
Who Are Gonjeshke Darande? The Hackers Behind Iran’s Largest Crypto Heist

Updated by Mohammad Shahid

In Brief

  • Gonjeshke Darande is a covert hacker group linked to Israel, targeting Iranian infrastructure through high-impact cyberattacks.
  • In addition to the Nobitex crypto exchange, the group also targeted Bank Sepah, an Iranian state-owned bank.
  • The group has been active for at least 5 years, previously targeting Iran’s steel plants and railway systems, marking a growing front in cyber warfare.

The Israel-Iran war moved on-chain this week, after a pro-Israeli hacker group called Gonjeshke Darande exploited Iran’s largest crypto exchange, Nobitex, to steal nearly $90 million.

The group later burned all of the funds, framing the hack as a politically motivated attempt to disrupt Iran’s ability to evade sanctions via crypto. But who are Gonjeshke Darande?

Everything to Know about the Mysterious ‘Predatory Sparrow’

Gonjeshke Darande, or Predatory Sparrow, is a highly sophisticated, politically motivated cyberattack group. Security analysts and government officials believe they have strong links to Israel.

Their attacks typically target Iranian infrastructure, financial systems, and government-linked entities.

While Israel has not officially claimed responsibility for Gonjeshke Darande’s operations, security firms and intelligence communities broadly view the group as Israeli-affiliated.

This is due to their targets, methods, and overtly political messaging.

Meaning of the Name “Gonjeshke Darande”

  • “Gonjeshke Darande” translates literally to “Predatory Sparrow” in Farsi.
  • The term symbolizes a small yet fierce bird capable of surprising attacks, a fitting metaphor for a hacker group conducting sudden, targeted cyber strikes.
  • Their choice of a distinctly Iranian name likely serves both to mock Iranian cybersecurity defenses and to deliver symbolic messaging directly to the Iranian regime.

History of Cyberattacks Linked to Gonjeshke Darande

Gonjeshke Darande has a relatively brief but significant history of impactful cyber operations, primarily against Iranian infrastructure and financial systems:

June 2025: Nobitex Crypto Exchange Attack

As BeInCrypto reported, the group hacked into Iran’s leading crypto exchange, Nobitex. 

Funds were transferred to vanity wallets with anti-IRGC (Islamic Revolutionary Guard Corps) messages, rendering the crypto permanently inaccessible.

Also, Nobitex was suspected by the West of being involved in money laundering and sanctions evasion.

May 2025: Attack on Bank Sepah

Shortly before the Nobitex attack, Gonjeshke Darande compromised systems at Bank Sepah, a state-owned Iranian bank.

More notably, they disrupted banking services and leaked sensitive financial data online. The aim was to expose Iranian government financial dealings and disrupt state-backed economic activities.

Announcement from the Hackers after Exploiting Bank Sepah. Source: X

October 2022: Iranian Steel Plant Attacks

  • Gonjeshke Darande previously gained significant international attention after attacking three major Iranian steel factories: Khuzestan Steel Company, Mobarakeh Steel Company, and Hormozgan Steel Company.
  • They claimed responsibility publicly, releasing footage showing the steel plants on fire, causing physical and economic damage and embarrassment for Iran.

July 2021: Attack on Iranian Railways

  • The group hacked Iranian Railways’ digital information systems, causing train delays and disruptions and posting mocking messages on display boards across the country.
  • This attack humiliated Iranian cybersecurity officials and demonstrated the group’s willingness to target critical civilian infrastructure.

Digital Footprints and Tactics

The group maintains a low public profile, but it notably releases high-quality videos, websites, and online messages claiming responsibility. Their digital fingerprints often include:

  • Vanity Wallets and Defacement: Attackers use crypto vanity addresses embedded with political messages against the Iranian regime.
  • Social Media and Telegram Messaging: They frequently post announcements, videos, and leak documents via anonymous Telegram channels, sharing proof of successful operations.
  • Professional-quality Video Releases: Unlike typical anonymous hacker groups, Gonjeshke Darande releases professionally edited videos showcasing cyberattack results, hinting at substantial financial backing and operational sophistication.

Cybersecurity firm SentinelOne and analysis groups like Check Point Research have suggested Israel as the likely state sponsor behind Gonjeshke Darande.

However, Israel has neither confirmed nor denied these claims.

Iran officially accuses Israel and the Israeli intelligence agency Mossad of orchestrating these cyberattacks. But again, there has been no tangible proof of these allegations. 

Cybersecurity researchers expect continued high-impact cyberattacks against Iranian targets from Gonjeshke Darande, particularly if geopolitical tensions continue to escalate. 

Concerningly, crypto exchanges and Iranian state-linked banks remain primary potential targets.

Due to the group’s advanced capabilities and resources, cybersecurity analysts globally monitor its activities closely. 

Overall, if the current conflict lasts longer, it might have broader implications for cyber warfare and state-sponsored digital conflicts.



Mohammad Shahid
Mohammad Shahid is an experienced crypto journalist with a specialization in blockchain security. He covers a wide range of topics spanning everything from Web3 to retail crypto. As an experienced freelance journalist, he has worked on campaigns for several tier-1 exchanges, such as Bitget, and startups, including RankFi and HAQQ. Mohammad comes from an extensive technical background, with a master’s degree in Cyber Security Analysis from Macquarie University, where he majored in...