Israel-linked group hacks Iranian cryptocurrency exchange in $90m heist

An Israel-linked hacking group has claimed responsibility for a $90m (£67m) heist on an Iranian cryptocurrency exchange.

The group known as Gonjeshke Darande, Farsi for Predatory Sparrow, said on Wednesday it had hacked the Nobitex exchange, a day after claiming it had destroyed data at Iran’s state-owned Bank Sepah.

Elliptic, a consultancy specialising in crypto-related crime, said it had so far identified more than $90m in cryptocurrency sent from Nobitex crypto wallets to hacker addresses.

The hackers appear to have in effect “burned” those funds, rendering them inaccessible by storing them in “vanity addresses” for which they do not have the cryptographic keys, Elliptic said.

Tom Robinson, Elliptic’s co-founder, told the Guardian it would take current computer technology “billions of years” to create the cryptographic key pairs that match the vanity addresses.

The funds are being held in addresses containing some variation of the term “F*ckIRGCterrorists”. In a post on X, Predatory Sparrow said it had targeted Nobitex and would release its source code and “internal information”.

Predatory Sparrow is regularly described in Israeli media as being Israel-linked, although there has been no official confirmation of the hackers’ identity or their nationality.

“Although there is no confirmation yet that the funds were moved by Predatory Sparrow, the hack appears to be motivated by the recent escalation of tensions between Israel and Iran,” Elliptic said.

Rafe Pilling, the director of threat intelligence at the cybersecurity firm Sophos, said there was no firm evidence linking Predatory Sparrow to a particular state, but it had the characteristics of a government-backed group.

“It bears all the hallmarks of a false persona used by a government-sponsored threat group to conduct disruptive operations against targets linked to illicit Iranian revenue generation, logistical entities, transport infrastructure and other strategic sectors,” he said.

Nobitex said on X it had experienced a “security incident” and was “actively working on implementing a secure and efficient recovery plan”.

Predatory Sparrow claimed in a post on X that it had “destroyed the data” of Bank Sepah and accused the bank of financing the Iranian military. Bank Sepah’s international branch in London has been approached for comment.

Meanwhile, companies tracking global internet activity have reported a near-total internet blackout in Iran. Cloudflare told the Guardian that traffic volumes were 98% below where they were at the same time last week.

However, hackers do not appear to have been the cause of the shutoff. An Iranian government spokesperson, Fatemeh Mohajerani, said this week that internet access had been slowed down to “maintain the network’s stability” and to ward off cyberattacks.
