A hacking group called Predatory Sparrow claimed responsibility Wednesday for a cyberattack that stole digital assets worth at least $90 million from the Iranian cryptocurrency exchange Nobitex.
The group posted on social media early Wednesday, in Persian, that it had targeted Nobitex, Iran’s largest crypto exchange, and would publish the exchange’s source code next, rendering remaining assets on the platform even more vulnerable.
Later Wednesday, the hacking group posted in English, saying that it had transferred and “burned” $90 million from the exchange, meaning that it had moved the assets but was not using them. It accused Nobitex of being a tool of the Iranian regime to work around financial sanctions imposed by the United States and other nations that have designated the Revolutionary Guard, a branch of the Iranian military, a terrorist group.
The hack comes as Israel and Iran trade attacks in the deadliest confrontation between the two countries in a decades-long shadow war that is now decidedly overt, after a surprise Israeli strike on Iran last week that it said was intended to dismantle Tehran’s nuclear program.
Crypto analytics firm Chainalysis, which tracks the movement of transactions online, said in a blog post Wednesday that the Predatory Sparrow attack on Nobitex was “the first hack of this scale exclusively for geopolitical purposes.”
According to Elliptic, another company that tracks crypto transactions, at least $90 million worth of digital assets were transferred to “vanity wallets” from Nobitex early Wednesday. The wallets, each identified by a string of numbers and letters, all had names with an expletive and the word “terrorist”; some contained IRGC, the acronym for the Islamic Revolutionary Guard Corps, the company said.
Based on Elliptic’s analysis, the hackers were able to move the crypto to digital wallets that they created, but they were unable to access the assets in those wallets.
Nobitex confirmed that the assets were inaccessible to the hackers in a post on social media Wednesday, saying that about $100 million in crypto was transferred to wallets that were used to “burn and destroy user assets.”
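The mechanism Elliptic and Nobitex describe, a destination that every node accepts as valid but that nobody can spend from, follows from how addresses are built. The script below is an added example, not code from the article, Elliptic or Chainalysis, and the prefixes in it are made up; the article does not list the real addresses or say which chains they were on. It assumes the Base58Check format with the Bitcoin P2PKH version byte 0x00 (Tron mainnet's 0x41 is shown as a second case): a readable string is decoded, its first 21 bytes kept and a fresh checksum stamped on, so the result validates but its 20-byte hash was never derived from any public key. The second half computes how many keys a brute-force vanity search would have to try to land on such a prefix by chance, which is the reason no key can be assumed to exist for a long one.

```python
"""Added example: a checksum-valid 'vanity burn' address with no known key,
and the work a key search would need to reach the same prefix.

Assumptions (not from the article): Base58Check addresses of 25 raw bytes,
version byte 0x00 (Bitcoin P2PKH) or 0x41 (Tron); constructed prefixes.
"""
import hashlib
import math

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _b58int(s: str) -> int:
    """Base58 string -> integer; ValueError on a character outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    return n


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    # Each leading zero byte becomes a leading '1' (hence 1... for P2PKH).
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits


def b58decode(s: str) -> bytes:
    n = _b58int(s)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_address(addr: str) -> bool:
    """Checksum check only: a burn address passes, validity says nothing about keys."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]


def burn_address(prefix: str, version: int = 0x00) -> str:
    """Build a checksum-valid address that spells `prefix`; no private key exists for it."""
    if not 2 <= len(prefix) <= 28:
        raise ValueError("prefix must be 2..28 Base58 characters")
    # Pad with a middle digit ('T' = 26): re-stamping the 4-byte checksum moves the
    # value by less than 2**32 < 58**6, so it can neither carry nor borrow into the
    # 28 leading digits that spell the prefix.
    n = _b58int(prefix.ljust(34, "T"))
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        raise ValueError("prefix too large for a 25-byte address") from None
    if raw[0] != version:
        raise ValueError(f"prefix not reachable with version byte 0x{version:02x}")
    payload = raw[:21]  # version || 20 bytes that were never derived from a public key
    addr = b58encode(payload + checksum(payload))
    if not addr.startswith(prefix):  # e.g. a prefix whose second character is '1'
        raise ValueError("prefix lost during re-encoding")
    return addr


def hit_probability(prefix: str, version: int = 0x00) -> float:
    """P(a random key's 34-char address starts with `prefix`) for this version byte."""
    lo = _b58int(prefix.ljust(34, ALPHABET[0]))
    hi = _b58int(prefix.ljust(34, ALPHABET[-1]))
    lo, hi = max(lo, version << 192), min(hi, ((version + 1) << 192) - 1)
    return (hi - lo + 1) / (1 << 192) if hi >= lo else 0.0


def expected_trials(prefix: str, version: int = 0x00) -> float:
    """Keys a brute-force vanity search must try, on average, to hit `prefix`."""
    p = hit_probability(prefix, version)
    if p == 0.0:
        raise ValueError("prefix unreachable with this version byte")
    return 1 / p


if __name__ == "__main__":
    burn = burn_address("1BurnAddressExampLeDoNotSend")  # constructed prefix
    print(burn, "valid:", is_valid_address(burn))
    print("1-char vanity prefix: ~%.0f keys" % expected_trials("1A"))
    print("28-char prefix: ~2^%.0f keys" % math.log2(expected_trials("1BurnAddressExampLeDoNotSend")))
```

A short prefix such as `1A` is hit after a couple of dozen keys, so a vanity address of that kind does come with a known key. A 28-character prefix needs on the order of 2^157 trials, which is why an address that spells a whole sentence can only have been produced the way `burn_address` does it, with no key behind it. Running `is_valid_address` on such an address returns True, which is the point Elliptic is making: a wallet can be a valid destination and still be a sink.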
“The situation is now under control,” Nobitex said, adding that all external access to its servers had been “completely severed.” Nobitex pushed back on claims it was associated with the Iranian regime, saying it had “always operated as an independent private business.”
Cryptocurrency exchanges have long faced criticism from finance experts and law enforcement authorities, as well as from some U.S. lawmakers, because they do not have many of the same transparency and compliance requirements as traditional financial institutions. Because crypto is pseudonymous, borderless and moves through intermediaries that operate in regulatory gray spaces, critics have said for years that terrorists use it for fundraising.
Elliptic, which authorities have used to track the movement of digital assets online, noted in its post that Nobitex “has been linked to the Revolutionary Guards, and Iranian government figures in the past.” Elliptic also said that open source investigations had identified relatives of Iran’s supreme leader, Ayatollah Ali Khamenei, and Revolutionary Guard-linked business partners as connected with Nobitex.
Elliptic said it had also identified “the use of Nobitex by sanctioned Revolutionary Guards operatives accused of ransomware operations and targeting critical infrastructure,” including Ahmad Khatibi Aghda, who is on the FBI’s “most wanted” list for suspected cybercrimes, and Amir Hossein Nickaein Ravari, also on that list, accused of computer crimes. Both have sent bitcoin to Nobitex accounts, according to Elliptic.
Chainalysis said its data showed that Nobitex hosted wallets for entities tied to the Iranian-backed Houthi militia in Yemen and wallets that Israeli authorities have identified as tied to Hamas, which is also backed by Iran.
On Wednesday, internet access was interrupted in Iran, compounding Nobitex’s woes. Nobitex said that “the simultaneous occurrence of national internet disruptions and emergency conditions” had slowed its ability to restore user access.
On Tuesday, Predatory Sparrow also claimed responsibility for a cyberattack on Bank Sepah, a major Iranian bank. The hackers accused the bank of being associated with the Revolutionary Guard and of financing terrorism using money from the accounts of the Iranian people. The Fars News Agency, an outlet affiliated with the Revolutionary Guard, reported a cyberattack on that bank Tuesday and warned account holders of a disruption to its online and remote services.
Iranians online and on the ground indicated that they were having at least some problems accessing their accounts online or at ATMs.
Predatory Sparrow has previously claimed responsibility for a number of sophisticated attacks against Iranian targets, including IRIB, the state broadcasting company. In 2022, Iranian state-sponsored actors were thought to be responsible for a cyberattack in Albania, associated with Albania's sheltering of Mujahedeen Khalq, a secretive Iranian dissident group; a logo stamped on confidential Albanian documents leaked by those attackers featured an eagle preying on the logo of Predatory Sparrow inside a Star of David.
This story was originally published at nytimes.com.