Predatory Sparrow Wiped a Bank, Burned $90M in Crypto, and Hacked a Prayer App. Meet Israel's Most Effective Weapon.
A single cyber group attributed to Israeli intelligence has wiped Iran's oldest military bank, burned $90 million from its largest crypto exchange, hacked a prayer app during Ramadan, disrupted 4,000 gas stations twice, and set a steel mill on fire remotely. Predatory Sparrow doesn't make headlines. It makes damage.

The operational record, in chronological order:
October 2021: 4,300 gas stations across Iran lose their payment systems simultaneously. Customers can't pay. Lines form for days. The group broadcasts a message on gas station display screens with a phone number for Khamenei's office.
June 2022: Three steel mills in Khuzestan province. The group penetrates the industrial control systems and causes a serious fire at the Mobarakeh Steel Company. They publish CCTV footage of the fire, proving they were watching from inside the facility's own cameras.
December 2023: Gas stations again. 4,000 stations hit. This time the group specifically targets the subsidy distribution system, disrupting the government's ability to provide subsidized fuel. More sophisticated than the 2021 attack. Different systems targeted.
June 17, 2025: Bank Sepah. Iran's oldest bank, founded 1925, $15.6 billion in assets. Customer data, transaction records, account balances: erased. The attack wasn't ransomware. There was no demand. Pure destruction. Bank Sepah serves the Iranian military and defense procurement network. Military payroll went dark. ATMs failed nationwide.
June 18, 2025: Nobitex. Iran's largest cryptocurrency exchange. $90 million in assets sent to inaccessible wallet addresses. Burned, not stolen. Iran's crypto economy ($7.8 billion, IRGC controlling 50%+ of inflows) was a known vulnerability. The attack degraded the financial infrastructure that funds missile production.
February 28, 2026: BadeSaba. A mobile prayer app used by millions of Iranians. Hacked at 9:52 AM on the first day of strikes to broadcast anti-regime messages during Ramadan. The symbolism was precision-targeted for maximum psychological impact.
Predatory Sparrow (its Farsi name is transliterated as "Gonjeshke Darande") is widely attributed to Israeli intelligence, specifically Unit 8200 or a related entity. Israel has never confirmed or denied the attribution. The group operates with a level of sophistication and strategic alignment that rules out criminal or hacktivist origin. Every target serves Israeli strategic interests. Every operation is timed for maximum disruption.
The group's operational signature: they don't just attack. They prove they were inside. Published CCTV footage from the steel mill. Broadcast messages through the gas station screens. The BadeSaba hack during Ramadan. Each operation includes a calling card that says: we were here, we watched, we chose when to strike. The psychological dimension is as deliberate as the technical one.
FAQ
Is Predatory Sparrow government or private?
Almost certainly government-linked (Israeli intelligence). The targeting alignment (Iranian military banking, IRGC crypto infrastructure, strategic industrial systems) matches national security objectives. The operational security (no leaks, no arrests, sustained multi-year campaign) exceeds private capability. The group is either a Unit 8200 operation or operates under Unit 8200 direction.
Why didn't Iran prevent these attacks?
Iran's cyber defense is significantly weaker than its cyber offense. The IRGC's APT groups (APT33/34/35) are capable of attacking foreign targets, but defending domestic infrastructure requires different skills, investment, and organizational culture. Iran's critical infrastructure uses outdated SCADA systems, poorly segmented networks, and insufficient patch management. Predatory Sparrow exploits systemic weaknesses, not one-time vulnerabilities.
Could Predatory Sparrow target other countries?
The group has only targeted Iran. But the capabilities demonstrated (industrial control system manipulation, financial system destruction, mass communications hijacking) are transferable. Any country with similar infrastructure vulnerabilities could theoretically be targeted. The limiting factor is not capability but political authorization.



