Israel-linked group hacks Iranian cryptocurrency exchange in $90m heist

TruthLens AI Suggested Headline:

"Israel-Linked Hacking Group Claims $90 Million Heist of Iranian Cryptocurrency Exchange"


TruthLens AI Summary

An Israel-linked hacking group, known as Gonjeshke Darande or Predatory Sparrow, has claimed responsibility for a significant cyber heist involving the theft of $90 million from the Iranian cryptocurrency exchange Nobitex. This incident unfolded shortly after the group announced it had compromised the data of Iran's state-owned Bank Sepah, further escalating the ongoing cyber conflict between Israel and Iran. According to Elliptic, a consultancy that focuses on cryptocurrency crimes, over $90 million in cryptocurrency has been traced from Nobitex's wallets to addresses controlled by the hackers. Remarkably, the stolen funds appear to have been rendered permanently inaccessible, as they were transferred to “vanity addresses” for which the hackers lack the necessary cryptographic keys. These addresses are noted for containing variations of the phrase “F*ckIRGCterrorists,” indicating a politically motivated attack against Iranian interests.

The implications of this cyber heist are significant, especially considering the current geopolitical tensions between Israel and Iran. While there is no formal confirmation of the hackers’ national identity, Israeli media frequently links Predatory Sparrow to state-sponsored operations. Cybersecurity experts, such as Rafe Pilling from Sophos, suggest that the group's activities exhibit characteristics typical of government-backed cyber operations targeting Iran's financial and logistical sectors. In response to the incident, Nobitex reported a security breach and is actively pursuing a recovery strategy. Additionally, it has been noted that Iran is experiencing a drastic reduction in internet traffic, with reports indicating a 98% drop compared to the previous week, although this slowdown has been attributed to government measures rather than the hacking incidents. The situation highlights the increasing intersection of cyber warfare and state-sponsored espionage, particularly in the context of financial systems and national security.


Unanalyzed Article Content

An Israel-linked hacking group has claimed responsibility for a $90m (£67m) heist on an Iranian cryptocurrency exchange.

The group known as Gonjeshke Darande, Farsi for Predatory Sparrow, said on Wednesday it had hacked the Nobitex exchange, a day after claiming it had destroyed data at Iran’s state-owned Bank Sepah.

Elliptic, a consultancy specialising in crypto-related crime, said it had so far identified more than $90m in cryptocurrency sent from Nobitex crypto wallets to hacker addresses.

The hackers appear to have in effect “burned” those funds, rendering them inaccessible by storing them in “vanity addresses” for which they do not have the cryptographic keys, Elliptic said.

Tom Robinson, Elliptic’s co-founder, told the Guardian it would take current computer technology “billions of years” to create the cryptographic key pairs that match the vanity addresses.

The funds are being held in addresses containing some variation of the term “F*ckIRGCterrorists”. In a post on X, Predatory Sparrow said it had targeted Nobitex and would release its source code and “internal information”.

Predatory Sparrow is regularly described in Israeli media as being Israel-linked, although there has been no official confirmation of the hackers’ identity or their nationality.

“Although there is no confirmation yet that the funds were moved by Predatory Sparrow, the hack appears to be motivated by the recent escalation of tensions between Israel and Iran,” Elliptic said.

Rafe Pilling, the director of threat intelligence at the cybersecurity firm Sophos, said there was no firm evidence linking Predatory Sparrow to a particular state, but it had the characteristics of a government-backed group.

“It bears all the hallmarks of a false persona used by a government-sponsored threat group to conduct disruptive operations against targets linked to illicit Iranian revenue generation, logistical entities, transport infrastructure and other strategic sectors,” he said.

Nobitex said on X it had experienced a “security incident” and was “actively working on implementing a secure and efficient recovery plan”.

Predatory Sparrow claimed in a post on X that it had “destroyed the data” of Bank Sepah and accused the bank of financing the Iranian military. Bank Sepah’s international branch in London has been approached for comment.

Meanwhile, companies tracking global internet activity have reported a near-total internet blackout in Iran. Cloudflare told the Guardian that traffic volumes were 98% below where they were at the same time last week.

However, hackers do not appear to have been the cause of the shutoff. An Iranian government spokesperson, Fatemeh Mohajerani, said this week that internet access had been slowed down to “maintain the network’s stability” and to ward off cyberattacks.

Source: The Guardian