Hacking Group Targets Iranian Regime’s Cryptocurrency Exchange and Bank

Latest Developments

• Iranian Regime Crypto Exchange Hacked: A group of anti-Iran hackers known as Gonjeshke Darande, meaning Predatory Sparrow in Farsi, destroyed nearly $90 million worth of cryptocurrency on Nobitex, one of Iran’s largest cryptocurrency exchanges, on June 18. Nobitex is reportedly used by the Islamic Republic to launder money and evade international sanctions, as well as finance international terrorism operations. The hacker group, which allegedly has ties to Israel, reportedly transferred the funds to hacker-controlled wallets with names that denounced the Islamic Revolutionary Guard Corps (IRGC), making the funds inaccessible to both the hacking group and the regime and effectively burning the money to make a political statement.
• Targeting IRGC’s Bank: One day earlier, the same hacker group destroyed data belonging to the Iranian state-owned Bank Sepah, leading to nationwide ATM outages and disruptions at gas stations. Gonjeshke Darande claimed that its actions were because the regime uses the bank to circumvent sanctions and used the Iranian people’s money to finance IRGC activities, its terrorist proxies, and its ballistic missile and nuclear programs. “This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies,” the group warned on X.
• Bank Sepah Sanctioned, Nobitex Under Scrutiny: The U.S. Treasury Department reimposed sanctions on the Iranian banking sector in 2018 after they were lifted as part of the 2015 Joint Comprehensive Plan of Action nuclear deal with Iran. Treasury noted that Bank Sepah “served as a financial platform for [Iran’s Ministry of Defense and Armed Forces Logistics] to pay its agents abroad.” In 2024, Sens. Elizabeth Warren (D-MA) and Angus King (I-ME) sent a letter to the secretaries of the Defense and Treasury Departments expressing concern over Iran’s use of cryptocurrencies to evade sanctions, saying that Nobitex “provided guidance on its website on avoiding sanctions.”

FDD Expert Response

“The anti-Iran hacktivist group, Gonjeshke Darande, struck a blow at the heart of the Iranian regime over the past week by taking down Bank Sepah and Nobitex — two pillars of its financial system. These two entities laundered the regime’s ill-gotten gains from ransomware operations to fund Iran’s brutal regime and its terrorism operations, making them prime targets. This is also not the first time that both organizations have been hacked. A recent hack of Bank Sepah by a hacktivist group called ‘Codebreakers’ leaked sensitive information on regime officials, senior military officers, and others. These operations exposed Iran’s financial system as weak and vulnerable, possibly inspiring it to be targeted again by other groups and weakening public trust in its security and in the financial stability of the regime.” — Ari Ben Am, Adjunct Fellow

“It was only a matter of time before Iranian financial institutions like Bank Sepah and Nobitex became targets of a likely Israeli cyberattack. These institutions don’t just support the regime’s economy; they actively enable its aggression by providing the financial infrastructure that powers missile launches at Israel, funds proxy militias across the region, and even facilitates terrorist operations in the West. When Israel struck al-Qard al-Hassan — Hezbollah’s bank in Lebanon — in October 2024, it signaled that financial enablers of terrorism are legitimate targets, both on the ground and in cyberspace. While Israel hasn’t claimed responsibility for these latest attacks, the message is clear: the banks and cryptocurrency platforms sustaining Iran’s war machine will be exposed and dismantled.” — Max Meizlish, Senior Research Analyst

FDD Background and Analysis

“Israel targets IRGC general and disrupts Iranian banks (June 17 updates),” by Janatan Sayeh

“Iran Launches Counterattacks in Cyberspace,” by Ari Ben Am and Annie Fixler

“Tehran Is Fabricating Data Leaks About Israeli Pilots,” by Max Lesser