A major cyberattack on Iran’s largest cryptocurrency exchange, Nobitex, has resulted in the theft of approximately $138 million (US$90 million), as confirmed by several independent cryptocurrency tracking firms. The pro-Israel hacking group, “Predatory Sparrow,” has claimed responsibility for this incident, which appears to further destabilise Iran in the context of ongoing military actions by Israel against Tehran.
In a Farsi-language post on social media platform X, the hackers stated their intention behind targeting Nobitex, alleging that the exchange was used by Iran to bypass international sanctions. Remarkably, cybersecurity experts suggest that the hackers may have rendered the stolen cryptocurrency unusable by transferring it to digital wallets beyond their control.
Following the breach, Nobitex announced on its website that access to the platform had been temporarily suspended until further notice. Tracking firms such as Elliptic and TRM Labs confirmed that the stolen assets were sent to wallets, one of which notably included a reference to Iran’s Islamic Revolutionary Guard Corps (IRGC).
In a related incident, Predatory Sparrow also claimed to have compromised data at Bank Sepah, a state-owned financial institution, arguing that it was misused by IRGC personnel. Iran’s state-affiliated Fars news agency cautioned citizens about possible disruptions to banking services, including at petrol stations. Reports emerged of numerous ATM machines in Tehran being out of service or out of cash.
These cyberattacks signal a heightened phase in the ongoing shadow war between Israel and Iran, where both nations—or their supporters—have historically engaged in cyber espionage and sabotage for strategic gain. On the same day as the Nobitex attack, Iran’s state television was hacked, broadcasting messages calling for public uprisings against the Iranian government, although no group has immediately claimed responsibility for this act.
Predatory Sparrow, which has disrupted Iranian operations in the past—including an earlier attack on a steel mill—presents themselves as a group of hacktivists opposing the Iranian government, although cybersecurity experts suspect they may have connections to Israeli agencies.
Experts like Hamid Kashfi have warned that the Nobitex hack could negatively impact everyday Iranians, despite its stated aim of targeting military assets linked to the IRGC. As the conflict with Israel unfolds, many Iranians are turning to cryptocurrency amid diminishing financial resources, compounding the fallout from such cyber incidents.
The recent escalation in cyber activities coincides with military exchanges between Israel and Iran, where both populations are experiencing heightened anxiety. Reports of deceptive text messages in Israel claim that bomb shelters are unsafe, while Iranian authorities have warned against using messaging platforms like WhatsApp, citing fears of data collection by Israel. Meta, the parent company of WhatsApp, has dismissed these allegations, reaffirming the platform’s end-to-end encryption.