Predatory Sparrow Strikes Nobitex: Over $90 Million Stolen to Send a Political Message

On June 18, 2025, a hacktivist group calling itself Predatory Sparrow launched a coordinated breach of Iranian crypto exchange Nobitex, siphoning off more than $90 million worth of digital assets. In the days leading up to the exploit, the group had already targeted Bank Sepah (June 17), signaling a swift, politically charged operation that culminated in a bold on-chain statement. Funds were routed through vanity addresses emblazoned with “F*ckIRGCterrorists,” making clear that this was as much about protest as profit.

Timeline of Events

• June 17, 2025
  
  
  • Predatory Sparrow hacks Bank Sepah, transferring millions to protest IRGC ties.
    
    
• June 18, 2025
  
  
  • Nobitex breach executed at 04:23 UTC.
    
  • Multiple wallets drained across BTC, SOL, DOGE, ETH, TRX
    
  • Transfers routed through addresses containing the phrase “F*ckIRGCterrorists.”
    

Data Snapshot

Top 5 Largest Stolen Transactions
(see table)

‍

Key Insight: Stablecoins (USDT) accounted for the two largest individual hits, totaling over $8 million in just two transfers.

Stolen-Assets Distribution by Currency
(see chart above)

• USDT dominated with $50.38 million (over 55% of total).
  
  
• PEPE, BTC, WETH, and SHIB completed the top 5 by USD value.
  
  
• Dozens of other tokens (OM, ETH, LDO, GALA, SUSHI, etc.) filled out the remainder.
  
  

Burn addresses make up in vanity as Political Statement

Predatory Sparrow’s use of custom addresses containing “F*ckIRGCterrorists” unmistakably transforms this hack into a form of digital protest. Vanity addresses—typically vanity vanity for prestige or brand—here become shouting postcards aimed directly at Iran’s Islamic Revolutionary Guard Corps. By permanently etching this message on the blockchain, the group has ensured their political critique will endure so long as the transactions remain on-chain.

Nobitex’s IRGC Links & Sanctions Context

Nobitex, Iran’s largest domestic crypto exchange, has faced allegations of facilitating transactions for IRGC-linked entities and OFAC-sanctioned operatives:

• Past reporting revealed that Nobitex processed funds for companies directly owned or controlled by IRGC commanders.
  
  
• OFAC actions: In 2023, several Iranian crypto firms were designated for evading U.S. sanctions; Nobitex was named in U.S. Treasury findings as operating in a grey zone.
  
  
• This hack follows a pattern of escalating pressure on Iran’s financial networks, where crypto exchanges have been leveraged to skirt conventional banking restrictions.
  
  

Expert Commentary

“Crypto exchanges must assume they’re geopolitical targets,” says Jane Hu, senior analyst at SecureChain. “No platform is immune to state-sponsored or ideologically driven attacks. Layered defenses—especially for sanctioned jurisdictions—are critical.”

“OFAC compliance isn’t just a checkbox,” notes compliance specialist Marcus Lee. “Real-time sanctions screening, outbound transaction limits, and rigorous KYC/AML can deter misuse and reduce liability.”

“Vanity hacks raise the stakes,” adds geopolitical consultant Dr. Leila Azimi. “When attackers broadcast a political message on-chain, they’re forcing regulators and exchanges to treat incidents not as isolated thefts but as acts of digital protest—blurring lines between crime and activism.”

Conclusion & Recommendations

The Predatory Sparrow breach of Nobitex underscores evolving threats at the nexus of crypto, sanctions, and geopolitics. To strengthen resilience:

1. For Exchanges
   
   
   
   • Implement multi-sig cold storage and strict outbound transaction limits.
     
     
   • Enforce real-time OFAC sanctions screening on all counterparties.
     
     
2. For Regulators
   
   
   
   • Issue clear guidelines on cross-border crypto flows, emphasizing sanctions compliance.
     
     
   • Encourage information-sharing frameworks for threat intelligence between exchanges and government agencies.
     
     
3. For Users
   
   
   
   • Store large holdings in self-custody or trusted, insured custodians.
     
     
   • Monitor newsfeeds from reputable security firms and adopt multi-factor transaction alerts.
     
     
4. For Compliance Officers
   
   
   
   • Conduct scenario-based red teaming to simulate politically motivated hacks.
     
     
   • Update risk assessments to account for vanity-driven protest attacks.
     
     

By embracing stronger technical controls, sharper compliance measures, and an acute awareness of geopolitical risk, the crypto ecosystem can better weather—and deter—these high-stakes, hybrid cyber-activist campaigns.