
Key Points
- Gonjeshke Darande hacked Nobitex, Iran’s top crypto exchange
- Nearly $90 million in crypto was stolen and burned
- The group is allegedly linked to Israeli intelligence
- Previous attacks include Iran’s banks, steel plants, and railways
Gonjeshke Darande, also known as Predatory Sparrow, is no ordinary hacker group. Allegedly tied to Israel, this shadowy cyber unit has pulled off Iran’s largest crypto heist to date, stealing nearly $90 million from Nobitex, the country’s biggest crypto exchange.
But here’s what makes the attack even more explosive—they didn’t keep the money.
Time’s up – full source code linked below.
ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN.
Your remaining assets in Nobitex are now exposed and at risk.
But before that, let's meet Nobitex from the inside:
Exchange Deployment (1/8) pic.twitter.com/jiMfBpNXwd
— Gonjeshke Darande (@GonjeshkeDarand) June 19, 2025
Instead, the hackers burned all the stolen crypto, sending it to “vanity wallets” that can’t be accessed, with wallet names embedded with anti-government messages. This was no money grab—it was a political statement.
For years, Iran has been using crypto to bypass sanctions. This attack, Gonjeshke Darande claimed, was a direct hit on that system.
While Israeli authorities have remained silent, most cybersecurity analysts believe this operation and others like it are backed by Israeli intelligence.
This breach adds to the growing list of recent crypto incidents, including the LastPass crypto hack fallout, where attackers leveraged compromised data to steal over $200K in assets.
Destruction of the infrastructure of the Islamic Revolutionary Guard Corps “Bank Sepah”
We, “Gonjeshke Darande”, conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ “Bank Sepah”. “Bank Sepah” was an institution that circumvented… pic.twitter.com/1r4XyDmXcJ
— Gonjeshke Darande (@GonjeshkeDarand) June 17, 2025
5 Years of High-Impact Attacks Across Iran
A History of Cyber Sabotage
Gonjeshke Darande has quietly operated for over five years, and Nobitex wasn’t their first target. Their past hits suggest a broader mission: disrupting Iran’s economy and exposing government operations.
- May 2025 – Bank Sepah Breach: Just weeks before the Nobitex heist, Gonjeshke Darande targeted Bank Sepah, a state-owned bank. They leaked sensitive financial documents and temporarily shut down services. The attack aimed to highlight how Iran’s state banks may be involved in money laundering and sanctions evasion.
- October 2022 – Steel Plant Attacks: They hit Khuzestan, Mobarakeh, and Hormozgan Steel Companies, causing fires and physical damage. The group posted videos online showing the destruction—another public embarrassment for Iranian authorities.
- July 2021 – Train System Hack: They paralyzed Iran’s railway systems, delaying trains and posting mock messages on public displays. It was a bold move that proved they could breach even civilian infrastructure at a national scale.
This style of disruptive cyber activity echoes cases like the WhiteRock scam, where alleged founders vanished with millions in investor funds, undermining trust in platforms that appear state-linked or manipulated.
#cyberattack against Iran’s steel industry pic.twitter.com/BW7TR9Env7
— Gonjeshke Darande (@GonjeshkeDarand) June 27, 2022
Digital Clues and Political Messaging
What sets Gonjeshke Darande apart is their clear messaging strategy. They don’t just hack—they make a statement.
- Vanity Wallets with Messages: Wallet addresses used in attacks often spell out anti-regime slogans
- Polished Videos: Their operations are documented and edited into professional-grade footage
- Anonymous Channels: They release leaks and updates via Telegram and anonymous websites
These tactics suggest a well-funded, highly organized operation, far beyond the abilities of casual hackers.
Much like the ZKJ Token crash, where token trust collapsed due to questionable governance, Gonjeshke Darande’s work undermines institutional credibility through transparency—albeit by force.
1/ A hacking group that The Times of Israel says has been “previously been linked to Israel” is claiming responsibility for a cyberattack on Monday that “paralyzed gas stations across Iran.” 🇮🇱🇮🇷
It’s called “Gonjeshke Darande,” or “predatory sparrow.”
Some more quotes from the… pic.twitter.com/Slhd2HleBN
— Decensored News (@decensorednews) December 18, 2023
Links to Israeli Intelligence?
While Israel has never confirmed ties, analysts from SentinelOne and Check Point Research believe Gonjeshke Darande has direct support from a nation-state, likely Israel.
Iran, for its part, blames Mossad, Israel’s intelligence agency, for sponsoring the group. So far, there’s no concrete proof, but the targets, tools, and timing of the attacks strongly point toward Israeli interests.
The name “Gonjeshke Darande,” meaning “Predatory Sparrow” in Farsi, reflects the group’s strategy—small, agile, but capable of devastating attacks. It’s a symbolic choice, perhaps designed to mock Iran’s cybersecurity defenses.
The geopolitical cyber fight increasingly echoes the Pi Network backlash, where users accused the platform of manipulating public opinion through domain hype rather than substance.
What Comes Next?
With geopolitical tensions rising, analysts believe Gonjeshke Darande’s activity is far from over.
Iran’s state-owned banks, government agencies, and crypto systems remain at risk. These attacks demonstrate how cyber warfare is now deeply intertwined with cryptocurrency infrastructure, and in many ways, it’s becoming a new front in modern conflict.
If Gonjeshke Darande continues on its current path, more disruptive and symbolic attacks are expected—especially if Iran relies more on crypto to weather sanctions.
The world’s eyes are now on how Iran and its adversaries navigate this high-stakes digital battlefield—with incidents like the SPK Token price drop serving as reminders of just how volatile and politically charged the crypto space has become.