Israeli hackers steal $90m Iranian crypto – and ‘burn’ it

Predatory Sparrow group that targeted Iran’s largest crypto exchange may be sponsored by Israel as part of country’s political war


A group of pro-Israel hackers known as Predatory Sparrow targeted Iran’s largest crypto exchange last Wednesday, stealing roughly $90m (£67m). Then they did something extraordinary: rather than keep the money, in effect they destroyed it. Blockchain analysis shows the $90m was transferred to wallets that can never be accessed because no one holds the keys.

As Israel orchestrates an attack on Iranian nuclear targets it may also be coordinating a campaign in cyberspace. Multiple sources told The Observer that the crypto exchange attack was the clearest sign yet that Predatory Sparrow, long rumoured to be backed by the Israeli military, is a state-sponsored group.

Cybersecurity researcher Costin Raiu said: “They could have very easily kept the $90m and used [it] to boost their operations. The fact that they burned [the money] to me is an indication that they have a separate budget, probably, which is way bigger than $90m.”

While hackers may have destroyed the money to avoid being traced, said Tom Robinson, co-founder of the crypto tracing firm Elliptic, it’s just as likely that the move was political: “[It] is also a powerful statement.”

Predatory Sparrow emerged in 2019 and operates under a series of personas. Though it does not have the name recognition of hacktivist collective Anonymous, it is well-known in cybersecurity circles for its military-grade, geopolitically motivated attacks. The group is behind a number of hacks in Iran, including one in 2022 on a steel mill, which caused a serious fire after one of the factory’s machines began to spew molten metal on to the factory floor.

Nation states tend to “engage in cyber-espionage – what intelligence analysts call computer network exploitation,” Raiu says. But Predatory Sparrow is set apart by its “destructive” operations, often deleting data or causing damage. On Tuesday – a day before the attack on the Iranian crypto exchange – Predatory Sparrow took credit for destroying data at Iran’s state-owned Bank Sepah.

An Israeli official would not comment on whether the recent cyber-attacks were linked to the Israeli military, but noted that the country is engaged in “multidimensional warfare”, given that it is “dealing with an enormous, complicated threat”. Another senior source working in Israeli cyber would not confirm whether Predatory Sparrow is backed by Israel, but hinted that the group’s advanced capabilities speak for themselves.

The Israeli intelligence service, Mossad, is known to have sophisticated cyber skills, as does the Israel Defense Forces’ Unit 8200. Mossad and Unit 8200 were both linked to the Stuxnet attack, which damaged the Iranian nuclear programme in 2010, though neither confirmed their involvement. It pays to maintain ambiguity, says the Israeli cyber source: “We don’t have international laws for the cybernetic world.”

Could the spate of attacks signal the start of an all-out cyber war? Not quite. According to Ciaran Martin, former CEO of the National Cyber Security Centre, “cyber can be quite a limited tool in this type of conflict”. The attacks on both Sepah Bank and the crypto exchange are sophisticated. Analysts say it would likely take months, if not years, of planning to cause maximum disruption. This means other large-scale operations are unlikely to follow in the short term.

While Iran is home to sophisticated hackers, they do not match Israel’s capabilities or resources. A number of efforts to cause damage over the years have failed, including a 2020 attempt to flood the Israeli water supply with chlorine that was intercepted by Israel.

Iran’s most successful hack abroad was in 2012, when hackers destroyed thousands of hard drives belonging to Saudi Arabia’s national oil company, plunging it briefly into crisis. “But coordinating such an operation – especially if you haven’t done the preparation – is hard if you’re in bunkers trying not to be killed by targeted Israeli strikes,” said Martin.

In war, the analysts say, bombs will always be more effective than hacks. But the Israeli cyber source adds that, today, every act of kinetic warfare involves sophisticated cyber capabilities – from espionage that helps the military plan attacks, to AI software that directs drones. We are firmly in the era of hybrid warfare.

