Two of the most well-known cyberattacks in Iran’s recent history—one that burned over $90 million in crypto assets and another that shut down banking systems serving millions—have been claimed by the hacker group known as Predatory Sparrow in a digital assault that has rocked Iran’s financial infrastructure.

Often known by its Farsi name, Gonjeshke Darande, the group is generally thought to have ties to Israeli intelligence. Claiming it had targeted Sepah Bank, a government-linked financial institution with strong ties to Iran’s military, and Nobitex, Iran’s leading bitcoin exchange, it made headlines once more this week.

This was not a usual cybercrime, though, targeted at data or money theft. Rather, the attackers purposefully destroyed money, surprising experts and indicating a marked change in cyberwarfare strategies.

From Nobitex wallets into so-called vanity addresses—custom blockchain wallets starting with phrases like “FuckIRGCterrorists,” attackers transferred over $90 million in digital assets, according to Elliptic, a blockchain analysis company. These kinds of addresses are irrevocable as well as symbolic. The money is gone forever.

“This was not about profit,” said co-founder of Elliptic Tom Robinson. “The crypto they pilfered has burned. The hackers obviously have political rather than financial driving forces.

Predatory Sparrow claimed in a statement placed on X that Nobitex assisted the Iranian government in funding terrorist organizations and avoiding international sanctions. The group said that affiliates of Hamas, Yemen’s Houthis, Palestinian Islamic Jihad, and sanctioned Islamic Revolutionary Guard Corps (IRGC) officials have used the platform. Elliptic’s results seemed to support these links using on-chain data.

After the attack, Nobitex’s website was offline; at the time of writing, it had not been restored. The exchange has not released any official statement, so leaving its users—and most of Iran’s crypto community—in doubt.

Predatory Sparrow returned only a few hours later.

Targeting Sepah Bank, one of Iran’s oldest and most strategically significant banks, this time Claiming ties to the Iranian military and the IRGC as justification, the group asserted to have erased all internal bank data. The hackers uploaded records seeming to show financial contracts between Sepah and state defense agencies as evidence.

Their voice is “Caution: Your long-term financial situation suffers if you associate with the tools used by the government to evade sanctions and fund its nuclear program and ballistic missiles. Next? Who’s?

The public-facing website of Sepah Bank momentarily crashed but was fixed soon after. Still, behind the scenes, the situation was far more disruptive.

Iranian cybersecurity researcher Hamid Kashfi, founder of DarkCell and based in Sweden, claimed that since the attack, Sepah Bank’s ATMs and online banking systems have stayed offline. “There has been much collateral damage,” Kashfi remarked. “Millions of average Iranians depend on those services; right now, they cannot access their money.”

Operations of Predatory Sparrow now regularly feature collateral damage. The group disabled thousands of gas station payment systems, wrecked the railway network, and hacked an industrial steel mill in Khouzestan province, causing national anarchy in Iran in 2021 and 2022. That specific attack nearly resulted in death, set the plant on fire, and caused a vat of molten metal to overflow. Posted by the group itself, a video of the incident went viral online.

Although Predatory Sparrow says it is an Iranian resistance group, most security analysts agree their operations’ sophistication suggests support from Israel’s intelligence services. Far beyond what most hacktivists can accomplish, their ability to regularly access sensitive systems, compromise highly secured infrastructure, and delete data without detection is astounding.

Chief analyst John Hultquist of Google’s Mandiant threat intelligence division clarified, “This actor is highly competent and very serious. Many of the performers create threats. This one really does follow through.

It is difficult to overlook the larger lesson these attacks send. Iran has turned more and more to crypto sites like Nobitex to get around world sanctions and keep some degree of financial flexibility. Predatory Sparrow may have seriously damaged Iran’s financial lifelines by wiping off its digital assets and undermining one of its main banks.

With its simplicity—who’s next—the last line of the hacker group’s comment was eerie. For Iran and maybe others in the area, this is a topic with actual weight today.