A hacking group reportedly connected to Israel has claimed responsibility for a cyberattack on Iran’s largest cryptocurrency exchange, Nobitex, destroying nearly $90 million (£71 million) in digital assets.
The group, known as Gonjeshke Darande or “Predatory Sparrow,” also threatened to release the platform’s source code in what analysts say is a politically motivated act of cyberwarfare.
The attack, which took place in the early hours of Wednesday, marks the second such operation by the group within 48 hours.
On Tuesday, Gonjeshke Darande claimed to have crippled data systems at Iran’s state-owned Bank Sepah amidst rising tensions and ongoing missile exchanges between Israel and Iran.
Nobitex, the Tehran-based crypto platform, is alleged by the hackers to facilitate sanctions evasion and illicit financing for the Iranian regime, including ties to the Islamic Revolutionary Guard Corps (IRGC).
Blockchain research firm TRM Labs confirmed that approximately $90 million in cryptocurrency had been transferred to hacker-controlled wallets, with the attackers publicly denouncing the IRGC.
Cybersecurity firm Elliptic noted that the hackers appear to have intentionally rendered the stolen funds inaccessible – effectively “burning” the assets as a form of political messaging rather than profit.
As of Wednesday, Nobitex’s official website was offline, with the company acknowledging “unauthorised access” in a statement on X (formerly Twitter). Attempts to contact the firm via its Telegram support channel went unanswered, and Gonjeshke Darande has yet to respond to media inquiries.
The group is known for previous high-impact cyberattacks against Iranian infrastructure, including a 2021 incident that disabled petrol stations across the country and a 2022 strike on a steel mill that caused a major fire.
Although the Israeli government has not formally confirmed any connection, local media have widely reported Gonjeshke Darande as being backed by Israeli intelligence.
Further analysis from Elliptic reveals that Nobitex has previously processed transactions involving wallets linked to hostile groups such as Hamas, Palestinian Islamic Jihad, and Yemen’s Houthi rebels.
In May 2024, US Senators Elizabeth Warren and Angus King expressed concern over Nobitex’s role in enabling Iranian sanctions evasion in a letter to President Biden’s top officials, citing past investigative reporting.
Andrew Fierman, Head of National Security Intelligence at Chainalysis, told Reuters the evidence strongly indicates a geopolitical motive behind the breach. “We’ve previously observed IRGC-linked ransomware actors cashing out through Nobitex,” Fierman noted.
