
Latest news with #GonjeshkeDarand

Pro-Israel Hackers Steal $90 Million From Iran Crypto Exchange, Leak Source Code

News18

6 hours ago


The leaked files include blockchain scripts, internal privacy settings, and server lists, seriously weakening Nobitex's cybersecurity.

A pro-Israel hacker group has claimed responsibility for a major cyberattack on Nobitex, Iran's largest cryptocurrency exchange, saying they have stolen over $90 million and exposed the company's entire source code. The group, Gonjeshke Darande — also known as 'Predatory Sparrow' — released the data on Thursday, claiming Nobitex was helping to fund Iran's military and bypass Western sanctions. The leak came just a day after the group had threatened to publish the code if their demands were not met.

But before that, let's meet Nobitex from the inside: Exchange Deployment (1/8) — Gonjeshke Darande (@GonjeshkeDarand) June 19, 2025

Blockchain analysis firms confirmed that the stolen funds were moved to wallets carrying messages critical of Iran's Revolutionary Guard. Experts say the act was politically motivated, not financial. According to a blog post by analytics firm Elliptic, the hackers 'effectively burned the funds' as a form of protest.

The leaked files include blockchain scripts, internal privacy settings, and server lists, seriously weakening Nobitex's cybersecurity. The platform's app and website went offline shortly after the leak.

Gonjeshke Darande accused the exchange of supporting Iran's nuclear programme and facilitating money transfers to sanctioned groups such as Hamas and Yemen's Houthis. Elliptic also reported links between relatives of Iran's Supreme Leader Ayatollah Ali Khamenei and the exchange, as well as evidence of use by sanctioned Revolutionary Guard operatives.

The hackers have a history of launching sophisticated attacks on Iran. In 2021, they disrupted fuel stations across the country, and in 2022, they targeted a steel mill, causing a major fire. Earlier this week, the group claimed to have destroyed data from Bank Sepah, a key Iranian state-owned bank.

The latest cyberattack comes amid rising tensions between Israel and Iran, now in the second week of direct conflict following Israeli strikes on Iranian military sites and nuclear facilities. Iran responded with missile attacks, intensifying fears of wider regional war.

While Israeli media have linked Gonjeshke Darande to the Israeli government, there has been no official confirmation. However, the scale and precision of the attack suggest possible state-level support.

(With inputs from agencies)

Location: Israel
First Published: June 19, 2025, 17:23 IST

Predatory Sparrow: The pro-Israel group that stole $90 million from Iran's biggest crypto exchange

First Post

11 hours ago


A shadowy hacking group calling itself Predatory Sparrow has claimed responsibility for a devastating cyberattack on Iran's top crypto exchange, Nobitex, wiping out over $90 million. Allegedly linked to Israel, the group's actions come amid mounting regional tensions and follow earlier attacks on Iranian banks and steel plants.

A hacking group calling itself Predatory Sparrow — or Gonjeshke Darande in Persian — has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack, which reportedly took place on Wednesday (June 18, 2025), led to the removal or irreversible 'burning' of roughly $90 million in digital assets.

The incident marks yet another high-profile operation by the shadowy group, believed to be connected to Israeli interests, as part of a sustained digital offensive against Iranian financial and infrastructure systems.

This targeted strike on Iran's cryptocurrency backbone follows an attack a day earlier on Iran's state-run Bank Sepah, also claimed by the same group, and comes

How Nobitex was compromised

In the early morning hours of Wednesday, cryptocurrency holdings amounting to nearly $90 million were siphoned from Nobitex's systems and moved into wallets controlled by the hackers. TRM Labs, a blockchain forensics firm, confirmed the movement of funds and reported that the wallets used to receive the stolen cryptocurrency contained messages denouncing the Islamic Revolutionary Guard Corps (IRGC).

12 hours ago 8 burn addresses burned $90M from the wallets of the regime's favorite sanctions violation tool, Nobitex. 12 hours from now The source-code of Nobitex will be open to the public, and Nobitex's walled garden will be without walls. Where do you want your assets to be?… — Gonjeshke Darande (@GonjeshkeDarand) June 18, 2025

Soon after, the Nobitex website went offline. The company acknowledged 'unauthorised access' and stated via X that it had deactivated both its website and mobile application while investigating the breach. Attempts to reach Nobitex through its Telegram support channel yielded no response, and the hacker group also remained silent to media queries.

An analysis from blockchain security firm Elliptic later revealed a unique twist in the operation. The group reportedly transferred the stolen crypto into wallets that they themselves would be unable to access, essentially making the funds irretrievable. Elliptic concluded: 'The hackers effectively burned the funds in order to send Nobitex a political message.'

While the exact method of the breach remains undisclosed, this act of irreversible crypto 'burning' has highlighted the symbolic rather than monetary intention behind the attack. The goal, analysts say, appears to be damage to Iran's ability to use crypto infrastructure to circumvent sanctions, rather than personal enrichment.

