“Who’s Next?”: Predatory Sparrow Warns of More Cyberattacks

September 3, 2025

Iran is at the center of a fresh chapter in cyberwarfare. The hacker group Predatory Sparrow, believed to be aligned with Israeli interests, has carried out one of its most aggressive actions yet, crippling two main financial targets in Iran: Sepah Bank, a pillar of the nation’s state-run banking system, and Nobitex, the biggest cryptocurrency exchange.

These attacks had nothing to do with selling data on the dark web or stealing money. Rather, they were carefully calculated acts of destruction.

Respected blockchain analytics company Elliptic says that more than $90 million was taken out of Nobitex and moved into crypto wallets known as vanity addresses, carrying politically charged names like “FuckIRGCterrorists.” Funds sent to these addresses are unrecoverable; money paid to them is effectively burned permanently. “The hackers obviously have political rather than financial motivations,” Elliptic co-founder Tom Robinson remarked. “The crypto they stole has basically been burned.”

Predatory Sparrow defended its attack in a public post on its X account, accusing Nobitex of helping the Iranian government fund terrorism and violate international sanctions. The group directly connected Nobitex’s activities to IRGC agents, Hamas, the Houthis, and Palestinian Islamic Jihad. Elliptic’s investigation confirmed those assertions by demonstrating unambiguous transactional ties between Nobitex and several sanctioned entities.

Nobitex’s website went down following the attack and has stayed dark ever since. The company has not made a public statement, leaving users and onlookers in the dark about the full scope of the hack.

The second phase of the attack arrived quickly.

Predatory Sparrow claimed to have also breached Sepah Bank, completely wiping its internal records. As proof, they uploaded records apparently showing official agreements between the bank and the Islamic Revolutionary Guard Corps. “Caution: Associating with the regime’s instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” they said at the close of the post. “Who’s next?”

Although Sepah Bank’s website returned online soon after the attack, the situation on the ground points to a far greater impact. Through contacts in Iran, cybersecurity researcher and DarkCell founder Hamid Kashfi confirmed that Sepah’s online banking and ATMs have stayed offline since the hack, affecting financial access for millions of ordinary Iranians. Kashfi pointed out that a lot of collateral damage had resulted. “Yes, these institutions serve people, but they are also connected to the dictatorship.”

Predatory Sparrow has made news before. In the past, they have been responsible for high-impact strikes on Iran’s gas stations, railway system, and even a steel manufacturing plant, where they caused an industrial accident by tampering with control systems. Particularly startling was the steel mill incident; it almost caused a fire and injured workers. The group even posted video footage of the operation.

While the group presents itself as a homegrown Iranian resistance, cybersecurity experts agree that Predatory Sparrow is supported or directed by Israeli intelligence services. Their accuracy, resources, and ability to compromise secure infrastructure point to a nation-state actor.

“This actor is quite serious and quite capable,” said John Hultquist, chief analyst of Google’s Mandiant threat intelligence division. “Many of the performers will be posing threats. This one can carry out those threats.”

These attacks signal that cyberwar is changing. By targeting economic lifelines, these operations go beyond data theft or ransomware and aim to destabilize, disrupt, and disable. Destroying $90 million worth of cryptocurrency assets was more than financial damage; it was a loud geopolitical statement.

It is no secret that Iran depends on websites like Nobitex to get around restrictions. By eliminating those assets and disrupting banking systems, Predatory Sparrow may have struck a crucial workaround Iran uses to stay afloat.

“Who’s next?” The hackers’ last words summed up everything. The warning is clear. And this time it was not empty rhetoric; it had real impact and permanent consequences.