Predatory Sparrow: Iran Crypto Hack Exposes Risks


The escalating Israel-Iran conflict recently spilled over into the cryptocurrency world. A pro-Israel hacker group, known as Gonjeshke Darande (Predatory Sparrow), successfully exploited Iran's largest cryptocurrency exchange, Nobitex, resulting in the theft of approximately $90 million.

Who are Gonjeshke Darande?

Gonjeshke Darande, translating to "Predatory Sparrow" in Farsi, is a highly sophisticated cyberattack group with strong suspected links to Israel. Their operations are politically motivated, primarily targeting Iranian infrastructure, financial systems, and government entities. While Israel hasn't officially claimed responsibility, the group's targets, methods, and overt political messaging strongly suggest Israeli affiliation.

The Name: Predatory Sparrow

  • The name "Gonjeshke Darande" directly translates to "Predatory Sparrow" in Farsi.
  • This moniker symbolizes a small but powerful bird capable of swift, targeted attacks—a fitting description of the group's cyber operations.
  • Using a distinctly Iranian name is a provocative move, likely intended to mock Iranian cybersecurity and deliver a symbolic message to the regime.

History of Attacks

June 2025: Nobitex Crypto Exchange Hack

Gonjeshke Darande compromised Nobitex, transferring funds to vanity wallets displaying anti-IRGC (Islamic Revolutionary Guard Corps) messages. Sending the funds to these wallets rendered the stolen cryptocurrency effectively inaccessible. Nobitex itself had faced accusations of money laundering and sanctions evasion.

May 2025: Bank Sepah Attack

Prior to the Nobitex hack, the group targeted Bank Sepah, a state-owned Iranian bank. They disrupted services and leaked sensitive financial data, aiming to expose Iranian government financial dealings and cripple state-backed economic activities.

October 2022: Iranian Steel Plant Attacks

  • The group attacked three major Iranian steel factories: Khuzestan Steel Company, Mobarakeh Steel Company, and Hormozgan Steel Company.
  • They publicly claimed responsibility, releasing footage of the resulting damage.

July 2021: Attack on Iranian Railways

  • Gonjeshke Darande disrupted Iranian Railways' digital systems, causing delays and posting mocking messages on train display boards.
  • This attack highlighted the group's willingness to target critical civilian infrastructure.

The group’s digital footprint is characterized by:

  • Vanity Wallets and Defacement: Political messages embedded in cryptocurrency addresses.
  • Social Media and Telegram Messaging: Announcements and leaked documents shared via anonymous channels.
  • Professional-Quality Video Releases: High-production-value videos showcasing successful attacks.

Attribution and State Sponsorship

Security firms like SentinelOne and Check Point Research have linked Gonjeshke Darande to Israel, though Israel hasn't confirmed or denied this. Iran officially accuses Israel and Mossad, but lacks concrete proof. The group's continued activities and sophistication are closely monitored by cybersecurity analysts worldwide. The potential for further attacks on crypto exchanges and Iranian banks remains high.

Codeum's services can help mitigate these risks: Our smart contract audits and security consultations can help cryptocurrency exchanges enhance their security posture and protect against sophisticated attacks. Contact us to learn more about our comprehensive blockchain security solutions.
