Pro-Israel Hacking Group Destroys $90 Million in Cyberattack on Iran’s Top Crypto Exchange
An anti-Iranian hacking group believed to have ties to Israel claimed responsibility on Wednesday for a devastating cyberattack on one of Iran’s largest cryptocurrency exchanges, reportedly destroying nearly $90 million in digital assets and threatening to leak the platform’s source code.
The group, known as Gonjeshke Darande — or Predatory Sparrow — said it carried out the operation against Nobitex, a major crypto platform widely used in Iran. The incident marks the group’s second major attack in as many days. On Tuesday, the same hackers claimed they had wiped data from Iran’s state-owned Bank Sepah, amid a backdrop of escalating tensions and missile exchanges between Israel and Iran.
In a statement posted to its social media channels early Wednesday, Predatory Sparrow alleged that Nobitex was facilitating sanctions evasion and illicit financial activity for the Iranian government. Nobitex’s website was offline throughout the day, and attempts to contact the company via Telegram went unanswered. The group itself did not respond to external requests for comment.
In a post on X (formerly Twitter), Nobitex confirmed it had taken both its website and app offline while investigating what it described as “unauthorized access” to its systems.
Predatory Sparrow is a well-known hacking entity with a track record of sophisticated, politically motivated cyberattacks against Iranian infrastructure. Its past operations include a 2021 cyberattack that paralyzed gas stations across Iran and a 2022 breach that caused a fire at a steel facility.
While Israel has not officially acknowledged any link to the group, Israeli media have consistently referred to Predatory Sparrow as aligned with Israeli interests.
According to TRM Labs, a blockchain forensics firm, the attack began in the early morning hours with the transfer of funds from Nobitex wallets to hacker-controlled addresses. These wallets contained anti-IRGC (Islamic Revolutionary Guard Corps) messages, and the stolen crypto — totaling roughly $90 million — was effectively “burned,” meaning it was transferred to wallets with no recoverable access. Analysts at Elliptic, another blockchain analysis firm, noted that the funds appeared to have been intentionally destroyed to send a political message rather than for financial gain.
Elliptic also reported that Nobitex had a history of transacting with crypto wallets linked to hostile groups including Hamas, Palestinian Islamic Jihad, and Yemen’s Houthis — all adversaries of Israel.
U.S. lawmakers have taken notice. In a May 2024 letter to the Biden administration, Senators Elizabeth Warren and Angus King cited past Reuters investigations into Nobitex, raising concerns over the exchange’s role in facilitating Iranian efforts to evade international sanctions.
Andrew Fierman, head of national security intelligence at Chainalysis, confirmed to Reuters that the estimated value of the destroyed assets was about $90 million. He added that the action was “most likely geopolitically motivated,” given that the hackers deliberately rendered the funds inaccessible.
“Chainalysis has previously observed IRGC-linked ransomware actors using Nobitex to launder proceeds, along with other proxy groups aligned with the IRGC,” Fierman said.
The cyberattack represents another major flashpoint in the broader digital and proxy conflict playing out between Israel and Iran — one where cryptocurrency has become a key battleground.
