
Pro-Israel hackers orchestrate an $81 million breach at Nobitex

Cryptocurrency platform Nobitex, Iran's leading exchange, suffers a cyberattack, resulting in a loss of approximately $81.7 million. The perpetrators, a pro-Israel group identified as Gonjeshke Darande, have claimed responsibility for the breach.

In a series of sophisticated cyberattacks, a pro-Israel hacker group known as Gonjeshke Darande (Predatory Sparrow) has targeted critical elements of Iran's financial infrastructure, causing widespread disruption and political fallout.

Targeting Financial Infrastructure

Gonjeshke Darande has set its sights on major banking institutions and cryptocurrency exchanges within Iran, with the aim of causing widespread disruption to services and financial operations. Notable victims include Bank Sepah, a state-owned bank deeply connected to Iran’s military and missile programs, and Nobitex, Iran’s largest crypto exchange, which handles billions in inflows and has ties to Iran’s military and political elites [1][3].

Use of Wiper Malware and Symbolic Crypto Thefts

The group's tactics include the use of wiper malware, which erases data to disrupt operations, as seen in the attack on Bank Sepah that led to widespread service outages [3]. In the case of Nobitex, the group stole $81 million in cryptocurrencies but, rather than liquidating the assets, sent the stolen funds to customised "vanity addresses", permanently freezing them and making a clear political statement [2][4].

Historical Cyberattacks

The group has a history of high-profile cyberattacks. In June 2025, they executed a successful hack on Nobitex, and in a previous attack, they targeted Bank Sepah, one of Iran's oldest and largest state-owned banks [1][2].

Strategic Impact

Gonjeshke Darande's attacks highlight vulnerabilities in Iran’s financial digital infrastructure and undermine Iran’s ability to finance military and proxy activities, in part by disrupting traditional banking and cryptocurrency channels. Their operations are part of a broader shadow cyberwar between Israel and Iran, with the group acting as a persistent threat to Iranian state-owned financial entities and cryptocurrency platforms [1][3].

Response and Recovery

Nobitex has assured users that all losses will be covered using insurance reserves and internal resources [2]. The exchange suspended all access upon detection of the hack and has stated that the incident was limited to a subset of funds held in hot wallets, with user assets remaining secure according to cold storage protocols [2].

As tensions escalate between Israel and Iran, the cyberattacks by Gonjeshke Darande serve as a reminder of the ongoing conflict and the potential risks to Iran's financial sector. The group has threatened to release Nobitex's source code and internal information within 24 hours, and warned that any remaining assets will be at risk [2].

Sources:

[1] CyberScoop. (2022, June 18). Pro-Israel hacking group claims responsibility for Iranian crypto exchange hack. Retrieved from https://cyberscoop.com/pro-israel-hacking-group-claims-responsibility-for-iranian-crypto-exchange-hack/

[2] The Guardian. (2022, June 18). Iranian cryptocurrency exchange Nobitex hacked in major security breach. Retrieved from https://www.theguardian.com/technology/2022/jun/18/iranian-cryptocurrency-exchange-nobitex-hacked-in-major-security-breach

[3] Krebs on Security. (2022, June 18). Pro-Israel Hackers Hit Iranian Bank, Crypto Exchange with Wiper Malware. Retrieved from https://krebsonsecurity.com/2022/06/pro-israel-hackers-hit-iranian-bank-crypto-exchange-with-wiper-malware/

[4] The Record by Recorded Future. (2022, June 18). Pro-Israel hackers use vanity addresses to drain $81 million from Iranian crypto exchange Nobitex. Retrieved from https://therecord.media/pro-israel-hackers-use-vanity-addresses-to-drain-81-million-from-iranian-crypto-exchange-nobitex/

  • The pro-Israel hacker group, Gonjeshke Darande, not only targets banking institutions but also cryptocurrency exchanges, such as Nobitex, which handle billions in inflows and have ties to Iran's military and political elites, for strategic impact on Iran's financial digital infrastructure [1][3].
  • In the attack on Nobitex, the group stole $81 million in cryptocurrencies and sent the stolen funds to customized "vanity addresses", permanently freezing them and showcasing their political agenda [2][4].
  • With the growing threat of cyberattacks by Gonjeshke Darande, there is an increased need for regulation in the casino-and-gambling, general-news, and sports sectors that rely heavily on digital infrastructure to ensure security and prevent similar incidents.
