How Israel-aligned hackers hobbled Iran's financial system

Mint

14 hours ago

While Israel and the U.S. were bombing Iran's nuclear sites, another battlefield emerged behind the scenes: the financial infrastructure that keeps Tehran connected to the world.
Israeli authorities, and a pro-Israeli hacking group called Predatory Sparrow, targeted financial organizations that Iranians use to move money and sidestep the U.S.-led economic blockade, according to Israeli officials and other people familiar with the efforts. U.S. sanctions, imposed off-and-on for decades due to Tehran's nuclear program and support for Islamist groups, have aimed to cut Iran off from the international financial system.
Predatory Sparrow, which operates anonymously and posts updates of its activities on X, said this past week that it crippled Iran's state-owned Bank Sepah, which services Iran's armed forces and helps them pay suppliers abroad, knocking out its online banking services and cash machines. Iranian state media acknowledged the damage.
The group also breached Nobitex, Iran's largest cryptocurrency exchange, popular with locals for transferring money overseas. The hackers extracted about $100 million in funds and forced the platform to shut down, according to the exchange.
Iran's government pulled the plug on much of the country's online activities to prevent further attacks and keep a lid on dissent. Non-Iranian websites were blocked. Citizens were warned against using foreign phones or messaging platforms that it claimed could collect audio and location data for Israeli spies. Government officials were banned from using laptops and smartwatches.
Predatory Sparrow said the two hacks were directed against the 'financial lifelines" of the Islamic Revolutionary Guard Corps, the most powerful faction of Iran's military that also controls swaths of the economy. 'Noble people of Iran! Withdraw your funds before it is too late," it tweeted.
Both targeted companies remain hobbled. Nobitex said it faced serious challenges in restoring services and was aiming to relaunch trading this coming week. Some Bank Sepah users say online they still aren't receiving deposits.
The group didn't say if it was acting on behalf of Israeli authorities. 'The group's sophistication, target selection and geopolitical messaging fit the profile of an Israel-aligned, state-sponsored cyber actor," said Deddy Lavid, chief executive of Cyvers, a Tel Aviv-based cybersecurity firm.
Predatory Sparrow didn't respond to requests for comment sent to the administrator of its Telegram group.
The cyberattacks hit an economy already battered by U.S. sanctions that bar the purchase of Iran's oil or interactions with its banks. Iran's economy is highly dependent on a select few trading partners, notably China. Annual inflation runs above 40%, according to the World Bank. A constant flight of skilled workers has also throttled Iran's economic growth.
Israel confirmed a cease-fire with Iran on Tuesday. But cybersecurity experts and Israeli officials expect the cyberwarfare to continue. 'Israel will likely keep launching precision cyberstrikes against the regime's power centers," said Lavid.
Officials at Israel's National Bureau for Counter-Terror Financing said they didn't have information on links between Predatory Sparrow and Israeli authorities. They said Israel was broadly targeting the economic infrastructure that allowed Iran to finance its military and proxies, imposing sanctions earlier this month on its central bank and other banks used by the IRGC.
The NBCTF, which is overseen by the defense ministry, plans to issue orders to exchanges outside Iran to help it seize more of Nobitex's crypto holdings. It has identified a further $150 million in funds held by Nobitex, the officials said.
Pro-Iran cyber groups have hit back, targeting Israeli government websites with denial-of-service attacks, in which hackers aim to overwhelm computers that route internet traffic with a flood of requests, and sending phishing messages to Israelis in a bid to compromise their phones. The Israel National Cyber Directorate said Iran's cyberattacks hadn't caused damage in recent weeks.
Paranoia swept through the Iranian population as the attacks, both physical and cyber, mounted. 'It's better to cut [the internet] off. Israel can see everything," said Mohammad Ghorbaniyan, a Tehran-based money changer whom the U.S. sanctioned several years ago for allegedly aiding Iranian hackers, an accusation he denies.
The Bank Sepah hack last Tuesday halted payments, including salaries owed to military retirees, according to Fars News Agency, which is controlled by the IRGC. Many of its cash machines stopped working. The U.S. Treasury Department said last year that Bank Sepah, which has branches on Iranian military bases, helps Iran's defense ministry pay foreign suppliers via a sprawling shadow-banking network.
Nobitex went offline the next day. The Tehran-based crypto exchange has processed transactions in excess of about $22 billion for users since its 2017 launch, according to blockchain research firms and the officials from Israel's NBCTF.
'This attack had political motives to create emotional distress and damage the Iranian people's property," Nobitex's chief executive, Amir Rad, said in a video posted on its Telegram channel.
As in Russia and other countries cut off from international finance, cryptocurrencies, in particular dollar-pegged stablecoins such as tether, have emerged as a vital workaround in Iran, providing a medium through which users can shift money between local and foreign banks.
Nobitex's 11 million customers use the platform to swap Iranian rials for tether, which they can convert into other traditional currencies abroad. Rad has said on his LinkedIn account that Nobitex's goal is to allow Iranians to trade crypto despite 'the shadow of sanctions."
'Nobitex has been the main option for the Iranians to skip the sanctions," said Amit Levin, a former Israeli prosecutor and ex-investigator at the Binance crypto exchange who now advises companies on financial-crime compliance.
The Islamic Revolutionary Guard Corps had also turned to Nobitex for international payments, according to the Israeli officials and blockchain researchers. Crypto analytics firm Elliptic has found that two IRGC operatives, whom the U.S. accused of conducting ransomware attacks on American companies, used Nobitex to make transfers.
Rad said he didn't believe that the IRGC was moving money through Nobitex because he operated a transparent platform that was closely monitored.
Predatory Sparrow has been wreaking havoc on Iran since at least 2021. In earlier hacks, the group disabled gas-station payment systems across the country and triggered a fire at an Iranian steel plant.
For their operation against Nobitex, the hackers managed to obtain the keys for the exchange's cryptocurrency wallets, which were held by key personnel within the company, said Rad.
Predatory Sparrow then 'burned" the stolen $100 million by sending the tokens to other digital wallets the group itself couldn't access. These wallets' addresses, which are made up of long strings of numbers and letters, contained profane phrases like 'F—IRGCterrorists."
Nobitex's initial investigation into the breach indicated that Israel's government had likely supported it, Rad said, though he declined to provide proof of his claim. He said Nobitex was a private, independent company with no affiliation to the Iranian state, including the IRGC.
Write to Angus Berwick at angus.berwick@wsj.com