Iran’s financial sector takes another hit as largest crypto exchange is targeted
Cyberattacks targeting Iran’s financial sector widened Wednesday, as a pro-Israel hacktivist group stole more than $90 million from Nobitex, the country’s largest cryptocurrency exchange. The incident marks the second attack on Iran’s financial systems in as many days.
Predatory Sparrow, the group that self-identifies as Gonjeshe Darande in Persian, claimed responsibility for the attack on Nobitex in a social media post early Wednesday. Less than 24 hours prior, the hacktivist group said it attacked Iran’s state-owned Bank Sepah, resulting in service disruptions.
Researchers at Elliptic, a blockchain analytics firm, confirmed more than $90 million was transferred from Nobitex to multiple vanity addresses all containing some variation of “F–kIRGCterrorists” within their public key. IRGC is the acronym for the Islamic Revolutionary Guard Corps, the Iranian military branch under the control of Ayatollah Ali Khamenei, Iran’s supreme leader.
In the social media post, the group said the “cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions.” Predatory Sparrow, which previously claimed attacks on steel mills in Iran, the country’s rail system network and gas station payment systems, also threatened to leak Nobitex’s source code and internal information about its network by Thursday morning.
The attack on Nobitex could pose far-reaching financial consequences for the Iranian regime.
“I’m not aware of any larger thefts of crypto from Iran-based exchanges,” Tom Robinson, co-founder and chief scientist at Elliptic, said in an email. “Iran has been experimenting with crypto as a means of evading sanctions for a number of years. As Iran’s largest crypto exchange, Nobitex is key to that strategy.”
Elliptic researchers noted that the vanity addresses hackers transferred the crypto funds to were generated through brute-force methods involving large numbers of cryptographic key pairs.
“Creating vanity addresses with text strings as long as those used in this hack is computationally infeasible,” Elliptic said in a blog post. “This means that Predatory Sparrow would not have the private keys for the crypto addresses they sent the Nobitex funds to, and have effectively burned the funds in order to send Nobitex a political message.”
Nobitex’s website is currently offline.
Iran’s government on Monday confirmed it was reducing internet speeds to ward off cyberattacks, but that didn’t prevent the ensuing attacks on Bank Sepah and Nobitex.
Iranian government spokesperson Fatemeh Mohajerani said in a social media post Monday that the speed reduction is “temporary, targeted and controlled.” She added that the country’s stock market is also closed. The website for the Tehran Stock Exchange, the country’s largest stock exchange, is also currently offline.