The dark hacker group Predatory Sparrow has claimed responsibility for two cyberattacks this week that have left state banking systems disrupted and crypto markets scorched, so upsetting Iran’s financial system to its core. Known for its aggressive and destructive activities, the group has lately taken responsibility for damaging Sepah Bank, a major financial institution connected to Iran’s military, and undermining Nobitex, Iran’s biggest cryptocurrency exchange.

The assaults seem to be surgical, timed, and quite symbolic.

Burning $90 million in bitcoin was the audacious and hitherto unheard-of action driving the operation. Blockchain experts at Elliptic claim that the pilfers from Nobitex did not find their way to anonymous wallets or dark market sales. Rather, they were moved to vanity crypto addresses—wallets starting with words like “FuckIRGCterrorists”—that are basically unrecoverable.

“These were not efforts at theft. Tom Robinson, co-founder of Elliptic, described them as intentional acts of destruction. “The crypto has been permanently lost.”

Predatory Sparrow claimed in a public post on X that Nobitex enabled financial transactions for approved terrorist groups including the Houthis, Hamas, and the IRGC, so breaching their policies. Elliptic verified based on transaction data that wallets belonging to those groups clearly link Nobitex.

Since the attack, the Nobitex platform has remained offline, leaving users in a state of uncertainty and generating concerns about personal data also caught in the cyberblast.

Still, the group still had work to do.

Predatory Sparrow soon made clear it had also targeted Sepah Bank, among Iran’s most reputable and strong financial institutions. The group asserted to have deleted all internal bank records and published documentation allegedly proving the bank’s participation in nuclear development projects and military financing.

Their farewell note is “whose next?”

Swedish-Iranian cybersecurity specialist Hamid Kashfi, who founded the security company DarkCell, confirmed he had spoken with people inside Iran who claimed Sepah’s digital banking systems and ATM were still offline days after the attack. People cannot access their wages or their accounts. Panic has resulted from it, Kashfi said. “This is not merely a cyberattack directed on the government. It is touching the daily life of common Iranians.

Sepah’s website returned briefly, but it’s not clear how much of the bank’s capabilities have actually been restored.

Predatory Sparrow is not new for dramatic digital assaults. The group closed Iran’s national fuel distribution network in 2021, so creating long lines at petrol stations. It attacked the national rail system that same year, showing hacked messages across train station monitors. Until now, however, the most damaging act the group has ever done was the steel plant fire set off by hacked industrial control systems.

The group bills itself as an Iranian resistance force. Its complex methods, timed coordination, and access to knowledge, however, point to an other reality. Most analysts agree Predatory Sparrow serves as a surrogate for Israeli cyber activity.

This group is not aiming for inspiration. Lead analyst John Hultquist of Google’s Mandiant threat intelligence said, “They are trying to disrupt—and they are quite good at it.” “They don’t send warnings. They act.

Through targeting Iran’s conventional banking industry as well as its crypto infrastructure, the group has revealed both symbolic and technological weaknesses. Iran has turned mostly on websites like Nobitex to use digital currency in order to evade sanctions. Sepah Bank, meantime, is central in the military and financial machinery of the government.

This amounted more than just a cybercrime. Written in code and delivered precisely, it was a message.

And this could only be the beginning as their chilling final note makes abundantly evident: “Caution: Associating with regime financial infrastructure is hazardous to your digital and financial health”.