A hacking group known as Predatory Sparrow has claimed responsibility for a cyberattack that resulted in the theft of digital assets worth over Ksh11.6 billion from Nobitex, Iran’s largest cryptocurrency exchange. The group announced the breach on social media, initially in Persian, and later followed up in English, stating that it had “burnt” the stolen $90 million by transferring it to inaccessible wallets, thereby destroying the assets rather than utilizing them.
Predatory Sparrow accused Nobitex of facilitating financial operations for the Iranian regime, allegedly helping it evade international sanctions. The hackers also threatened to publish the exchange’s source code, which could expose it to further attacks.
The attack occurred against the backdrop of escalating tensions between Iran and Israel, following a recent Israeli military strike targeting Tehran’s nuclear infrastructure. This hack marks a significant shift in the nature of cybercrime, with analysts labeling it the first major cyber theft driven purely by geopolitical motives rather than financial gain.
Crypto transaction monitoring firms confirmed that large sums were moved to uniquely labeled digital wallets. These wallets bore provocative names containing expletives and references to terrorism, with several including the acronym for Iran’s Islamic Revolutionary Guard Corps (IRGC). Though the hackers managed to transfer the crypto, they reportedly couldn’t access the stolen funds due to the design of the wallets.
Nobitex acknowledged the breach but emphasized that the assets in question were deliberately sent to wallets intended to destroy them, and not stolen in the conventional sense. The exchange stated that around $100 million in crypto had been “burnt” and assured users that it had fully cut off external server access to contain the situation. Nobitex denied any affiliation with the Iranian government or military, asserting its independence as a private business.
Cryptocurrency exchanges like Nobitex have long drawn criticism for operating in regulatory grey areas, lacking the transparency and compliance measures typical of traditional banks. Experts have warned that the anonymity and decentralization inherent to crypto make it a useful tool for illicit financing.
Further scrutiny of Nobitex revealed links to prominent figures connected to Iran’s leadership and Revolutionary Guard, including individuals accused of ransomware attacks and cybercrimes. Wallets on the platform were also found to be used by groups such as the Houthi militia in Yemen and entities linked to Hamas.
The attack also coincided with widespread internet disruptions across Iran, complicating efforts by Nobitex to regain control and restore user access. In a separate incident the day before, Predatory Sparrow also targeted Bank Sepah, another institution allegedly tied to the Revolutionary Guard, accusing it of misusing public funds to support terrorism.