A shadowy hacker group known as Predatory Sparrow has struck once again, this time directly at the financial lifeblood of the Iranian government, in what many analysts are calling one of the most aggressive cyber offensives in the Middle East to date.

First aiming at Nobitex, Iran’s biggest bitcoin exchange, the group then moved quickly to compromise Sepah Bank, a major institution connected to Iran’s military and political elite, on Wednesday in a devastating two-pronged attack.

And the damage was symbolic, deliberate, and quite public, not only digital.

Over $90 million in cryptocurrency assets were taken from Nobitex wallets and moved to unrecoverable addresses, claims Elliptic, a blockchain analytics company tracking the hack. These wallet addresses were not random; they included inflammatory labels like “FuckIRGCterrorists,” a conscious signal from the hackers.

“These were not stolen for profit,” said Elliptic co-founder Tom Robinson. “They scorched. This was cybercrime done on purpose.

Declaring Nobitex as a tool used by the Iranian government to evade international sanctions and finance terrorism, the hackers turned to X (formerly Twitter). They listed connections between the platform and approved groups including the IRGC, Hamas, Houthis of Yemen, and Palestinian Islamic Jihad. Elliptic crypto-tracing verified several of these claims.

The Nobitex website crashed following the attack. Right now, the platform has not released any comments. Iranian users are left wondering whether their digital assets are lost permanently without any solutions.

That attack did not stop, though.

Declaring to have destroyed “all internal data,” Predatory Sparrow later the same day said it had also hacked Sepah Bank. In a further action to reveal the bank’s claimed military ties, the group uploaded records purportedly showing agreements between Sepah and the IRGC—highlighting links to Iran’s missile and nuclear development programs.

“Caution: Associating with the instruments of the regime for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” their warning said. Whose comes next?

Inside Iran, the effects showed right away.

According to Hamid Kashfi, founder of DarkCell and Iranian cybersecurity analyst based in Sweden, he heard reports of ATMs and online banking systems linked to Sepah failing. “People lacked access to their own wealth. This touched people, hard, not only about state players.

The public website of Sepah Bank briefly returned online, but the whole degree of the damage is still unknown. The bank has not spoken, but stories of data loss and internal paralysis abound.

Far from the first high-impact strike Predatory Sparrow makes is this one.

Believed by most experts to be supported by Israeli intelligence, the group has past disrupted rail systems, disabled Iran’s gas station payment network, and, in a 2022 cyberattack, melted steel spilled onto a major plant’s manufacturing floor, almost injuring workers and starting fires. They even posted video of that event.

Few in the cybersecurity field believe Gonjeshke Darande, despite using a Farsi name, to convey the impression of an Iranian hacktivist collective, is credible.

“This group has all the traits of a state-sponsored entity,” said Google’s Mandiant chief analyst, John Hultquist. “Their actions are precisely coordinated, politically strategic.”

The targets selected convey a message.

Nobitex is a pillar of Iran’s attempt to operate around the worldwide banking system, not only a digital wallet tool. And Sepah Bank is a valuable but vulnerable target since it is closely linked to military and defense financing.

In both cases, Predatory Sparrow has not only interfered with services. Iran’s financial escape routes are now clearly visible and under attack.