Iran’s financial infrastructure has been the target of a cyberattack with far-reaching effects. The perpetrator is the enigmatic and extremely proficient hacker collective Predatory Sparrow, which may have connections to Israel. In a daring double-strike, the group crippled Sepah Bank, a crucial financial pillar of the Islamic Republic, and destroyed Nobitex, Iran’s largest cryptocurrency exchange.

However, this was not your average cybercrime.

The group destroyed more than $90 million worth of assets on Nobitex rather than stealing cryptocurrency for financial gain. Blockchain analytics firm Elliptic claims that the money was transferred to “vanity” addresses, or wallets with unique names like “FuckIRGCterrorists,” from which it is impossible to recover the money. That cryptocurrency? Gone forever.

“This is very unusual,” Elliptic co-founder Tom Robinson stated. “The hackers had no intention of making money. They have essentially burned the cryptocurrency they took.

The attack was announced on X (formerly Twitter) by Predatory Sparrow, who claimed that Nobitex was helping Iran’s government circumvent international sanctions and provide funding to groups associated with terrorism, such as the Islamic Revolutionary Guard Corps (IRGC), Hamas, the Houthis, and Palestinian Islamic Jihad. Elliptic subsequently verified links between Nobitex and wallets under the jurisdiction of sanctioned organizations.

Nobitex fell silent after the attack. No public statement was released, and its website went down. The blackout has caused anxiety and uncertainty for thousands of Iranians who use the exchange.

Then there was another blow.

Targeting Sepah Bank, a state-owned organization closely associated with Iran’s military and defense funding, Predatory Sparrow claimed responsibility for yet another cyberattack. According to the group, all internal data was destroyed, and documents purportedly demonstrating direct cooperation between the bank and the Iranian military were made public.

“Caution: Associating with the regime’s instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” they warned alongside the attack. Who will be next?

Insiders informed Hamid Kashfi, the founder of DarkCell and an Iranian cybersecurity specialist based in Sweden, that Sepah’s digital services and ATMs were unavailable for hours, if not longer, in some regions of the nation. “It seems that the attack’s scope extends beyond news reports. Civilians are impacted. “Accounts are locked out,” Kashfi stated.

Although Sepah’s primary website eventually returned to the internet, there are currently no indications that internal operations have resumed as usual.

High-impact digital warfare is nothing new to Predatory Sparrow. The group has previously planned a cyberattack on a steel plant that resulted in a fire caused by molten metal spilling across the floor, interfered with Iran’s fuel distribution network, and delayed trains across the country. To amplify the message, the group even uploaded video footage of the incident.

Cybersecurity experts nearly all agree that Predatory Sparrow is under Israeli intelligence control, despite its claims to be a domestic resistance organization. Its accuracy, coordination, and availability of military-grade systems point to a state actor’s involvement.

“They are one of the few hacker groups that consistently delivers on their threats,” said John Hultquist, chief analyst at Google’s Mandiant. This is strategic cyberwarfare.

What these attacks were intended to target is what gives them their true weight. Nobitex is a symbol of Iran’s increasing use of cryptocurrencies to get around harsh economic sanctions. Conversely, Sepah Bank represents the essence of Iran’s traditional military funding. Attacking both within a single day is a calculated attack that combines physical harm with symbolic meaning.

“Who’s next?” is their parting message.—Predatory Sparrow made it apparent that this was not a one-time event. It served as a warning.