Iran discovered itself on the front line of a cyberwarfare this week. The assailant? Predatory Sparrow is a known enemy, a group notorious for aggressive, destructive cyberattacks meant to undermine Iran’s infrastructure.

Their most recent action was symbolic as much as technical.

Wednesday saw the group launch coordinated assaults on Sepah Bank, a major financial institution integral to Iran’s military and economic machinery, and Nobitex, Iran’s largest bitcoin exchange. These were not just quick fixes. They landed takedowns with great accuracy.

Regarding Nobitex, the hackers did not pilfer the money. They burned them. Blockchain analytics company Elliptic claims that moving cryptocurrencies to irretrievable wallet addresses with names like “FuckIRGCterrorists destroyed over $90 million in assets.”

Tom Robinson, co-founder of Elliptic, said, “These vanity addresses cannot be accessed or controlled. “It was a deliberate act of destruction—a means of ensuring those monies are gone permanently.”

Predatory Sparrow asserted that the Iranian government was laundering money using Nobitex as a tool to support terrorism operations all around the Middle East. Their post called out the supposed links of the platform to approved groups, including the Houthis, Hamas, and the IRGC.

Blockchain analysis supports these assertions. Elliptic confirmed that systems of Nobitex have been interacted with by wallets connected to approved groups.

The Nobitex website went down not long after the cyber attack. The company has not given any public comments. This silence has only served to heighten anxiety for Iranian consumers depending on cryptocurrencies in the middle of an economic crisis.

Then the attack on Sepah Bank came fast.

Allegedly working with the IRGC, Predatory Sparrow claimed to have totally destroyed internal systems at the bank and leaked files implying its involvement in nuclear development and missile financing. The leaks seemed reliable, alarming people both inside and outside of Iran.

“Who’s next?” their closing line asked, sharp and direct.

The ramifications were instantaneous. Sepah’s online services and ATMs started failing all around Iran, which infuriated people and sparked panic. Expert in cybersecurity from Sweden with ties to Iran, Hamid Kashfi, said, “I’m hearing that people can’t access their money. Payment processing is not possible for small businesses. For ordinary people, this has actual, agonizing effects.

Sepah’s public web portal came back momentarily, but there is not much evidence that complete internal functionality has been restored. Government organizations have stayed silent, avoiding media comments and declining to validate specifics.

This is not the first time this group has brought Iran to ruin. Predatory Sparrow carried out public strikes on Iran’s railroads, fuel infrastructure, and even a steel mill in 2021 and 2022, setting off fires and explosions. Time and again, they have demonstrated that their goal is not only cyber disturbance—it is chaos, exposure, and strategic weakening of vital assets.

Although they assert to be a grassroots Iranian resistance movement, most cybersecurity experts think the group is either allied with or funded by Israel’s military or intelligence agency.

“These aren’t amateur tactics,” Google’s threat intelligence lead John Hultquist said. Predatory Sparrow does military exacting execution. Among the few groups out there that actually carry out their threats, they are one.

Targeting Sepah Bank and Nobitex, they have hit two of Iran’s most delicate digital veins. Moving money outside conventional financial systems depends on Nobitex, a vital conduit. Conversely, Sepah Bank is tightly linked to Iran’s defense and sanctions-evading capacity.

The group’s message is quite clear: infrastructure connected to regime operations—digital or physical—is fair game.

One thing is also clear: the cyberwar is far from finished as tensions grow.