Pro-Israel Predatory Sparrow Group steals $90m in crypto from Iranian exchange Nobitex
# Incident Report: Hacktivist Attack on Iranian Crypto Exchange Nobitex
## Executive Summary
A pro-Israeli hacktivist group, identified as "Predatory Sparrow" (Gonjeshke Darande), breached the Iranian cryptocurrency exchange Nobitex. The attack resulted in the apparent theft of over $90 million in digital currency, which was subsequently transferred to politically charged "vanity addresses." The group also exfiltrated the exchange's source code and internal data, stating the exchange was used by the Iranian regime to finance terror and evade international sanctions.
## Incident Details
- Discovery Date: June 18, 2025 (Date of Elliptic disclosure reporting on the breach)
- Incident Date: Occurred shortly before June 18, 2025 (Warning posted day prior)
- Affected Organization: Nobitex (Iranian Cryptocurrency Exchange)
- Sector: Financial Technology (Cryptocurrency Exchange)
- Geography: Iran
## Timeline of Events
### Initial Access
- Date/Time: Prior to June 18, 2025 (Warning stated "In 24 hours...")
- Vector: Not explicitly detailed; a system compromise is implied by the attackers' ability to exfiltrate source code and internal data.
- Details: The group gained access to Nobitex's internal network.
### Lateral Movement
- Details: Implied access to systems holding source code and cryptocurrency holdings.
### Data Exfiltration/Impact
- Date/Time: Commenced shortly after the warning period on June 18, 2025 (or immediately preceding).
- Details: Tens of millions of dollars in digital currency ($90m+ identified) were stolen and transferred. Source code and internal data were also exfiltrated.
### Detection & Response
- Date/Time: Detected by blockchain analytics firm Elliptic on June 18, 2025 (via tracking blockchain transfers).
- Details: Elliptic tracked the movement of the stolen funds to "vanity addresses" whose address strings contain anti-regime political messages (e.g., "F\*ckIRGCterrorists"). The attackers' own public communication was the statement and warning posted on X. The exchange's response is not described in the source text.
## Attack Methodology
- Initial Access: Not detailed in the source; an unpatched vulnerability or compromised credentials are the likely vectors given the level of internal network access achieved.
- Persistence: N/A (Attack appeared focused on immediate monetary gain and data dump).
- Privilege Escalation: N/A (Assumed the attacker achieved necessary privileges to access source code and transfer funds).
- Defense Evasion: The destination vanity addresses were generated by brute-force key search so that the address string embeds a chosen message; this report treats that preparation as a form of operational security applied to the fund transfers.
- Credential Access: Not explicitly mentioned.
- Discovery: Not explicitly mentioned, though internal data theft suggests comprehensive internal reconnaissance (Discovery phase).
- Lateral Movement: Inferred movement to critical storage locations holding crypto assets and source code.
- Collection: Source code and internal information gathered, alongside cryptocurrency assets.
- Exfiltration: Digital currency swept to external addresses; source code and data released publicly (exfiltration to the public domain/hacktivist group control).
- Impact: Financial loss ($90m+), exposure of proprietary source code, and reputational damage to the exchange.
## Impact Assessment
- Financial: Estimated loss of over $90 million in digital currency.
- Data Breach: Source code and internal information of the exchange were stolen and publicized.
- Operational: Significant disruption due to massive fund loss and public exposure of internal architecture.
- Reputational: Severe reputational damage, especially given the stated political motivation linking the exchange to sanctions violations and terror financing.
## Indicators of Compromise
- On-chain indicators: Transfers of cryptocurrency to the specific destination addresses identified by Elliptic (the addresses themselves are not listed in the source; confirming them requires the block-explorer transaction data Elliptic tracked).
- File indicators: Exfiltrated source code/internal files (specific hashes/names not provided).
- Behavioral indicators: Transfer of large volumes of cryptocurrency to addresses whose address strings contain unique, politically worded components (vanity addresses).
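The behavioral indicator above can be turned into a transaction-monitoring check: score each outbound destination address by how much of it is covered by readable watch-list words, and raise severity when a large amount goes to a crafted address. This is an added example written for this report, not code from Elliptic or Nobitex; the watch-list, transaction ids, addresses and amounts are constructed.

```python
# Added example (not Elliptic's or Nobitex's code): flag outbound transfers to
# vanity addresses, the behavioural indicator listed above. All data is constructed.
from dataclasses import dataclass

# Constructed watch-list; a real deployment would use a larger dictionary plus
# brand and slogan terms. Words under MIN_WORD_LEN occur by chance in Base58/hex.
WORDLIST = {"irgc", "terrorists", "regime", "free", "iran", "nobitex", "sparrow"}
MIN_WORD_LEN = 4

@dataclass
class Transfer:
    tx_id: str
    to_address: str
    amount_usd: float

def vanity_words(address: str, wordlist=WORDLIST) -> list[str]:
    """Watch-list words present in the address. Case-insensitive, because
    vanity generators mix case to land on a checksum-valid encoding."""
    body = address.lower()
    return sorted(w for w in wordlist if len(w) >= MIN_WORD_LEN and w in body)

def vanity_coverage(address: str, wordlist=WORDLIST) -> float:
    """Fraction of address characters covered by watch-list words; a random
    address scores near 0, a deliberately crafted one scores much higher."""
    body = address.lower()
    covered = [False] * len(body)
    for w in vanity_words(address, wordlist):
        start = body.find(w)
        while start != -1:  # mark every occurrence of the word
            covered[start:start + len(w)] = [True] * len(w)
            start = body.find(w, start + 1)
    return sum(covered) / len(body) if body else 0.0

def flag_transfers(transfers, min_coverage=0.25, large_amount_usd=1_000_000):
    """Alert on transfers whose destination looks crafted; a large amount sent
    to such an address is the pattern Elliptic tracked in the Nobitex case."""
    alerts = []
    for t in transfers:
        cov = vanity_coverage(t.to_address)
        if cov >= min_coverage:
            severity = "high" if t.amount_usd >= large_amount_usd else "medium"
            alerts.append({"tx_id": t.tx_id, "severity": severity,
                           "words": vanity_words(t.to_address), "coverage": round(cov, 2)})
    return alerts

# Constructed sample transfers (not real transaction ids or addresses).
SAMPLE_TRANSFERS = [
    Transfer("tx-001", "T4kIRGCterroristsFreeIran9qXmP2Wb7", 12_500_000.0),  # crafted
    Transfer("tx-002", "TQn9Y2khEsLZkSJh7v3W8dR4mGx5pA1Bcd", 2_400.0),       # random-looking
    Transfer("tx-003", "0x7a3f9c2e1b4d8a6f5e0c9b2d7a1f4e3c8b6d5a2f", 150_000.0),  # hex, no words
]
```

Running `flag_transfers(SAMPLE_TRANSFERS)` flags only tx-001 as high severity; the coverage threshold keeps short accidental letter runs in ordinary addresses from alerting.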
## Response Actions
- Containment: No containment action by the exchange is described; the fund transfers were tracked on the blockchain by Elliptic.
- Eradication: Not specified.
- Recovery: Not specified, though financial recovery of the stolen $90m+ is highly unlikely given the nature of the transfer.
## Lessons Learned
- The critical risk posed by hacktivist groups potentially targeting entities perceived as aligned with a geopolitical opponent.
- Insufficient security controls at the crypto exchange allowed a threat actor to access and steal source code and large amounts of funds.
- The use of vanity addresses clearly signaled the non-financial, politically motivated nature of the operation.
## Recommendations
- Implement robust multi-factor authentication and strict access controls on all administrative and critical systems (source code repositories, hot wallets).
- Conduct regular security audits focused on preventing unauthorized blockchain transfers and internal data exfiltration.
- Review and limit organizational connectivity to services perceived as politically sensitive or high-risk, considering the geopolitical landscape.