This week, Iran’s financial scene was disturbed by a series of well-planned cyberattacks executed by the infamous hacker group Predatory Sparrow. The twin strikes aimed at Sepah Bank, a prominent financial institution connected to Iran’s elite military forces, and Nobitex, the country’s top bitcoin exchange.

The damage was quick, public, and intended to convey a message.

Nobitex, a crypto platform extensively used by Iranians to evade conventional banking systems under global sanctions, was at the center of the first attack. Burning more than $90 million worth of digital money, the hackers sent it to wallet addresses with provocative words like “FuckIRGCterrorists,” instead of pilfering.

Tom Robinson, co-founder of Elliptic, the blockchain analysis company that confirmed the hack, described these as essentially black holes, vanity addresses. Once money enters, it is not easily reversible. This was financial devastation, not theft.

Predatory Sparrow claimed in a statement on X that Nobitex assisted the Iranian government in funding radical groups and avoiding sanctions. According to the group, the trade handled cryptocurrencies for the IRGC, Hamas, the Houthis, and other internationally sanctioned organizations. Later, Elliptic verified these links using blockchain tracking.

The website of Nobitex vanished from the internet not long afterward. And up to now, the company has been silent—no updates, no denial, no clarity for the hundreds of thousands of locked out users.

The group still lacked completion, though.

Declaring they had entered Sepah Bank, Predatory Sparrow said in their second operation, they had destroyed all internal data and distributed what they claimed to be evidence of the bank’s cooperation with Iran’s missile and nuclear programs. According to the published records, Sepah and the Islamic Revolutionary Guard Corps (IRGC) have close financial relations.

“Who’s next?” the group asked in closing, a menacing note.

The Iranian domestic consequences were felt right away. An expert in cybersecurity, Hamid Kashfi from Sweden, reported that many Sepah customers discovered ATMs and online services were not available all around the nation. “The civilian cost here is tremendous,” Kashfi said. “It’s everyday people, not only an elite financial system that’s been hit.”

Sepah Bank’s website briefly returned online, but the outage exposed the possible flaws in Iran’s digital banking system. The silence of state officials has simply heightened the uncertainty.

Not new to this kind of high-impact cyberwarfare is predatory Sparrow, sometimes known as Gonjeshke Darande in Farsi.

They have disabled fuel distribution systems, caused mass train delays, even hacked a steel mill, so causing a catastrophic equipment failure and fire. Every attack has been deliberate, reported, and accompanied by strategic leaks—tactics more akin to state intelligence operations than independent hacktivism.

Many analysts have thus come to the conclusion that the group most certainly acts as a surrogate for Israeli intelligence services. Its technical mastery and constant emphasis on high-value Iranian targets help to support that theory.

“This is an operator that knows exactly what it’s doing,” said Google’s Mandiant chief analyst, John Hultquist. “They’re remarkably effective and are shaping geopolic conflict from behind a keyboard.”

The twin attack this week landed squarely on two of Iran’s most important financial tools.

For digital commerce and sanction circumvention, Nobitex had evolved into a lifeline. From defense to nuclear development, Sepah Bank is central in providing funding for Iran’s strategic aspirations.

Predatory Sparrow pulled back the curtain on how Iran attempts to survive isolation and fuel power, so influencing not only business.