With the hacker group Predatory Sparrow claiming responsibility for two unheard-of strikes—one against the country’s biggest cryptocurrency exchange, Nobitex, and another on Sepah Bank, a financial institution closely linked to the Iranian military—a sophisticated and highly targeted cyberattack has rocked Iran’s financial system.

But unlike most cyberattacks motivated by profit or ransomware, this campaign seems to have had just one goal: destruction.

Leading blockchain forensics company Elliptic claims that over $90 million in cryptocurrency assets were taken from Nobitex’s wallets and transferred to so-called vanity addresses—wallets under personalized names like “FuckIRGCterrorists.” These are functionally dead ends, not only untraceable. Any assets passed to them are permanently lost, more like burned on demand.

“The crypto they stole has essentially burned,” co-founder of Elliptic Tom Robinson remarked. “The hackers quite obviously have political rather than financial motives.”

Predatory Sparrow claimed in a post on X (formerly Twitter) that Nobitex was a financial conduit for the Iranian government, so enabling transactions connected to approved entities including the Islamic Revolutionary Guard Corps (IRGC), Hamas, Yemen’s Houthi rebels, and Palestinian Islamic Jihad. Blockchain activity does link Nobitex to several wallets connected to those groups, Elliptic confirmed.

The aftermath was instantaneous. After the announcement, Nobitex’s website went down and remained unreachable. The exchange has not made any public comments since, which leaves consumers wondering whether their accounts—and money—have survived the hack.

Still, that marked only the beginning of the digital assault.

Just a few hours later, Predatory Sparrow said it had singled out Sepah Bank, one of Iran’s most well-known and oldest banks. Citing the bank’s ties to Iran’s defense industry and its part in sanctions avoidance, the group claimed it deleted all internal data. The hackers published files seeming to show official agreements between the bank and the Iranian military to support their claim.

The warning from the hackers was strong and foreboding. “Caution: Your long-term financial situation suffers if you support the regime’s tools for avoiding sanctions and fund its nuclear program and ballistic missiles. Next? Who’s?

Although Sepah’s public website was rebuilt in one day, insiders report the effects of the attack are still felt.

Iranian cybersecurity researcher Hamid Kashfi, who now resides in Sweden, verified claims that Sepah’s online banking systems and ATMs have stayed offline in a number of locations throughout the nation. “This is not only an attack on military infrastructure,” Kashfi remarked. For millions of Iranians who depend on the bank for daily needs, it is creating real difficulties.

Predatory Sparrow made news not too long ago. They turned off thousands of gas stations in 2021, leaving drivers stranded and generating a general scarcity of fuel. Attacking Iran’s railway system, they also displayed digital messages on train station screens alerting travellers of canceled trains. Perhaps their most infamous deed, though, occurred in 2022 when the hackers themselves broke into the control system of a steel plant, allowing molten steel to flow and start a fire on the manufacturing floor. This event was caught on camera and published by the hackers.

Although the group claims to be an Iranian resistance force, most analysts agree that Predatory Sparrow works with Israeli military or intelligence backing. Their activities have impact, scale, and accuracy much above what individual hacktivists could accomplish.

“This is a group with both state-grade tools and high-level access,” Google’s Mandiant chief analyst John Hultquist said. They are not making empty threats or blustering. They generate outcomes.

Platforms like Nobitex have become vital to the financial survival of Iran since it is turning to cryptocurrencies more and more to get access to foreign goods and evade sanctions. Predatory Sparrow might have hit two of the most important financial lifelines in the nation by destroying Sepah Bank’s internal infrastructure and crypto holdings.

The last shot the group offers, “Who’s next,” points to maybe only the start of a larger campaign. Attacks like this one highlight how susceptible even money can be to political firepower as financial systems get more and more digital.