Nobitex

Predatory Sparrow, an Israel-affiliated cyber-sabotage group, executed a highly destructive attack on Nobitex, Iran’s most prominent cryptocurrency exchange, in June 2025. The assault resulted in the theft and permanent loss of roughly $90 million in cryptocurrency assets, which were moved to attacker-chosen wallet addresses from which they cannot be recovered. Beyond the financial loss, the attackers published Nobitex’s entire source code, infrastructure documentation, and internal R&D materials, exposing operational weaknesses, sensitive intellectual property, and proprietary privacy research. The breach inflicted lasting reputational damage, eroded customer trust, and weakened the exchange’s competitive standing. The group’s tradecraft, which has included multi-stage malware, deletion of forensic evidence, and targeted wiper malware, shows its capability to paralyze financial infrastructure while leaving nothing to recover. The incident underscores the existential operational and financial threat to Nobitex, with long-term implications for Iran’s cryptocurrency sector and broader economic stability.

Source: https://cyberpress.org/predatory-sparrow-cyberattack/

TPRM report: https://www.rankiteo.com/company/nobitexmarket

"id": "nob1432414102725",
"linkid": "nobitexmarket",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Banking',
                        'location': 'Iran',
                        'name': 'Bank Sepah',
                        'type': 'Financial Institution'},
                       {'industry': 'Cryptocurrency Exchange',
                        'location': 'Iran',
                        'name': 'Nobitex',
                        'type': 'Private Company'},
                       {'industry': 'Transportation/Critical Infrastructure',
                        'location': 'Iran',
                        'name': 'Iranian Railways',
                        'type': 'Government Entity'}],
 'attack_vector': ['Multi-stage Malware',
                   'Native Windows Batch Scripting',
                   'Visual Basic Droppers',
                   'Scheduled Tasks',
                   'Wiper Malware (Meteor)',
                   'Host Discovery Scripts'],
 'data_breach': {'data_exfiltration': 'Yes (Published Publicly)',
                 'sensitivity_of_data': 'High (Critical Operational '
                                        'Vulnerabilities, Sensitive IP)',
                 'type_of_data_compromised': ['Source Code',
                                              'Infrastructure Documentation',
                                              'Internal R&D Materials',
                                              'Intellectual Property']},
 'date_publicly_disclosed': '2025-06',
 'description': 'Predatory Sparrow, a cyber-sabotage group widely believed to '
                'be affiliated with Israel, escalated its highly disruptive '
                'operations targeting Iran’s critical infrastructure, '
                'financial systems, and governmental institutions. The group '
                'executed sophisticated campaigns marked by deliberate data '
                'destruction and provocative public messaging, inflicting '
                'substantial operational damage across diverse sectors. Key '
                'incidents include the erasure of Bank Sepah’s data in June '
                '2025 and a destructive attack on the Nobitex cryptocurrency '
                'exchange, resulting in the theft and permanent destruction of '
                '$90 million in cryptocurrency assets. The group also '
                'published Nobitex’s source code, infrastructure '
                'documentation, and internal R&D materials, exposing critical '
                'vulnerabilities. The attacks employed multi-stage malware '
                "(e.g., 'Meteor' wiper malware), advanced defense evasion "
                'techniques, and forensic destruction methods to obscure '
                'attribution and prevent recovery.',
 'impact': {'brand_reputation_impact': ['Severe (Public Exposure of '
                                        'Vulnerabilities)',
                                        'Loss of Trust in Financial and '
                                        'Critical Infrastructure Sectors'],
            'data_compromised': ['Source Code',
                                 'Infrastructure Documentation',
                                 'Internal Privacy R&D Materials',
                                 'Sensitive Intellectual Property'],
            'financial_loss': '$90 million (Nobitex cryptocurrency theft and '
                              'destruction)',
            'operational_impact': ['Permanent Data Destruction',
                                   'Service Disruption (Bank Sepah, Nobitex, '
                                   'Iranian Railways)',
                                   'Large-Scale Infrastructure Paralysis'],
            'payment_information_risk': ['Cryptocurrency Theft (Nobitex)'],
            'systems_affected': ['Bank Sepah (Financial Systems)',
                                 'Nobitex Cryptocurrency Exchange',
                                 'Iranian Railways',
                                 'Passenger Information Systems (avoided for '
                                 'messaging purposes)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'No (Data Published '
                                                    'Publicly Instead)',
                           'high_value_targets': ['Financial Systems (Bank '
                                                  'Sepah, Nobitex)',
                                                  'Critical Infrastructure '
                                                  '(Iranian Railways)'],
                           'reconnaissance_period': 'Selective (Avoided '
                                                    'Passenger Information '
                                                    'Systems for messaging)'},
 'investigation_status': 'Ongoing (Publicly Disclosed by Threat Actor)',
 'lessons_learned': 'The incident highlights the evolving sophistication of '
                    'state-affiliated cyber-sabotage groups in deploying '
                    'multi-stage malware, defense evasion techniques, and '
                    'forensic destruction to inflict sustained damage on '
                    'critical infrastructure. Key takeaways include the need '
                    'for enhanced detection of native scripting-based attacks, '
                    'protection against wiper malware, and resilience against '
                    'large-scale data destruction campaigns.',
 'motivation': ['Geopolitical',
                'Sabotage',
                'Disruption of Critical Infrastructure',
                'Financial Damage'],
 'post_incident_analysis': {'corrective_actions': ['Restriction and '
                                                    'monitoring of Windows '
                                                    'native tool abuse (e.g., '
                                                    'BCDEdit, vssadmin).',
                                                   'Deployment of '
                                                   'behavior-based detection '
                                                   'for wiper malware.',
                                                   'Hardening of scheduled '
                                                   'task permissions and '
                                                   'monitoring.',
                                                   'Implementation of '
                                                   'immutable logging to '
                                                   'prevent event log '
                                                   'tampering.',
                                                   'Segmentation of critical '
                                                   'infrastructure networks to '
                                                   'limit lateral movement.'],
                            'root_causes': ['Lack of detection for native '
                                            'scripting-based malware (batch, '
                                            'VBS).',
                                            'Insufficient protection against '
                                            'scheduled task abuses.',
                                            'Vulnerability to wiper malware '
                                            '(Meteor) due to unprotected boot '
                                            'configurations.',
                                            'Inadequate forensic resilience '
                                            '(event log deletion, shadow copy '
                                            'removal).',
                                            'Over-reliance on traditional '
                                            'antivirus (Kaspersky bypassed via '
                                            'exclusion lists).']},
 'ransomware': {'data_encryption': 'No (not a ransomware incident; the Meteor '
                                    'wiper XOR-encodes its own configuration '
                                    'files, not victim data)',
                'data_exfiltration': 'Yes (Nobitex data published publicly)'},
 'recommendations': ['Implement advanced endpoint detection and response (EDR) '
                     'solutions to identify native scripting abuses (e.g., '
                     'Windows batch, VBS).',
                     'Deploy immutable backups and air-gapped storage to '
                     'mitigate wiper malware impact.',
                     'Enhance monitoring for scheduled task-based execution '
                     'chains and timestamp-triggered attacks.',
                     'Disable or restrict administrative tools (e.g., BCDEdit, '
                     'vssadmin, WMIC) to limit forensic destruction.',
                     'Conduct regular red team exercises simulating '
                     'multi-stage malware and data destruction scenarios.',
                     'Strengthen supply chain and third-party access '
                     'controls, and segment networks to limit '
                     'reconnaissance and lateral movement.'],
 'references': [{'source': 'Cybersecurity News Article (cyberpress.org)',
                 'url': 'https://cyberpress.org/predatory-sparrow-cyberattack/'}],
 'threat_actor': 'Predatory Sparrow',
 'title': "Predatory Sparrow Cyber-Sabotage Campaign Targeting Iran's Critical "
          'Infrastructure and Financial Systems',
 'type': ['Cyber-Sabotage', 'Data Destruction', 'Financial Theft', 'Espionage']}
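The recommendations above (monitoring native tool abuse such as vssadmin and bcdedit, scheduled-task execution chains, and event-log clearing, with behaviour-based rather than signature-based detection) can be turned into one concrete correlation rule. The following is an added example, not code from this page, from Rankiteo, or from the cited article: a small Python detector over Sysmon Event ID 1 (process creation) records, modelled as dicts with `Computer`, `UtcTime`, `Image` and `CommandLine` fields. The sample events, host names, rule weights, alert threshold and ten-minute window are all assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    name: str
    image: str     # regex matched against the process image path
    cmdline: str   # regex matched against the command line
    weight: int    # contribution to the per-host score (assumed values)


# Detection rules for the native-tool tradecraft named in the report:
# shadow copy removal, boot recovery tampering, backup catalog and event log
# deletion, scheduled-task staging and script-host (VBS) droppers.
RULES = [
    Rule("shadow_copy_deletion", r"\\vssadmin\.exe$", r"delete\s+shadows", 40),
    Rule("wmic_shadow_copy_deletion", r"\\wmic\.exe$", r"shadowcopy\s+delete", 40),
    Rule("boot_recovery_disabled", r"\\bcdedit\.exe$",
         r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", 40),
    Rule("backup_catalog_deleted", r"\\wbadmin\.exe$", r"delete\s+catalog", 30),
    Rule("event_log_cleared", r"\\wevtutil\.exe$", r"\s(cl|clear-log)\s", 30),
    Rule("scheduled_task_created", r"\\schtasks\.exe$", r"/create\b", 15),
    Rule("script_host_dropper", r"\\(wscript|cscript)\.exe$", r"\.vbs\b", 15),
]
WEIGHTS = {r.name: r.weight for r in RULES}
ALERT_THRESHOLD = 60            # e.g. two destructive actions on one host (assumed)
WINDOW = timedelta(minutes=10)  # correlation window (assumed)


def match_rules(event):
    """Return the names of every rule that fires on one process-creation event."""
    return [r.name for r in RULES
            if re.search(r.image, event["Image"], re.I)
            and re.search(r.cmdline, event["CommandLine"], re.I)]


def correlate(events, threshold=ALERT_THRESHOLD, window=WINDOW):
    """Score each host over a sliding window of its rule hits.

    A rule counts once per window, so re-running the same command does not
    inflate the score; the host alerts once the summed weights reach the
    threshold. Returns {host: {"score", "rules", "first_seen"}} for alerting
    hosts only.
    """
    per_host = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        for name in match_rules(ev):
            per_host[ev["Computer"]].append((ts, name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            fired = {name for ts, name in hits[i:] if ts - start <= window}
            score = sum(WEIGHTS[n] for n in fired)
            if score >= threshold:
                alerts[host] = {"score": score, "rules": sorted(fired),
                                "first_seen": start.isoformat()}
                break
    return alerts


# Constructed sample telemetry (not real events). NBX-SRV-01 runs a
# destruction chain from one batch session; NBX-WS-07 has two isolated hits
# hours apart that never reach the threshold inside a single window.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"Computer": "NBX-SRV-01", "UtcTime": "2025-06-18 03:12:44",
     "Image": SYS32 + r"\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "NBX-SRV-01", "UtcTime": "2025-06-18 03:12:45",
     "Image": SYS32 + r"\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"Computer": "NBX-SRV-01", "UtcTime": "2025-06-18 03:12:46",
     "Image": SYS32 + r"\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "NBX-SRV-01", "UtcTime": "2025-06-18 03:12:47",   # repeat, no extra score
     "Image": SYS32 + r"\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "NBX-WS-07", "UtcTime": "2025-06-18 09:01:10",
     "Image": SYS32 + r"\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn "Inventory" /tr inv.exe /sc daily'},
    {"Computer": "NBX-WS-07", "UtcTime": "2025-06-18 15:40:00",
     "Image": SYS32 + r"\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

Running the block alerts only on NBX-SRV-01 (score 110 from three distinct rules within two seconds); the single `schtasks /create` and the lone shadow-copy deletion on NBX-WS-07 stay below the threshold because they fall in different windows. The point of scoring distinct rules per host and window, rather than alerting on any one command, is that `vssadmin` and `schtasks` are legitimately used by administrators and backup software, while the combination of shadow-copy deletion, boot-recovery tampering and log clearing on one host in a short span is the forensic-destruction pattern the report describes.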