On June 18, 2025, the pro-Israel hacking group known as Predatory Sparrow (or Gonjeshke Darande in Farsi) executed one of the most dramatic cyberattacks in recent cryptocurrency history. The group drained over $90 million worth of cryptocurrency from Iran’s largest exchange, Nobitex. However, the hackers shocked the crypto world by burning the entire loot. They sent the stolen funds to crypto addresses for which they held no private keys, rendering the assets forever inaccessible.
How the Hack Unfolded
Predatory Sparrow announced the hack just one day after they claimed responsibility for destroying data at Iran’s state-owned Bank Sepah. The group timed these attacks during a period of escalating tension between Israel and Iran. This conflict had already involved missile strikes and the targeting of military installations on both sides. By attacking Nobitex, Predatory Sparrow sought to hit Iran’s financial and technological infrastructure where it hurt most.
Security researchers at Elliptic, a crypto tracking firm, analyzed the blockchain transactions following the attack. Their data revealed that the hackers moved over $90 million worth of cryptocurrency—including Bitcoin, Ethereum, and Dogecoin—from Nobitex wallets into their own addresses. The group routed these funds through addresses containing phrases like “F*ckIRGCterrorists,” a direct insult aimed at the Islamic Revolutionary Guard Corps (IRGC). The IRGC controls significant portions of Iran’s economy and military operations, and Western governments have accused it of sponsoring terrorism.
The Intentional Burning of the Stolen Crypto
Predatory Sparrow shocked the cybersecurity and crypto communities by deliberately burning the stolen funds. The group sent the cryptocurrency to vanity addresses that incorporated politically charged messages in their identifiers. The group could not access these funds because they did not generate or hold the private keys for these addresses.
Crypto tracking firms, including Elliptic, confirmed that no one could ever recover or spend the stolen funds. By doing this, Predatory Sparrow sent a clear message: they aimed not for financial gain but for symbolic destruction. The group wanted to demonstrate its ability to strike at Iran’s core digital financial systems while eliminating any chance for Iran—or even themselves—to benefit from the theft.
Political Context of the Attack
Predatory Sparrow carried out the Nobitex hack during a dangerous escalation between Israel and Iran. The two countries had already exchanged missile strikes, targeting sensitive military facilities. The international community watched the standoff with increasing alarm. The United States signaled that it would delay direct intervention by two weeks, while Russia warned Israel against attacking Iran’s Bushehr nuclear plant.
Former U.S. President Donald Trump issued public threats against Iran’s leadership, while Iran’s Supreme Leader Ayatollah Ali Khamenei responded with defiance, promising that any U.S. intervention would cause “irreparable damage.” In this climate of hostility and brinkmanship, Predatory Sparrow’s attack on Nobitex added a new dimension to the digital battlefield.
Why Nobitex Became a Target
Nobitex stands as Iran’s largest cryptocurrency exchange, serving more than 7 million users. Many Iranians rely on it for trading digital assets as a means to bypass the severe restrictions imposed by international sanctions. The exchange provides a lifeline for ordinary citizens and businesses seeking alternatives to Iran’s heavily regulated and sanctioned banking system.
However, Nobitex has attracted scrutiny because of its alleged ties to the IRGC. Independent investigative journalists have uncovered links between Nobitex and IRGC-backed ransomware groups. Reports have also connected the exchange to individuals with close relationships to Iran’s Supreme Leader. Predatory Sparrow likely selected Nobitex as a target to deliver a direct blow against the financial networks supporting the IRGC.
The Aftermath of the Hack
After the attack, Nobitex scrambled to reassure its users. The company acknowledged the incident but downplayed its impact on customer funds. Security experts believe Nobitex will face challenges rebuilding trust among its users and partners. The exchange already operates under intense pressure because of international sanctions, and this high-profile attack will only increase the scrutiny it faces from regulators and cybersecurity firms.
Predatory Sparrow followed up the hack by releasing the source code of Nobitex’s platform. By doing so, the group exposed the inner workings of the exchange, potentially creating new vulnerabilities for Iran’s crypto infrastructure. Nobitex now must not only recover from the immediate financial damage but also address the long-term risks posed by this leak.
Implications for the Global Crypto Community
Predatory Sparrow’s decision to burn the stolen funds introduced an unusual and dramatic twist to the typical narrative of crypto hacks. Most hackers steal cryptocurrency to profit. They launder funds through mixers, decentralized exchanges, or obscure blockchains to cash out anonymously. Predatory Sparrow, by contrast, used the hack as a political weapon. They transformed cryptocurrency from a financial asset into a tool of geopolitical messaging.
The global crypto community must now grapple with new questions. Can other politically motivated groups replicate this kind of attack? What protections can exchanges implement to defend against similar politically charged cybercrimes? The attack on Nobitex revealed the fragility of crypto infrastructure when confronted with skilled and determined adversaries.
The Broader Cyber Conflict Between Israel and Iran
The Nobitex hack fits into a wider pattern of cyber hostilities between Israel and Iran. Both countries have invested heavily in offensive cyber capabilities. Israel’s military and intelligence services maintain some of the world’s most advanced cyber operations teams. Iran, through the IRGC and other entities, has built its own cyber force to engage in espionage, sabotage, and disruption.
Predatory Sparrow has carried out previous cyberattacks against Iranian infrastructure. Israeli media outlets often describe the group as having ties to Israeli intelligence, although no government has confirmed this officially. The group’s operations consistently align with Israel’s strategic objectives, particularly in undermining the IRGC and Iran’s nuclear program.
What Comes Next?
Nobitex faces the difficult task of restoring its reputation and securing its platform. The exchange must enhance its defenses against future cyberattacks while managing customer concerns about security and asset protection. Meanwhile, Iran’s government will likely seek to retaliate, both in cyberspace and through conventional means.
The global crypto sector must prepare for further weaponization of digital currencies in geopolitical conflicts. The Nobitex incident has shown how hackers can use cryptocurrency not just for theft but also for sending potent political messages. Security teams at crypto exchanges must now rethink their threat models to account for attackers with political motives rather than purely financial ones.
The international community, especially regulators and technology firms, will need to collaborate to strengthen crypto ecosystem security. As digital assets continue to grow in importance within national economies, their protection will become a matter of national security.
Also Read – Iran Strait Threat: Market Shock, Oil Risk, Crypto Moves
