- Gonjeshke Darande, a covert hacker group linked to Israel, has escalated cyber warfare by targeting Iranian infrastructure, including the Nobitex crypto exchange and Bank Sepah.
- Active for over five years, this group has disrupted critical Iranian sectors such as steel production and railways, signaling a persistent and strategic cyber threat.
- According to COINOTAG sources, Gonjeshke Darande’s politically charged operations aim to undermine Iran’s economic resilience, particularly its efforts to circumvent sanctions through cryptocurrency.

Gonjeshke Darande’s cyberattacks on Iran’s Nobitex exchange and Bank Sepah highlight growing state-linked digital warfare, threatening Iran’s financial and infrastructure sectors.
Gonjeshke Darande: Unveiling the ‘Predatory Sparrow’ Cyber Threat
Gonjeshke Darande, translating to “Predatory Sparrow” in Farsi, is a sophisticated hacker collective believed to be affiliated with Israeli intelligence. Their operations focus on disrupting Iranian state infrastructure and financial institutions, leveraging advanced cyber tactics to inflict both economic and reputational damage.
The group’s choice of name symbolizes their modus operandi: small but precise and impactful attacks that catch targets off guard. This nomenclature also serves as a psychological tactic, directly challenging Iranian cybersecurity defenses with culturally resonant symbolism.
Strategic Impact of Recent Attacks on Iranian Financial Systems
In June 2025, Gonjeshke Darande executed a high-profile breach of Nobitex, Iran’s largest cryptocurrency exchange, stealing nearly $90 million before rendering the funds irretrievable. This attack not only disrupted a key financial platform but also sent a clear message against Iran’s use of crypto to evade international sanctions.
Earlier in May 2025, the group targeted Bank Sepah, a state-owned Iranian bank, leaking sensitive financial data and interrupting banking operations. These coordinated strikes reveal a deliberate strategy to weaken Iran’s economic infrastructure and transparency.
Historical Cyber Operations and Their Broader Implications
Gonjeshke Darande’s cyber campaign dates back to at least 2021, with notable attacks on Iranian railways causing widespread disruptions and public embarrassment. In 2022, their assault on major steel plants resulted in physical damage and significant economic loss, marking a shift towards more aggressive, multi-domain cyber warfare.
- The 2022 steel plant attacks demonstrated the group’s capability to blend cyber and physical sabotage, amplifying their impact beyond digital confines.
- The 2021 railway hack showcased their ability to compromise critical civilian infrastructure, undermining public confidence in Iranian cybersecurity.
Advanced Digital Tactics and Public Messaging
Gonjeshke Darande distinguishes itself through the release of professionally produced videos and detailed online disclosures, often embedding political statements within crypto wallet addresses. Their use of social media and encrypted messaging platforms to disseminate proof of their operations underscores a sophisticated approach to psychological and information warfare.
Attribution, State Sponsorship, and Future Outlook
While Israel has not officially acknowledged any connection, cybersecurity firms such as SentinelOne and Check Point Research attribute Gonjeshke Darande’s activities to Israeli state sponsorship. Iran’s government accuses Israel and Mossad of orchestrating these attacks, though conclusive evidence remains undisclosed.
Experts anticipate that Gonjeshke Darande will continue targeting Iranian financial and infrastructure sectors, particularly crypto exchanges and state-owned banks, as geopolitical tensions persist. Their advanced capabilities necessitate vigilant monitoring by global cybersecurity communities to mitigate potential escalations in state-sponsored cyber conflict.
Conclusion
Gonjeshke Darande’s sustained cyber offensives represent a significant evolution in digital warfare, blending political motives with technical precision to disrupt Iran’s economic and infrastructural stability. As these attacks intensify, they underscore the growing role of cryptocurrency platforms and critical infrastructure as focal points in state-level cyber conflicts. Stakeholders must prioritize robust cybersecurity measures and international cooperation to address this emerging threat landscape effectively.