Predatory Sparrow
Gonjeshke Darande | |
---|---|
Formation | c. 2021 |
Type | Hacker group |
Predatory Sparrow (Persian: Gonjeshke Darande) is a pro-Israel[1] hacker group with possible links to the Israeli government.[2][3] Since 2021, the group has claimed responsibility for multiple cyberattacks targeting Iran, including the 2021 Iranian fuel cyberattack, attacks on several Iranian steel mills in 2022, and attacks on Bank Sepah and the Nobitex cryptocurrency exchange in 2025.[2]
History
Predatory Sparrow publicly emerged in 2021 with a series of attacks on Iranian transit systems.[4] They portray themselves as a group of Iranian anti-government hacktivists, often using their Farsi name.[1][5] However, Predatory Sparrow is widely believed, including by Israeli media, to be linked to the Israeli government or military.[2][3][4] The Israeli government has not confirmed any ties with the group.[2]
2021
Predatory Sparrow claimed responsibility for a July 2021 cyberattack on Iranian transit systems which disrupted Iranian train services. They also targeted the website of Iran's Ministry of Road and Transport. The group claimed the hack was intended to "express our disgust at the abuses and cruelty inflicted by the government on the Iranian nation".[4]
Later in 2021, Predatory Sparrow launched a major cyberattack on the Iranian fuel system that left the majority of the country's gas stations unable to process payments.[3] Attackers also took over digital billboards to display messages critical of the Supreme Leader of Iran.[4] Two United States defense officials quoted anonymously by the New York Times attributed the attack to Israel.[6]
2022
On 27 June 2022, Predatory Sparrow hackers were able to compromise industrial control systems at an Iranian steel mill, spilling a large vat of molten steel and causing a fire at the facility.[5] The spill and fire caused damage to the plant, but no one was hurt. According to the BBC, "it seems [Predatory Sparrow] were at pains to ensure the factory floor was empty before they launched their attack". However, Wired noted that, although Predatory Sparrow emphasized that they orchestrated the attack so as to "protect innocent individuals", several workers narrowly avoided being hit with spilled molten metal.[3] The attack was one of several targeting three Iranian steel companies, which the group said were in response to "aggression" by Iran.[3][7] The group also published tens of thousands of emails exfiltrated from the steel companies, intended to show their links to the Iranian military.[3]
The sophistication of the attack triggered additional speculation that Predatory Sparrow was an Israeli state-sponsored military hacking group. Israeli Defense Minister Benny Gantz ordered an investigation into leaks to Israeli journalists that led them to report that the group was state-affiliated.[7]
2023
Predatory Sparrow again attacked fuel supply systems on 18 December 2023, using an attack similar to the one in 2021. They published messages claiming the attack was "in response to the aggression of the Islamic Republic and its proxies in the region", referring to the escalating Middle Eastern crisis.[3]
2025
On 17 June 2025, shortly after Israeli airstrikes against Iran, a Predatory Sparrow cyberattack on Iran's state-owned Bank Sepah disrupted banking services. The group claimed to have destroyed data belonging to the bank, and accused the bank of helping to fund Iran's military.[8]
The group also claimed responsibility for an attack on the Iranian cryptocurrency exchange Nobitex the following day. In that attack, they stole $90 million in crypto assets, then destroyed the funds by sending them to inaccessible cryptocurrency addresses. The hackers claimed that Nobitex had helped the Iranian government evade sanctions and finance terrorist operations. American cryptocurrency analysis firms Elliptic and Chainalysis corroborated the group's claims that Nobitex had been used by groups hostile to Israel, including Palestinian Islamic Jihad, Hamas, the Houthis, and Islamic Revolutionary Guard Corps-affiliated ransomware groups.[9]
References
1. Lyngaas, Sean (18 June 2025). "Pro-Israel hackers take credit after $90 million stolen from Iran's largest crypto exchange". CNN. Retrieved 23 June 2025.
2. Levin, Gabe (19 June 2025). "Hackers say they wiped out $90 million from Iran cryptocurrency exchange". AP News. Retrieved 23 June 2025.
3. Greenberg, Andy (25 January 2024). "How a Group of Israel-Linked Hackers Has Pushed the Limits of Cyberwar". Wired. ISSN 1059-1028. Retrieved 23 June 2025.
4. Untersinger, Martin; Reynaud, Florian (20 June 2025). "Who is Gonjeshke Darande, the group behind the cyberattack targeting Sepah Bank in Iran?". Le Monde. Retrieved 23 June 2025.
5. Greenberg, Andy (18 June 2025). "Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran's Financial System". Wired. ISSN 1059-1028. Retrieved 23 June 2025.
6. Fassihi, Farnaz; Bergman, Ronen (27 November 2021). "Israel and Iran Broaden Cyberwar to Attack Civilian Targets". The New York Times. ISSN 0362-4331. Retrieved 23 June 2025.
7. Tidy, Joe (10 July 2022). "Predatory Sparrow: Who are the hackers who say they started a fire in Iran?". BBC. Retrieved 23 June 2025.
8. Vicens, A. J.; Pearson, James (17 June 2025). "Suspected Israeli hackers claim to destroy data at Iran's Bank Sepah". Reuters. Retrieved 23 June 2025.
9. Vicens, A. J. (18 June 2025). "Iran crypto exchange hit by hackers, $90 million destroyed". Reuters. Retrieved 23 June 2025.