Who Is Gonjeshke Darande? The Hackers Behind Iran’s $90M Crypto Exchange Breach

A high-profile cyberattack has pushed the Israel-Iran conflict further into the digital realm. A group calling itself Gonjeshke Darande, or Predatory Sparrow, claims to have stolen and then burned nearly $90 million in crypto from Iran’s largest exchange, Nobitex. Framed as a politically motivated operation, the heist highlights growing concerns over the weaponization of blockchain infrastructure in modern geopolitical conflict.

While no government has formally taken responsibility, cybersecurity analysts say the group is likely linked to Israeli intelligence. If true, this would mark one of the most high-stakes examples yet of state-aligned actors using cryptocurrency infrastructure to wage digital war.

Nobitex Hack: Political Statement or Digital Sabotage?

The breach occurred in June 2025, with attackers siphoning millions in crypto from Nobitex hot wallets into vanity addresses that spell out anti-IRGC messages. Those addresses were written to carry text, not derived from a private key, so nobody, the attackers included, can ever move the funds again. Rather than launder or convert the assets, the group chose to "burn" them, permanently removing them from circulation. It was a message, not a payday.
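To see why a transfer to a vanity address amounts to burning, it helps to look at how such an address passes the checks a wallet or exchange applies. The Python script below is an added illustration and is not code from the article or from anyone involved in the incident. It assumes Tron's base58check address format (version byte 0x41, a four-byte double-SHA256 checksum, 34 characters beginning with "T"), since the article does not say which chains the transfers used, and the message it embeds is a constructed placeholder. It shows that an address can be made to spell out text and still carry a valid checksum, while the 20 bytes it encodes correspond to no known private key.

```python
"""Vanity 'burn' addresses: checksum-valid, human-readable, and unspendable.

Added example, not from the article or any party to the Nobitex incident.
Assumes Tron's base58check format: 0x41 || 20-byte account id || 4-byte checksum,
base58-encoded to 34 characters starting with 'T'. The message is constructed.
"""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin/Tron alphabet); each leading zero byte becomes a '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError for 0, O, I, l and anything else
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58check checksum: first four bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_tron_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes with version 0x41 and a correct checksum.

    This is the only check most wallets and exchanges run before sending. It says
    nothing about whether anyone holds a key for the address.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and checksum(raw[:21]) == raw[21:]


def make_vanity_burn_address(message: str) -> str:
    """Return a checksum-valid address that begins with 'T' + message.

    A real account id is the last 20 bytes of keccak256(secp256k1 public key).
    Choosing those bytes to spell text and also knowing a matching private key
    would need a ~2^160 preimage search, so the result is a one-way sink.
    The checksum occupies the last four bytes, roughly the last six base58
    characters, which leaves room for up to 27 message characters after 'T'.
    """
    if any(ch not in ALPHABET for ch in message):
        raise ValueError("message must use base58 characters (no 0, O, I, l)")
    if len(message) > 27:
        raise ValueError("at most 27 characters fit in front of the checksum tail")
    # Filler 'X' keeps the last six digits mid-range, so rewriting the checksum
    # (a change of less than 2^32 < 58^6) cannot carry into the message characters.
    candidate = "T" + message + "X" * (33 - len(message))
    raw = b58decode(candidate)
    if len(raw) != 25 or raw[0] != 0x41:
        # 'T' followed by an upper-case letter decodes to version byte 0x41.
        raise ValueError("message must begin with an upper-case letter to keep version 0x41")
    payload = raw[:21]
    addr = b58encode(payload + checksum(payload))
    if not addr.startswith("T" + message):
        raise RuntimeError("checksum rewrite disturbed the message; should not happen")
    return addr


if __name__ == "__main__":
    burn = make_vanity_burn_address("BurnAddressDemoNoKey")  # constructed message
    print(burn, "valid checksum:", is_valid_tron_address(burn))
```

The practical lesson for an exchange is that checksum validity is not a spendability check, and no format validation will stop a drain to an address like this. An outbound-transfer control that wants to catch such a transfer needs a different signal, for example a destination with no prior on-chain history, an unusually readable address body, or a withdrawal pattern that departs from the wallet's normal behaviour.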

Nobitex has long faced scrutiny from international watchdogs over its alleged role in facilitating sanctions evasion by Iran’s Islamic Revolutionary Guard Corps (IRGC). The hacker group’s decision to destroy the stolen funds rather than profit from them adds a layer of ideological motive, aimed at disrupting Iran’s financial maneuvering.

A History of Digital Warfare

Gonjeshke Darande isn’t new to this. The group has a short but high-impact track record of cyberattacks targeting Iranian infrastructure and financial systems:

  • June 2025: One day before the Nobitex hit, the group claimed to have breached Bank Sepah, a state-owned Iranian bank, destroying data and disrupting its operations.
  • June 2022: Gonjeshke Darande drew global attention after disrupting three Iranian steel producers, Khuzestan, Mobarakeh and Hormozgan, in coordinated attacks; footage released by the group showed a fire on a production floor, and output was reportedly halted.
  • July 2021: They breached Iranian Railways' systems, halting train services and pushing mocking messages onto station departure boards, an embarrassment for Iran's cyber defenses.

What sets the group apart is its polished presentation. Attacks are often followed by professionally edited videos and detailed Telegram announcements. These high-production releases, paired with real-time technical proof, suggest a level of coordination and resourcing that goes beyond hacktivism.

Who Are They, Really?

Despite the Persian name—Gonjeshke Darande translates to Predatory Sparrow—the group is widely suspected to be affiliated with the Israeli government or its intelligence services. Cybersecurity firms like SentinelOne and Check Point Research have publicly named Israel as a likely sponsor.

Iran has formally blamed Israel for the hacks, specifically accusing Mossad of orchestrating the group’s operations. Still, Israel has not acknowledged any role, maintaining strategic ambiguity.

Notably, the group’s digital fingerprints often include:

  • Vanity wallets with embedded political messaging.
  • Targeted defacements aimed at symbolic humiliation.
  • Custom destructive malware, such as the Meteor wiper used against Iranian Railways, rather than commodity tooling.

These tactics point to a group with capabilities far beyond those of typical independent hackers.

Crypto as a Weapon in Modern Cyberconflict

The attack on Nobitex adds a new dimension to the geopolitical use of crypto. Unlike traditional cybercrime, where stolen assets are usually laundered for financial gain, Gonjeshke Darande’s operation focused on destruction rather than profit. This weaponization of digital finance is a growing concern for cybersecurity experts.

Exchanges, wallet providers, and blockchain infrastructure linked to sanctioned or state-affiliated entities are now under increased threat. And while traditional cyber targets like banks and rail systems remain vulnerable, this latest incident shows that centralized crypto exchanges, and the on-chain infrastructure behind them, are now firmly in the crosshairs.