Israel and Iran’s conflict is increasingly shifting to cyberspace, intensifying a decades-long shadow war of hacking and espionage between two cyber powerhouses.
On Tuesday, a pro-Israel hacking group claimed responsibility for a major cyberattack on an Iranian bank, as Iran’s state-run IRIB News accused Israel of waging a full-scale cyber offensive against the country’s critical infrastructure. By Wednesday, the hackers revealed yet another breach, this time hitting an Iranian crypto exchange.
Iran’s Fars News Agency, which is tied to the Islamic Revolutionary Guard Corps, reported that the country has been hit by over 6,700 distributed denial-of-service (DDoS) attacks in just three days. To blunt the effects of the barrage, officials imposed temporary internet restrictions. DDoS attacks work by overwhelming servers with fake traffic, making websites and online services inaccessible.
On Tuesday night, Iranians reported widespread internet disruptions, with many virtual private networks (VPNs) rendered inoperable. Users also experienced issues with banking services, including ATMs and online platforms. It remains unclear whether the disruptions stemmed from cyberattacks or from government measures intended to contain their effects.
While the recent Israel-linked attacks mark a new phase in the growing Middle East conflict, the cyber rivalry between the two countries has been unfolding for over twenty years.
Iran and its regional allies, such as Hamas, have carried out a broad spectrum of cyberattacks against Israel in recent years — including disinformation campaigns, data destruction efforts, and phishing attacks — though with mixed effectiveness, according to Google’s Threat Analysis Group.
Israel is widely regarded as one of the world’s most advanced and capable actors in cyber warfare. In 2010, the Stuxnet operation — attributed to the U.S. and Israel — sabotaged hardware believed to be central to Iran’s nuclear weapons program. As one of the most sophisticated and consequential hacking campaigns in history, Stuxnet underscores the enduring role of cyber operations in the Israel-Iran conflict.
Predatory Sparrow’s claims of breaching Iran’s Bank Sepah and the crypto exchange Nobitex represent the latest episode in the ongoing digital tit-for-tat between the two sides.
The group has carried out major cyberattacks against Iran over the past five years while presenting itself as a "hacktivist" organization. However, many cybersecurity experts in the private sector believe Predatory Sparrow has ties to the Israeli government.
Israel’s Ministry of Foreign Affairs declined to comment, and Predatory Sparrow could not be reached.
“Most disruptive and destructive cyberattacks are about influence and psychological impact rather than practical impact,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group. “That’s why a lot of them involve an effort to publicize the incidents which oftentimes includes a fictitious hacktivist front.”
At 4 a.m. Tuesday New York time, Predatory Sparrow announced on Telegram and X that it had successfully "destroyed the data" of Bank Sepah, alleging the institution was used to evade international sanctions.
On Wednesday, the group announced it had carried out a separate attack targeting Nobitex. Prominent crypto investigator ZachXBT noted in a Telegram post that he observed "suspicious outflows" from Nobitex, estimating that the attacker had stolen over $81 million in cryptocurrencies from the Tehran-based exchange.
Bank Sepah was unavailable for comment. In a statement on X, Nobitex acknowledged detecting unauthorized access “specifically affecting internal communication systems and a segment of the hot wallet environment.” The platform assured users that wallet balances would be fully restored “with no loss or discrepancy.”
Active since 2021, Predatory Sparrow first emerged publicly after claiming responsibility for a data destruction attack on Iran’s national railway system, which caused widespread delays across the country. Around the same time, Iran’s Ministry of Roads and Urban Development was targeted by hackers using the same file-destroying tool.
In other incidents, Predatory Sparrow has been accused of targeting point-of-sale systems at Iranian gas stations, causing a malfunction at the Khouzestan steel mill that led to molten steel spilling onto the plant floor, and releasing the alleged phone number of Iranian Supreme Leader Ali Khamenei.
Security experts note that the attackers are unusual in that relatively little technical information is available about their hacks compared to similar campaigns. Predatory Sparrow’s operations often involve destroying technical forensic evidence, hindering analysts’ ability to fully understand the attacks.
The group frequently leverages social media to publicize its operations, a strategy experts interpret as an effort to exert psychological pressure. The hack on Bank Sepah was accompanied by a targeted publicity campaign, with Predatory Sparrow declaring, "this is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies."