September 3, 2025
Two coordinated cyberattacks by a hacker group known as Predatory Sparrow have caused extensive damage to Iran’s financial systems in a fast-growing digital confrontation between Iran and Israel. The group, known in Farsi as Gonjeshke Darande, targeted Sepah Bank, one of the most powerful financial institutions in Iran, and Nobitex, the biggest bitcoin exchange in the nation. These were not routine data leaks or ransom demands. Rather, the hackers concentrated on wiping out data and burning assets, thereby attacking the core of Iran’s economic survival systems.
The most concerning disclosure came from Elliptic, a top blockchain analytics company. Its research indicates that over $90 million in digital assets were transferred from Nobitex wallets to custom blockchain addresses containing phrases like “FuckIRGCterrorists.” Dramatic as they look, transfers to these vanity addresses are irreversible. This indicates that the assets were deliberately destroyed rather than merely moved. “The crypto they stole has essentially been burned,” Elliptic co-founder Tom Robinson remarked. “The hackers quite obviously have political rather than financial motives.”
Predatory Sparrow’s public statement made its motive clear. The group accused Nobitex of supporting terrorism and allowing the Iranian government to evade international sanctions. “These cyberattacks are the outcome of Nobitex being a main regime tool for financing terrorism and violating sanctions,” the group said. “Your assets are vulnerable when you assist with regime terror financing and sanction violation infrastructure.”
Elliptic supported these accusations with evidence connecting Nobitex to sanctioned Islamic Revolutionary Guard Corps (IRGC) agents, Hamas, the Houthi rebels, and Palestinian Islamic Jihad. This paints a damaging picture of a crypto platform that for years went unnoticed as a main player in Iran’s sanctioned financial network.
Nobitex was only one target, though. Predatory Sparrow announced another strike that same day, this one directed against Sepah Bank. Citing Sepah’s cooperation with the IRGC, the group asserted that it had erased all of the bank’s data. To support the claim, the hackers uploaded documents allegedly containing financial agreements between Sepah and Iran’s military establishments. Their warning was direct: “Caution: Your long-term financial situation suffers when you support the instruments of the government for avoiding sanctions and fund its nuclear program and ballistic missiles. Next? Who?”
Sepah Bank’s website went dark following the attack, but it was back up soon after. Nobitex, on the other hand, stayed offline, and the exchange said nothing. Iranian officials and media have stayed mostly silent as the public works through the effects.
Hamid Kashfi, a cybersecurity researcher based in Sweden and founder of the company DarkCell, is one person who has heard directly from people on the ground. According to his contacts in Iran, Sepah’s related online banking and ATM systems have been unreachable since the cyberattack started. “There’s a lot of collateral damage here,” Kashfi remarked. “It just seems to be straightforward, damaging, and chaotic. Every day, these services are relied upon by millions of ordinary people.”
This behavior is consistent with Predatory Sparrow’s record. The group has already been blamed for some of the most disruptive cyberattacks in Iran’s history, including the shutdown of thousands of gas station payment systems, a cyberattack on the national railway network, and a 2022 incident in which industrial controls were manipulated and a steel mill caught fire. That last attack was not only destructive; it almost claimed lives.
Although Predatory Sparrow claims to be an Iranian resistance group, analysts think the sophistication and breadth of their attacks point to involvement or direct support from Israel’s military or intelligence services. Their ability to coordinate high-impact strikes, wipe data without a trace, and compromise high-security systems points to state-level capability.
John Hultquist, chief analyst at Google’s threat intelligence division, confirmed as much. “This actor is really competent and serious,” he said. “Many of the actors will be making threats. This one can carry out those threats.”
The attack on Nobitex in particular points to a significant change in cyberwarfare. Instead of stealing money for profit, the hackers essentially burned Iran’s digital workaround for sanctions. Losing such a major crypto channel could have serious long-term consequences for a nation already struggling under financial pressure.
What comes next is still unknown. Predatory Sparrow concluded its message with a threat: “Who’s next?” Iran, and anyone supporting its shadow financial network, should not take that question lightly, because the message was not just symbolic. It was burned permanently into the blockchain.





