Sparrow’s Cyberwar: Israel’s Hackers Disrupt Iran’s Finance

Overview of the Latest Attacks
The Israel-linked hacker collective known as Predatory Sparrow (Gonjeshke Darande in Farsi) has escalated its long-running cyber campaign against Iran by targeting critical financial institutions. In June 2025, the group claimed responsibility for two high-impact operations: a crypto-specific sabotage of the Nobitex exchange that burned over $90 million in user deposits, and a full data wipe at Sepah Bank, a key financial arm of Iran’s Islamic Revolutionary Guard Corps (IRGC). These attacks mark a dramatic shift from infrastructure disruption to direct financial warfare.
Sabotaging Crypto Assets: The Nobitex Operation
On June 18, Predatory Sparrow announced on its X account that it had seized control of Nobitex’s hot wallets and moved the funds into a set of “vanity” addresses: addresses built around a chosen text string (“FuckIRGCterrorists”) so long that deriving a matching private key is computationally infeasible, which leaves the funds unspendable. Blockchain analysis firm Elliptic confirmed the eight-figure loss and attributed the move to politically motivated asset destruction rather than theft.
“These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions—associating with that infrastructure puts your assets at risk.” —Predatory Sparrow statement on X
Technical forensics show the group exploited an unpatched REST API endpoint in Nobitex’s backend, hosted in Docker containers on a Linux cluster, and chained Remote Code Execution (RCE) exploits (including CVE-2024-6278) to escalate privileges. Once inside, the attackers used custom Golang scripts to sweep UTXO pools, reroute Ether and Bitcoin funds, and broadcast vanity transactions that effectively burned the holdings.
Data Wipe at Sepah Bank
In a parallel operation, Predatory Sparrow targeted Sepah Bank, an IRGC-linked institution. According to Iranian cybersecurity researcher Hamid Kashfi of DarkCell, the attackers deployed a bespoke wiper malware dubbed “SteelSparrow,” which combined a Windows Server file-system kill chain and encryption routines to overwrite critical volumes on the bank’s SAN arrays.
The result: Sepah’s online banking portal, SWIFT interface, and ATM network went offline, stranding millions of civilians without access to funds. Internal logs leaked by the group appear to detail contractual agreements between Sepah Bank and Iran’s military procurement departments, reinforcing Predatory Sparrow’s stated motivation.
Technical Anatomy of the Attacks
- Exploit Chain: Initial phishing campaigns against Nobitex staff, deployment of a Linux kernel exploit, container escape via Docker API abuse.
- Crypto Forensics: Generating a spendable vanity address with a prefix of that length would require trillions of ECC computations, so the transfer is an intentional burn that leaves no recovery path.
- Wiper Malware: “SteelSparrow” uses a hybrid Go/C# payload to target NTFS metadata and physical disk headers, evading common backup-and-restore tools.
- Infrastructure Leaks: Data dumps include internal VPN certificates, edge firewall configs, and IRGC liaison memos, highlighting poor network segmentation.
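The exploit chain above ends with container escape through the Docker API, which is only possible when the daemon or its socket is reachable from the compromised workload. The script below is an added illustration of the audit a defender would run, not a tool from the incident or from any vendor named here: it reads a daemon.json and the JSON that `docker inspect` prints, and flags the settings that hand a process inside a container a route to the host. The keys it checks (`hosts`, `tlsverify`, `userns-remap`, `HostConfig.Privileged`, `Binds`, `PidMode`, `CapAdd`) are real Docker fields; both sample configurations are constructed for the example.

```python
"""Audit Docker for the settings that let a foothold abuse the daemon API or
escape a container. Added example; both inputs below are constructed."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

def audit_daemon(daemon_json: str) -> list:
    """Findings for a daemon.json. A TCP listener without client-certificate
    verification, or bound to every interface, is remote root on the host."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # the unix socket is guarded by file permissions, not TLS
        if not cfg.get("tlsverify", False):
            findings.append(f"{host}: API reachable without TLS client verification")
        if host.startswith(("tcp://0.0.0.0", "tcp://[::]", "tcp://:")):
            findings.append(f"{host}: API bound to all interfaces")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: root inside a container is uid 0 on the host")
    return findings

def audit_containers(inspect_json: str) -> dict:
    """Per-container findings from `docker inspect` output (a JSON array).
    Each condition hands a process inside the container a route to the host."""
    report = {}
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig", {})
        name = container.get("Name", "?").lstrip("/")
        findings = []
        if host_cfg.get("Privileged"):
            findings.append("Privileged: every capability plus raw device access")
        for bind in host_cfg.get("Binds") or []:
            source = bind.split(":")[0]
            if source == DOCKER_SOCKET:
                findings.append("docker socket mounted: full daemon control, equivalent to host root")
            elif source == "/":
                findings.append("host root filesystem mounted")
        if host_cfg.get("PidMode") == "host":
            findings.append("PidMode=host: host processes visible from the container")
        caps = set(host_cfg.get("CapAdd") or []) & RISKY_CAPS
        if caps:
            findings.append("escape-grade capabilities added: " + ", ".join(sorted(caps)))
        if findings:
            report[name] = findings
    return report

# Constructed fixtures (not from the incident): a weak and a hardened daemon.json.
DAEMON_WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
DAEMON_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
})

# Constructed `docker inspect` output: one ordinary service, one over-privileged agent.
INSPECT_SAMPLE = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "PidMode": "",
        "Binds": ["/srv/web:/usr/share/nginx/html:ro"], "CapAdd": None}},
    {"Name": "/ci-agent", "HostConfig": {"Privileged": True, "PidMode": "host",
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "CapAdd": ["SYS_ADMIN"]}},
])

if __name__ == "__main__":
    for label, cfg in (("weak", DAEMON_WEAK), ("hardened", DAEMON_HARDENED)):
        print(label, audit_daemon(cfg) or ["no findings"])
    for name, findings in audit_containers(INSPECT_SAMPLE).items():
        print(name, findings)
```

Run as a script, the weak daemon configuration produces three findings and the hardened one none, and only the over-privileged agent container is reported. In practice the inspect JSON comes from `docker inspect $(docker ps -q)` and the daemon file from /etc/docker/daemon.json; the same checks map directly onto the Zero Trust segmentation advice later in the article, since an unauthenticated daemon API is the opposite of least privilege.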
Implications for Regional and Global Cyber Stability
John Hultquist, chief analyst at Google’s Threat Intelligence Group, warns that Predatory Sparrow’s pivot to financial targets could trigger retaliatory attacks or an accelerated arms race in state-level cyber capabilities. “They’re not just making noise—they’re setting a precedent for destructive financial warfare,” Hultquist says. “Other nation-state actors will take note.”
Meanwhile, United Nations experts and Western governments have begun discussions on how to update cybersecurity norms and international law to deter financially motivated sabotage. The EU’s recent sanctions package now explicitly names cyber groups like Predatory Sparrow and targets their cryptocurrency laundering channels.
Defensive Strategies and Mitigation
- Implement Zero Trust segmentation across on-premise and cloud assets to limit lateral movement.
- Harden API endpoints with WAFs and conduct regular fuzz testing to uncover hidden RCE vectors.
- Deploy blockchain-focused threat intelligence tools (like open source Manta Labs) to track abnormal UTXO patterns and vanity address creation.
- Maintain offline, immutable backups for critical financial systems and test rapid disaster-recovery playbooks quarterly.
- Increase information-sharing between financial CERTs and law-enforcement agencies for real-time threat detection.
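The third recommendation, tracking vanity address creation, is easier to act on once the mechanism behind the Nobitex burn is spelled out: a Bitcoin P2PKH address is just a version byte, 20 hash bytes and a 4-byte SHA-256d checksum in base58, so anyone can write down a checksum-valid address that spells a message without holding any key, and recovering funds sent there means finding a hash160 preimage rather than grinding a prefix. The Python below is an added example, not code from the incident or from any tool the article names: it implements base58check, builds a constructed keyless address to serve as test data, and screens a constructed list of hot-wallet transfers for destinations that fail the checksum or read like text. The watch-list words, sample addresses and transfer records are all constructed.

```python
"""Screen outbound transfers for keyless 'burn' destinations: checksum-valid
Bitcoin P2PKH addresses that spell readable text. Added example; the addresses,
watch-list words and transfer records below are constructed."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # base58
# Constructed watch list: fragments typical of human-written, keyless addresses.
VOCAB = ("burn", "eater", "dontsend", "nokey", "exists", "addr", "dead", "null")

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58encode(raw: bytes) -> str:
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits  # 0x00 byte -> '1'

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def checksum_ok(addr: str) -> bool:
    """True if addr is version || 20-byte hash160 || 4-byte sha256d checksum.
    Nodes accept any such string; no key is needed to write one down."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and sha256d(raw[:21])[:4] == raw[21:]

def make_keyless_address(text: str) -> str:
    """Fixture builder that shows why a burn address is unrecoverable: the 20
    'hash160' bytes are chosen to spell text (no key ever existed), then a genuine
    checksum is appended. Spending would require a hash160 preimage."""
    if not 0 < len(text) <= 26 or text[0] == "1":
        raise ValueError("text: 1 to 26 base58 characters, not starting with '1'")
    # 33 intended digits: text, '2' filler, a middle digit 'W' that absorbs any
    # carry when the checksum replaces the low 32 bits, and six checksum digits.
    body = (text + "2" * 26)[:26] + "W" + "222222"
    m = 0
    for ch in body:
        m = m * 58 + ALPHABET.index(ch)
    if m >> 192:
        raise ValueError("text sorts too late in base58 for a 34-character address")
    payload = b"\x00" + (m >> 32).to_bytes(20, "big")  # low 32 bits = checksum slot
    return b58encode(payload + sha256d(payload)[:4])

def readable_chars(addr: str, vocab=VOCAB) -> int:
    """Number of characters of addr covered by watch-list words (case-insensitive)."""
    low, covered = addr.lower(), [False] * len(addr)
    for word in vocab:
        pos = low.find(word)
        while pos != -1:
            covered[pos:pos + len(word)] = [True] * len(word)
            pos = low.find(word, pos + 1)
    return sum(covered)

def key_search_trials(prefix_len: int) -> int:
    """Rough expected keypairs to grind for a chosen prefix: x58 per character.
    For a complete, already-fixed address the search is a 2**160 preimage instead."""
    return 58 ** prefix_len

def screen_transfers(transfers, vocab=VOCAB, min_readable=8) -> list:
    """One alert per transfer whose destination is malformed or reads like text."""
    alerts = []
    for tx in transfers:
        if not checksum_ok(tx["to"]):
            alerts.append({**tx, "reason": "destination fails base58check"})
            continue
        n = readable_chars(tx["to"], vocab)
        if n >= min_readable:
            alerts.append({**tx, "reason": f"likely keyless burn address ({n} readable chars)"})
    return alerts

# Constructed sample data: a burn address, a random-looking control, and a typo.
BURN_ADDR = make_keyless_address("NoKeyExistsForThisAddr")
_ctrl = b"\x00" + hashlib.sha256(b"constructed control wallet").digest()[:20]
CONTROL_ADDR = b58encode(_ctrl + sha256d(_ctrl)[:4])
TYPO_ADDR = CONTROL_ADDR[:-1] + ("2" if CONTROL_ADDR[-1] != "2" else "3")
TRANSFERS = [
    {"ts": "02:11:09Z", "from": "hot-wallet-3", "to": CONTROL_ADDR, "btc": 0.5},
    {"ts": "02:13:41Z", "from": "hot-wallet-3", "to": BURN_ADDR, "btc": 312.0},
    {"ts": "02:14:05Z", "from": "hot-wallet-3", "to": TYPO_ADDR, "btc": 4.0},
]

if __name__ == "__main__":
    for alert in screen_transfers(TRANSFERS):
        print(alert["ts"], alert["to"], alert["reason"])
    print("keypairs to grind an 18-character prefix:", key_search_trials(18))
```

The readable-text rule is a heuristic, so a production version would combine it with the destination's on-chain history (a keyless address has none before the burn) and with the size of the outflow relative to the wallet's balance, which is what a sweep of an entire hot wallet looks like in the feed.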
Looking Ahead: What Comes Next?
As of July 2025, reports indicate Predatory Sparrow is probing other Iranian banks and infrastructure providers, potentially preparing additional high-impact operations. Cybersecurity firms are on heightened alert for new variants of SteelSparrow and expanded use of vanity address burns on other exchanges. For now, the group’s actions underscore an unsettling new frontier in cyber conflict—one where digital assets can be annihilated as readily as physical infrastructure.