What we know about Predatory Sparrow

Predatory Sparrow has developed a reputation for bold and destructive cyberattacks targeting the Iranian regime and its critical infrastructure. The group operates under a pseudonym that is widely interpreted as a linguistic counterpoint to 'Charming Kitten,' a well-known Iranian cyber-espionage unit. The choice of name is believed to indicate a direct adversarial stance against Iranian cyber operations.

Though no nation has publicly claimed association with Predatory Sparrow, several Israeli media reports have characterised the group as being aligned with Israeli strategic interests.
The Israeli government has officially maintained ambiguity regarding the group's ties to the state, though in 2022, media leaks following a major cyberattack on Iranian steel infrastructure prompted then-Defence Minister Benny Gantz to order an internal probe into potential breaches of Israel's covert operations policy.

The group has left a long trail of notable digital attacks:

  • June 2022 steel factory incident: Predatory Sparrow claimed responsibility for a cyber operation that disrupted three Iranian steel plants. The group released video footage purportedly showing the moment molten steel spewed from a machine, causing a fire. CCTV footage captured factory workers evacuating the site, followed by scenes of the blaze being doused with hoses. The hackers stated on Telegram: 'These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber-attacks, being carried out carefully to protect innocent individuals.'
  • October 2021 fuel system hack: The group claimed responsibility for taking down Iran's national fuel payment infrastructure. They also hacked into roadside digital billboards to display the message: 'Khamenei, where is our fuel?' — a direct reference to Iran's Supreme Leader, Ayatollah Ali Khamenei. Iranian emergency services were reportedly warned in advance to mitigate chaos.
  • Railway system disruption: In another public operation, hackers caused significant delays and confusion by tampering with Iran's national train station displays. Information boards were hijacked to inform passengers of delays and cancellations and suggested they contact Khamenei directly.
  • Code similarities with Indra: Cybersecurity firm Check Point found that some of the malware used by Predatory Sparrow contained code resembling that of another anti-Iranian group, Indra, which conducted a July 2021 attack on Iranian train systems.

These incidents suggest that Predatory Sparrow may be a tightly regulated and disciplined team of military-grade hackers. Their actions appear to involve careful planning, timing and in some cases, even forewarning of emergency services to avoid civilian casualties — characteristics often associated with state-sponsored operations.

Why Nobitex was targeted

The crypto platform has been under scrutiny for its alleged role in helping the Iranian government and IRGC-affiliated actors launder funds and evade international sanctions. Nobitex's reported financial transactions have shown linkages to cryptocurrency wallets operated by organisations such as Hamas, Palestinian Islamic Jihad and Yemen's Houthis — all entities hostile to Israel.

A 2022 investigative report by Reuters highlighted Nobitex's links to these groups and its use as a platform for Iran's illicit financial operations.

In May 2024, US Senators Elizabeth Warren and Angus King raised concerns in a letter addressed to the Biden administration, calling for scrutiny over the platform's role in helping Iran bypass sanctions. The senators cited the Reuters report as supporting evidence.

Andrew Fierman, who heads national security intelligence at Chainalysis, confirmed in an email to Reuters that 'the value of the attack was roughly $90 million and that it was likely geopolitically motivated, given that the money was burned.' He added that Chainalysis had 'previously seen IRGC-affiliated ransomware actors leveraging Nobitex to cash out proceeds, and other IRGC proxy groups leveraging the platform.'

This growing body of financial and technical evidence suggests that the recent cyberattack on Nobitex was not an isolated incident but part of a long-standing effort to disable or expose the digital infrastructure underpinning Iran's shadow economy.

What we know about the Bank Sepah attack

Just a day prior to the Nobitex breach, Predatory Sparrow also claimed responsibility for another major operation — this time targeting Iran's Bank Sepah. The group claimed to have erased key data from the bank's systems. They posted on X: 'This is what happens to institutions dedicated to maintaining the dictator's terrorist fantasies.'

Destruction of the infrastructure of the Islamic Revolutionary Guard Corps 'Bank Sepah' We, 'Gonjeshke Darande', conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps' 'Bank Sepah'. 'Bank Sepah' was an institution that circumvented… — Gonjeshke Darande (@GonjeshkeDarand) June 17, 2025

Customers in Iran reportedly faced serious disruptions in accessing accounts, withdrawing funds, and using bank cards. Iranian media outlets warned that these problems could ripple out to the country's fuel distribution systems, which depend on Bank Sepah for processing transactions.

This assault marked a rare instance of a cyberattack affecting core financial infrastructure in the middle of a regional conflict, raising concerns about the cyber front of the ongoing Israel-Iran standoff. Bank Sepah was sanctioned by the US Treasury Department in 2018 for aiding Iran's Ministry of Defense and Armed Forces Logistics.

Experts have noted that while hackers often exaggerate their impact, the consequences of the attack on Bank Sepah appear to be both real and widespread. Former NSA official Rob Joyce commented on X: 'Disrupting the availability of this bank's funds, or triggering a broader collapse of trust in Iranian banks, could have major impacts there.'

With inputs from agencies
