More than $90 million in Bitcoin, Ether, Dogecoin and other coins vanished from Iran’s Nobitex exchange as hackers tied to the Israeli-linked Predatory Sparrow group took credit for an audacious strike that thrust the Israel-Iran cyber shadow war onto center stage.
Investigators say the hackers siphoned Bitcoin, Ether, Dogecoin and five other coins from Iran’s largest cryptocurrency bank and dumped them into vanity blockchain wallets with addresses that taunted Iran’s Islamic Revolutionary Guard Corps.
The Predatory Sparrow hackers then burned the assets by sending them to addresses for which no private key is known, leaving the funds permanently unspendable. In one stroke, the attackers vaporized more than $90 million in value and exposed source code the exchange had guarded for years, Chainalysis said in a bulletin published Thursday.
The stunning $90 million destruction marks a brazen escalation in the covert cyber war that has simmered between Israel and Iran for more than a decade.
Nobitex is the biggest cryptocurrency exchange in Iran and a central pillar of the country’s digital asset ecosystem. Operating in a heavily sanctioned environment, it has become the go-to platform for Iranian users seeking access to global crypto markets, facilitating the majority of on-chain exchange activity originating in the country.
The cryptocurrency destruction came just 24 hours after Predatory Sparrow claimed it used cyber means to erase data and cripple services at Iran’s state-owned Bank Sepah, briefly snarling fuel and payment systems around the country.
Iranian officials publicly acknowledged “technical disruptions” but blamed foreign “sabotage cells” without naming Israel. These high-profile hacks are happening alongside Israel’s kinetic strike on Iranian nuclear and missile sites that began June 13 and triggered Tehran’s first direct missile barrage at Tel Aviv two days later.
“While this is the first hack of this scale exclusively for geopolitical purposes, this is not the first time there’s been increased activity during windows of high geopolitical tensions between Israel and Iran,” Chainalysis said.
The hacks are causing chaos in Iran, according to numerous reports. The Central Bank has ordered every domestic crypto platform to restrict operating hours to daylight, beef up cold-storage safeguards and report large transfers in real time.
Chainalysis said blockchain data shows Nobitex had moved more than $11 billion in assets in recent years and served wallets tied to Iran’s government, Hamas-affiliated Gaza Now media, and sanctioned Russian exchanges like Garantex and Bitpapa.
Predatory Sparrow, publicly documented as a hacktivist group, was previously linked to a 2022 malware attack on an Iran steel company and a 2021 intrusion that shut down 4,000 gas stations and splashed Supreme Leader Ayatollah Khamenei’s images across disabled pumps. The group has also used wiper malware in hits against Iran’s national media network.
Security researchers say cyberattacks from Tehran have been muted, despite security vendor Radware reporting a massive spike in Iranian-linked DDoS and wiper attacks against Israeli ministries, universities and hospitals since the airstrikes began.
The US government’s cybersecurity agency CISA has long warned that Iranian hackers can cause major damage to critical infrastructure. In November 2023, the agency said Iranian hackers using the persona “CyberAv3ngers” began actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs).
In the US, organizations are cautiously bracing for blowback, noting that Iranian actors have been caught enabling ransomware attacks against Western countries.
Two national information-sharing groups (IT-ISAC and Ag-ISAC) issued memos this week urging members to be on high alert for network probes and other signs of intrusion.
“Now is the time for companies to become familiar with Iranian-affiliated threat actors and their TTPs, assess their own cybersecurity posture, strengthen their defenses, begin heightened monitoring for suspicious activity, and remind employees to report suspicious emails and links,” the Food and Agriculture ISAC said.
“Even attacks not directly targeting the US could have indirect effects and cause disruptions to companies [here]. Given the interconnectedness of networks, it is possible that cyber attacks targeting Israel itself could cause collateral damage to U.S. companies, even if the U.S. companies themselves are not the intended target,” it added.
