Predatory Sparrow Claims Wipeout of $90 Million in Nobitex Hack

Arabian Post

5 hours ago

Hackers claiming affiliation with Predatory Sparrow, possibly linked to Israel, have executed a cyber‑strike against Nobitex, Iran's leading cryptocurrency exchange, erasing approximately $90 million worth of digital assets. The assault began in the early hours of 18 June 2025, when the group transferred diverse cryptocurrencies—including Bitcoin, Ethereum and Dogecoin—into vanishing crypto‑wallets designed without private keys, effectively 'burning' the funds to send a deliberate political message.
Blockchain analytics firms, including Elliptic and TRM Labs, analysed the transactions and found the emptied addresses bore anti‑IRGC messages, confirming the operation was ideologically motivated rather than financially driven. Elliptic noted that the assets were moved into vanity addresses with embedded slogans denouncing the IRGC, and that the group leaking the funds would not retain the keys, ensuring permanent loss.
Noble objective remains politically charged
ADVERTISEMENT
The group, using its Farsi‑named moniker Gonjeshke Darande—or 'Predatory Sparrow'—publicly accused Nobitex of facilitating Iran's sanctions evasion and funding militant groups, claiming the platform had enabled transactions for IRGC‑linked factions such as Hamas and Yemen's Houthis. Elliptic has traced past ties between Nobitex and IRGC‑affiliated actors, including sanctioned individuals like Amir Hossein Niakeen Ravari and Ahmad Khatibi Aghada.
The hack comes amid heightened Israel‑Iran tensions. Reports indicate that Predatory Sparrow also targeted Iran's state‑owned Bank Sepah on 17 June, triggering widespread service disruption, including to ATMs and fuel stations. Analysts interpret these cyber‑operations as extensions of conventional military retaliations between the two nations.
Nobitex disruptions raise alarm
Nobitex admitted to unauthorised access affecting both its app and website, temporarily shutting services while conducting assessments. Public updates from the exchange have been sparse, and customer inquiries have reportedly gone unanswered. Plans to recover or rebuild lost assets remain unclear, raising concerns among its claimed user base of over 7 million.
Despite accusations, Israel has not officially claimed responsibility. Media speculation within the country suggests government backing, but no formal confirmation has been issued. Predatory Sparrow, noted for previous impactful operations—from collapsing gas station networks in 2021 to prompting major fires at a steel mill in 2022—added this attack to its growing list of cyber engagements against Iranian infrastructure.
Impact and implications for crypto ecosystem
Cyber‑security analysts have labelled the hack 'particularly significant given the comparatively modest size of Iran's cryptocurrency market,' with Chainalysis intelligence chief Andrew Fierman underscoring the political overtones. The operation exemplifies how digital currencies and blockchain platforms are becoming tactical assets and vulnerabilities within geopolitical conflicts.
U.S. legislators, including Senators Elizabeth Warren and Angus King, previously raised concerns over Nobitex's facilitation of sanctions avoidance, highlighting its role in enabling Iran's IRGC and related proxies to move financial resources. This attack may intensify scrutiny on crypto exchanges suspected of abetting questionable transactions in sanctioned jurisdictions.
Decline of Iran's crypto defences
Crypto adoption in Iran has long served as a hedge against economic instability, with citizens and state‑linked groups alike using digital currencies to escape inflationary pressures and circumvent banking restrictions. Nobitex, in particular, developed significant traction, drawing millions of users seeking alternative financial tools.
However, analysts warn this sabotage could erode investor trust, disrupt public confidence in digital assets, and invite heightened regulatory oversight. Exchanges in politically sensitive regions may now face new security standards and sanctions compliance demands.
A new frontier in cyber‑warfare
This development underlines a shift where cyber‑warfare transcends state boundaries, now targeting third‑party financial networks with tangible consequences. By obliterating rather than stealing funds, Predatory Sparrow signalled that its operation aimed to disrupt Iran's crypto‑financing rather than profit from it.
Officials tracking these patterns warn that similar tactics may emerge as cyber‑tools of statecraft evolve, affecting financial systems across volatile regions. Experts suggest exchanges handling high‑risk jurisdictions should shore up defences and improve transparency around asset provenance and network resilience.
As Nobitex works to restore functionality, regulators, crypto stakeholders and intelligence services will closely examine the incident. The breach draws attention to the critical role of exchanges in global geopolitics, raising complex questions about neutrality, compliance and cybersecurity in an increasingly fraught digital economy.