In a terrifying escalation of cyberwarfare, Predatory Sparrow has once more targeted the digital core of Iran’s infrastructure—this time aiming at the country most suffering: its financial sector.

The group took ownership of two high-impact cyberattacks on Wednesday: one on Sepah Bank, a long-standing financial institution closely linked to the military operations of Iran, and another on Nobitex, the biggest bitcoin exchange in the nation.

The fallout was immediate and severe.

Blockchain analysis company Elliptic claims Predatory Sparrow tried not to make money off of the Nobitex hack. Rather, they sent over $90 million in cryptocurrencies to so-called vanity addresses, many of which included the phrase “FuckIRGCterrorists,” so purposefully destroying them. Design dictates that nobody can access these wallet addresses. The money cannot be got back.

“This is rare,” said Elliptic co-founder Tom Robinson. “Most cyberattacks connected to cryptocurrencies center on theft. This differed. Not an economic benefit, it was political destruction.

Predatory Sparrow claimed in a statement uploaded to their X (formerly Twitter) account that Nobitex was enabling terrorist financing and sanctions avoidance for the Iranian government. They protested the alleged links of the exchange to militant organizations, including Hamas, the Houthis, and Palestinian Islamic Jihad, as well as the Islamic Revolutionary Guard Corps (IRGC).

Elliptic’s tracking verifies that Nobitex had in fact interacted with wallets connected to these groups.

The Nobitex website disappeared from the internet not long after the announcement. Nothing has been said in response or explanation. Users are left wondering, meanwhile, whether their assets are gone permanently or whether more strikes could follow.

Later the same day, the same hacker group turned their attention to Sepah Bank, a sizable Iranian financial institution. Claiming to have totally destroyed the internal systems of the bank, Predatory Sparrow released leaked records implying close cooperation between Sepah and the missile and nuclear programs of the IRGC.

The hackers cautioned in their post, “Caution: associating with the financial infrastructure of the regime is dangerous.”

There was great aftershock from this second attack.

Living in Sweden, Iranian cybersecurity researcher Hamid Kashfi reported receiving word from contacts inside Iran that online banking systems and ATM networks connected to Sepah Bank had broken down. “It’s commonplace,” he remarked. People cannot pay their bills, check their accounts, or take money out. It is striking people’s daily lives, not only a digital crisis.

Sepah’s website briefly came back online, but it’s not clear if internal systems of the bank have been rebuilt. The Iranian government has stayed officially quiet.

Predatory Sparrow has developed a reputation for mercilessly and precisely attacking valuable Iranian infrastructure. They have disabled fuel distribution systems, caused havoc across railway networks, and even started physical destruction at an Iranian steel plant, causing molten steel to leak across the plant floor and almost injure workers.

Their operational signature is clear: they destroy, expose, and broadcast their work for maximum impact rather than merely disturb.

Although the group goes under a Farsi alias, Gonjeshke Darande, trying to seem like a local resistance effort, cybersecurity experts mostly agree it is a proxy group supported by Israeli intelligence.

“These operations are far too sophisticated to be carried out without nation-state support,” said John Hultquist, chief analyst of Google’s Mandiant threat division. Predatory Sparrow delivers, not only threatens. That qualifies them as especially dangerous.

The attack on Nobitex targets one of the few financial instruments Iran employs to avoid world economic sanctions. Sepah Bank funds state-owned defense initiatives in parallel. Predatory Sparrow made it very clear by selecting these two targets: no institution allowing Iran’s worldwide aspirations is safe.