Pro-Israel hackers take credit after $90 million stolen from Iran’s largest crypto exchange

Escalation in Cyberspace: Pro-Israel Hackers Strike Iran's Largest Crypto Exchange Amid Rising Tensions

The cyber front in the long-standing shadow war between Israel and Iran is heating up dramatically. In a series of impactful digital strikes this week, a group identifying itself as \"Predatory Sparrow\" has claimed responsibility for major disruptions targeting Iranian financial infrastructure, most notably hitting the country's largest cryptocurrency exchange.

The most significant incident unfolded on Wednesday when approximately $90 million worth of cryptocurrency was stolen from Nobitex, Iran's premier crypto exchange. Independent blockchain analysis firms quickly confirmed the substantial theft, tracing the funds' movement.

Predatory Sparrow, a pro-Israel hacking collective that has gained notoriety for previous attacks on Iranian infrastructure, swiftly took credit. In a public statement posted in Farsi on the platform X, the group asserted that the attack on Nobitex was justified because, they claimed, the exchange was being used by Iran to bypass international sanctions.

A peculiar and potentially unprecedented aspect of this hack, according to cybersecurity experts, is the fate of the stolen funds. Instead of attempting to cash out or retain control of the assets, the hackers reportedly transferred the cryptocurrency to digital wallets over which they apparently do not possess the private keys or control. These destination wallets were identified by crypto-tracking firms Elliptic and TRM Labs and were notably labeled with an expletive referencing Iran's Islamic Revolutionary Guard Corps (IRGC). This action suggests the primary motivation may not have been financial gain, but rather disruption and symbolic defiance, effectively destroying the value of the stolen crypto by rendering it inaccessible to anyone, including themselves.

Nobitex acknowledged the incident on its official website, announcing a precautionary suspension of exchange services until further notice as they address the breach. The disruption underscores the vulnerability of digital assets and financial platforms, especially in politically charged environments.

This attack on Nobitex was not an isolated event this week. Just the day prior, Predatory Sparrow claimed another successful operation targeting Iran's state-owned Bank Sepah. In that instance, the hackers stated they destroyed data within the bank's systems, justifying the action by alleging that IRGC members were users of the bank's services. The impact of this banking sector hack was quickly felt by ordinary citizens; reports from Tehran indicated widespread issues with ATM functionality, with a source telling CNN they found numerous machines non-functional or depleted of cash.

These coordinated and impactful cyberattacks represent a clear escalation in the digital conflict that has long simmered between Israel and Iran. Both nations, or groups aligned with them, have engaged in cyberespionage and disruptive attacks for years, seeking tactical advantages in their broader geopolitical struggle.

Further illustrating the breadth of the digital targeting, Iran's state-owned television broadcaster also experienced a hack on Wednesday. During this incident, footage was reportedly aired calling for a public uprising against the Iranian government. While there was no immediate claim of responsibility for the broadcaster hack, it aligns with the pattern of disruptive and psychologically impactful operations observed recently.

Predatory Sparrow has emerged as a significant player in this cyber theater over the past half-decade. Their previous claimed operations include disrupting an Iranian steel mill's operations and causing payment system failures at gas stations across the country. While the group portrays itself as anti-government Iranian hacktivists, the consensus among many cybersecurity experts is that the sophistication and targeting of their attacks strongly suggest ties to, or support from, Israeli intelligence or military cyber units.

The consequences of these attacks extend beyond the targeted entities and alleged IRGC connections. Hamid Kashfi, a cybersecurity expert specializing in the region, highlighted to CNN that attacks like the one on Nobitex inevitably impact ordinary Iranians. Amidst severe international sanctions and the economic pressures exacerbated by the current conflict, many Iranians have increasingly turned to cryptocurrency as a means of safeguarding assets and conducting transactions. The disruption and potential loss of funds from a major exchange directly harm these individuals.

Beyond direct infrastructure attacks, the cyber skirmishes also appear to be aimed at psychological warfare, sowing confusion and panic among populations. Recent examples include mass text messages sent to Israelis, falsely claiming bomb shelters were unsafe, and the Iranian government issuing warnings against using WhatsApp, alleging Israeli data collection – claims Meta, WhatsApp's parent company, has denied, emphasizing the platform's end-to-end encryption.

This week's events underscore the evolving nature of modern conflict, where digital battlegrounds are increasingly central to strategic objectives. The ability to disrupt financial systems, critical infrastructure, and public communication channels through cyber means offers potent, often deniable, levers of power in a heated geopolitical landscape. As tensions remain high, the digital domain is likely to continue being a primary arena for actions designed to exert pressure and cause disruption.