Predatory Sparrow

Predatory Sparrow
گنجشک درنده
Formation	c. 2021
Type	Hacker group

Predatory Sparrow publicly emerged in 2021 with a series of attacks on Iranian transit systems.^[5] They portray themselves as a group of Iranian anti-government hacktivists, often using their Farsi name.^[2]^[6] However, Predatory Sparrow is widely believed, including by Israeli media, to be linked to the Israeli government or military.^[3]^[4]^[5] The Israeli government has not confirmed any ties with the group.^[3]

2021

Predatory Sparrow claimed responsibility for a July 2021 cyberattack on Iranian transit systems which disrupted Iranian train services. They also targeted the website of Iran's Ministry of Road and Transport. The group claimed the hack was intended to "express our disgust at the abuses and cruelty inflicted by the government on the Iranian nation".^[5]

Later in 2021, Predatory Sparrow launched a major cyberattack on the Iranian fuel system that left the majority of the country's gas stations unable to process payments.^[4] Attackers also took over digital billboards to display messages critical of the Supreme Leader of Iran.^[5] Two United States defense officials quoted anonymously by the New York Times attributed the attack to Israel.^[7]

2022

On 27 June 2022, Predatory Sparrow hackers were able to compromise industrial control systems at an Iranian steel mill, spilling a large vat of molten steel and causing a fire at the facility.^[6] The spill and fire caused damage to the plant, but no one was hurt. According to the BBC, "it seems [Predatory Sparrow] were at pains to ensure the factory floor was empty before they launched their attack". However, Wired noted that, although Predatory Sparrow emphasized that they orchestrated the attack so as to "protect innocent individuals", several workers narrowly avoided being hit with spilled molten metal.^[4] The attack was one of several targeting three Iranian steel companies, which the group said were in response to "aggression" by Iran.^[4]^[8] The group also published tens of thousands of emails exfiltrated from the steel companies, intended to show their links to the Iranian military.^[4]

The sophistication of the attack triggered additional speculation that Predatory Sparrow was an Israeli state-sponsored military hacking group. Israeli Defense Minister Benny Gantz ordered an investigation into leaks to Israeli journalists that led them to report that the group was state-affiliated.^[8]

2023

Predatory Sparrow again attacked fuel supply systems on 18 December 2023, using a similar attack as in 2021. They published messages claiming the attack was "in response to the aggression of the Islamic Republic and its proxies in the region", referring to the escalating Middle Eastern crisis.^[4]

2025

On 17 June 2025, shortly after Israeli airstrikes against Iran, a Predatory Sparrow cyberattack on Iran's state-owned Bank Sepah disrupted banking services. The group claimed to have destroyed data belonging to the bank, and accused the bank of helping to fund Iran's military.^[9]

The group also claimed responsibility for an attack on the Iranian cryptocurrency exchange Nobitex the following day. In that attack, they stole $90 million in crypto assets, then destroyed the funds by sending them to inaccessible cryptocurrency addresses. The hackers claimed that Nobitex had helped the Iranian government evade sanctions and finance terrorist operations. American cryptocurrency analysis firms Elliptic and Chainalysis corroborated the group's claims that Nobitex had been used by groups hostile to Israel, including Palestinian Islamic Jihad, Hamas, the Houthis, and Islamic Revolutionary Guard Corps-affiliated ransomware groups.^[10]

Predatory Sparrow

History

2021

2022

2023

2025

See also

References

Wikiwand - on