- calendar_today September 3, 2025
Following one of the most damaging cyberattacks in the history of Iran, its financial system is in disarray. The Israel-linked hacker group Predatory Sparrow revealed on Wednesday that it had conducted two significant attacks—one on Sepah Bank, a big financial institution connected to the Iranian military, and another on Nobitex, the leading cryptocurrency exchange. The attacks were not only disruptive; they were meant to destroy, so as to convey to Tehran and the world the rising relevance of cyberwarfare.
For Nobitex, the attack was unheard of. Unlike most cyberattacks meant to pilfer digital assets, this one had a rather different objective: destruction. A London-based blockchain analytics company called Elliptic claims that hackers purposefully burned almost $90 million in bitcoin. The digital assets were transferred to a sequence of unrecoverable wallet addresses—vanity wallets—that carried inflammatory language like “FuckIRGCterrorists.” These wallets are made such that once money is moved to them, the assets are essentially gone permanently.
Co-founder of Elliptic, Tom Robinson, verified the rare character of the attack. “The hackers obviously have political rather than financial motives,” he said. “The crypto they grabbed has essentially burned.” Predatory Sparrow claimed in its public post that Nobitex was a “key regime tool” used by the Iranian government to evade sanctions and direct funds to militant groups. They cautioned consumers that hanging around sites endorsing regime-linked activity puts assets in grave danger.
Elliptic’s investigation supported these assertions by exposing links between Nobitex and approved organizations, including IRGC agents, Hamas, Yemen’s Houthi rebels, and the Palestinian Islamic Jihad. Moving to burn crypto instead of stealing marks a fresh, symbolic front in cyber conflict—a digital protest with financial consequences.
The second component of the cyber assault landed much closer. Declaring to have erased all of Sepah Bank’s internal data, Predatory Sparrow said it had attacked the bank. The group distributed allegedly supporting documentation showing Sepah engaged in financial transactions with the Islamic Revolutionary Guard Corps (IRGC). Besides these revelations came another sinister warning: “Caution: Your long-term financial situation suffers when you support the instruments of the government for avoiding sanctions and fund its nuclear program and ballistic missiles. Who next?
Sepah Bank’s website went down in the aftermath, but then seemed to come back. But Nobitex stayed out of reach. Neither institution has publicly responded to the assaults; their silence has only encouraged rumors on the whole extent of the damage.
One already senses the civilian effect. Living in Sweden and starting the company DarkCell, Iranian cybersecurity researcher Hamid Kashfi said that contacts inside Iran claimed that Sepah’s online banking services and ATMs were down, depriving many Iranians of access to their own money. “There’s a lot of collateral damage,” Kashfi remarked. “It just seems to be straightforward, damaging, and chaotic.” Indeed, they assist the military with services. They also do for millions of ordinary people, though.
The cyber CV of Predatory Sparrow is absolutely nasty. In a 2022 operation, the group took over the systems of a steel plant, resulting in molten steel spilling and almost killing workers in a fiery blaze. Previously, the group disabled gas station systems across Iran, wrecked railway networks. Considered among the most physically dangerous cyberattacks ever documented, that attack is also shown in a video uploaded by the group.
Though Predatory Sparrow presents itself as a domestic Iranian resistance group, cybersecurity experts mostly agree that the group has close ties to Israel’s military or intelligence services. Their sophisticated activities and sensitive targets point especially to a degree of access and coordination outside the reach of regular hacktivists.
“This actor is really serious and very capable,” said Google’s threat intelligence division chief analyst John Hultquist. Many of the performers will be making threats. This one can carry through on those threats.
Predatory Sparrow’s message goes not only to the Iranian government but also to those backing or interacting with its financial wings. These are deliberate acts of cyberwarfare, meant to disable Iran’s infrastructure and warn others of the repercussions of affiliation—they are not random cyberattacks. One thing is obvious as the area keeps heating militarily and politically: the war is no longer limited to the borders. On screens, servers, and blockchains, it is playing out.





