrency wallet addresses specifically crafted to contain recognizable patterns, in this case, variations of the term "F*ckIRGCterrorists." The critical detail is that the hackers claim to have stored the funds in these addresses *without* retaining the corresponding cryptographic private keys. Without the private key, accessing funds sent to any address, including a vanity address, is computationally infeasible. As one expert noted, it would take current computer technology billions of years to brute-force the key pairs needed to recover the funds.
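The following is an added example, not code from the article or from Elliptic's analysis. It assumes Bitcoin-style Base58Check addresses (the article does not say which address formats were used) and shows why a long readable string in an address indicates that no private key exists: grinding key pairs costs about 58 attempts per extra character, while a valid address can be built directly around chosen text without generating any key. The prefix `1BurnExampLe` and the rate of 10^9 keys per second are constructed values.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58_to_int(text):
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on 0, O, I, l
    return n

def checksum(body):
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58check_encode(body):
    raw = body + checksum(body)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * zeros + out

def is_valid_address(addr):
    """True if addr is canonical Base58Check: 1 version byte, 20-byte payload, 4-byte checksum."""
    try:
        raw = b58_to_int(addr).to_bytes(25, "big")
    except (ValueError, OverflowError):
        return False
    return raw[21:] == checksum(raw[:21]) and b58check_encode(raw[:21]) == addr

def keyless_address(prefix, filler="X"):
    """Build a valid address around chosen text. No key pair is generated, so the
    20-byte payload is a hash with no known public key behind it."""
    if not prefix.startswith("1") or len(prefix) > 26:
        raise ValueError("prefix must start with '1' and be at most 26 characters")
    for total in (34, 33):  # usual lengths of version-0 addresses
        n = b58_to_int(prefix.ljust(total, filler))
        if 184 < n.bit_length() <= 192:  # fits 24 bytes with a non-zero top byte
            addr = b58check_encode(n.to_bytes(25, "big")[:21])  # keep payload, fix checksum
            if addr.startswith(prefix):
                return addr
    raise ValueError("prefix does not fit a 20-byte payload")

def expected_grind_attempts(prefix):
    """Approximate key pairs to try before one hashes to this prefix (leading '1' is free)."""
    return 58 ** (len(prefix) - 1)

def years_to_grind(prefix, keys_per_second):
    return expected_grind_attempts(prefix) / keys_per_second / (365 * 24 * 3600)
```

For an analyst, the length of the readable text is the tell: a five-character prefix is within reach of key grinding, while a twelve-character one already costs centuries at the assumed rate, so an address carrying a full slogan was almost certainly built this way and is unspendable.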

By sending the funds to these publicly visible, yet inaccessible, addresses, Predatory Sparrow has not only deprived Nobitex of the assets but also made a clear, public, and seemingly irreversible political statement directly embedded within the blockchain transaction data.

The group announced their actions via posts on social media, stating they had targeted Nobitex and planned to release its source code and internal information. This suggests the attack went beyond mere financial theft and involved deep infiltration of the exchange's systems.

Simultaneously, Predatory Sparrow claimed to have "destroyed the data" of Bank Sepah, accusing the bank of providing financing to the Iranian military. This aspect of the attack targets a different pillar of the Iranian state, suggesting a broader agenda than purely financial gain.

Cybersecurity experts evaluating Predatory Sparrow's actions note characteristics often associated with government-backed operations. The sophistication of the attacks, the choice of targets (critical financial and military-linked institutions), and the clear political messaging embedded in the actions all point towards capabilities and motivations beyond typical criminal hacking groups.

One threat intelligence director highlighted that while concrete technical links proving state sponsorship are often elusive, the nature of the group's operations aligns strongly with the regional priorities of countries like Israel, making them plausible, though unconfirmed, candidates.

Nobitex acknowledged experiencing a "security incident" and stated they were actively working on a recovery plan, indicating the severity of the disruption caused by the hack.

In a related development, global internet activity trackers reported a near-total internet blackout across Iran around the same time. The outage initially raised suspicions, but Iranian government officials attributed the slowdown to efforts aimed at maintaining network stability and defending against cyberattacks. That account suggests the blackout was a defensive measure, possibly not directly related to the Predatory Sparrow incidents, rather than a consequence of the hacks themselves.

This dual attack on a cryptocurrency exchange and a state bank, coupled with the technically sophisticated method of 'burning' stolen funds for political messaging, underscores the evolving landscape of cyber warfare. It highlights how digital assets and financial infrastructure are increasingly becoming strategic targets in geopolitical conflicts. The incident serves as a stark reminder of the potential for state-aligned actors to leverage cyber capabilities for disruptive, politically charged operations that impact both financial systems and critical state functions.

For anyone involved in digital finance or observing international relations, this event demonstrates the critical intersection of technology, finance, and state-level conflict. The use of cryptocurrency as both a target and a medium for political communication in such sophisticated attacks demands close attention and robust defensive strategies.

Author bio: Daily crypto news
