19.06.2025
2 min
500
On June 18, 2025, the hacktivist group Predatory Sparrow carried out a large-scale cyberattack on the Iranian crypto exchange Nobitex, stealing over $90 million in digital assets. The entire amount was intentionally destroyed — the funds were transferred to inaccessible crypto wallets with anti-regime messages.
The attack was carried out at night, after which Nobitex confirmed unauthorized access to its reporting infrastructure and hot wallets. The pro-Israeli group Gonjeshke Darande (English Predatory Sparrow) announced responsibility for the attack on the X-profile, threatening to publish internal code and stolen data in 24 hours. According to Elliptic, the hackers were not financially motivated — all funds were sent to *“vanity”* addresses embedded with anti-regime phrases like “F\*ckIRGCterrorists,” which are *cryptographically inaccessible*. This means that the cryptocurrency was intentionally burned to make it unusable.
Nobitex is Iran’s largest crypto exchange, which has previously been linked to government officials, relatives of Ayatollah Khamenei, and businesses affiliated with the Islamic Revolutionary Guard Corps (IRGC). It was used by researchers to launder funds from DiskCryptor and BitLocker operations. Predatory Sparrow also claimed responsibility for a previous attack on Bank Sepah, another key Iranian financial institution. The attacks are clearly political and destructive, not financial.
This attack is the latest step in the ongoing cyber conflict between Israel and Iran. Instead of stealing assets, the hackers committed a show of destruction—a symbolic and technically complex blow to the reputation of Nobitex and the entire Iranian financial cybersector. Governments are increasingly finding that cyberattacks are part of geopolitical pressure and not necessarily for economic gain. This underscores the dangers of a new generation of hacktivist campaigns.
