An Israel-linked hacking group has claimed responsibility for a $90m (£67m) heist on an Iranian cryptocurrency exchange. The group, known as Gonjeshke Darande (Farsi for Predatory Sparrow), said it had hacked the Nobitex exchange, a day after claiming it had destroyed data at Iran’s state-owned Bank Sepah.

Elliptic, a consultancy specializing in crypto-related crime, identified over $90m in cryptocurrency sent from Nobitex wallets to hacker addresses. The hackers appear to have ‘burned’ these funds by storing them in ‘vanity addresses’ for which they lack cryptographic keys. Tom Robinson, Elliptic’s co-founder, stated it would take current computer technology ‘billions of years’ to create the matching cryptographic key pairs.

The funds are held in addresses containing variations of ‘F*ckIRGCterrorists’. Predatory Sparrow announced it had targeted Nobitex and would release its source code and ‘internal information’. While there’s no official confirmation of the hackers’ identity or nationality, they’re regularly described in Israeli media as Israel-linked.

Rafe Pilling, director of threat intelligence at Sophos, noted that Predatory Sparrow has characteristics of a government-backed group, though there’s no firm evidence linking them to a particular state. Nobitex acknowledged a ‘security incident’ and is working on a recovery plan.

The hack appears motivated by recent escalations between Israel and Iran. Meanwhile, Iran experienced a near-total internet blackout, with traffic volumes 98% below normal. An Iranian government spokesperson attributed this to measures to maintain network stability and prevent cyberattacks.