A state-linked Iranian hacking group, Gonjeshke Darande (“Predatory Sparrow” in Farsi), has claimed responsibility for a recent major cyber attack. They zeroed in on Nobitex, Iran’s largest cryptocurrency exchange. Besides the theft of more than $90 million, the attack led to the leak of Nobitex’s source code. Gonjeshke Darande charged that Nobitex helped the Iranian government circumvent harsh Western sanctions and funnel funds to terrorist organizations. Circumstantial evidence connects the deadly incident to increased Israel-Iran tensions.

Details of the Cyberattack

The misappropriated funds were allegedly routed to bitcoin wallets that held anti-Revolutionary Guard messages. Gonjeshke Darande asserted that "ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN."

The group has a troubled, years-long history of executing notable, disruptive cyberattacks against Iranian infrastructure. In 2021, they shut down gas stations in every corner of Iran. Within a few months, they set their sights on a mill and caused a massive conflagration.

Gonjeshke Darande took credit for a recent cyberattack against Iran’s state-controlled Bank Sepah, which reportedly caused the destruction of financial data. These actions highlight a larger pattern of targeting critical infrastructure and terrorist entities inside Iran.

Alleged Ties to Israel

Israeli media reports identify Gonjeshke Darande as having ties to the Israeli intelligence service. The Israeli government has only ever acknowledged any connection to the group in an unofficial capacity. This supposed link has stoked suspicion regarding the reasons behind the attacks and the possible role of state actors.

The Nobitex hack, coming just as tensions began to boil over between Israel and Iran, was timely. This timing increases the chances that this attack was indeed politically motivated. The government had attached messages to the stolen funds that taunted Iran’s Revolutionary Guard. These messages make clear that the point is to destabilize or even overthrow the Iranian government.

Earlier this year, the U.S. government warned against Iran utilizing cryptocurrencies in order to evade sanctions. We are glad to see this important topic raised by Senators Elizabeth Warren and Angus King. It’s true, of course, that digital assets are susceptible to illicit activities.

Implications and Future Concerns

In short, the Nobitex hack offers important lessons on the security of cryptocurrency exchanges, and the reality of politically motivated cyberattacks. In addition to the $90 million theft, the leak of sensitive source code places Nobitex users at severe risk. All of these developments would serve to rattle the whole Iranian economic structure.

The recent hack of the Colonial Pipeline Company demonstrates the increasing threat of cyber warfare. It illustrates how non-state actors are able to threaten critical infrastructure and financial systems. As Middle Eastern tensions escalate, cyberattacks will be an increasingly prevalent instrument of statecraft and war.