Predatory Sparrow
Predatory Sparrow, also known as Gonjeshke Darande, is a pro-Israel threat actor that has conducted disruptive and destructive cyber operations against Iranian targets since at least 2021. Multiple sources describe it as a purported hacktivist group while also noting suspected state links and a frequent public assessment that it is linked to Israel; some reporting specifically describes it as a suspected Israeli nation-state threat actor posing as an Iranian opposition hacktivist group, but the evidence of direct government control is described as inconclusive. The group has at times claimed to be an Iranian entity defending Iranian citizens against the Islamic Republic. Additional aliases reported for the group are Adalat Ali, Indra, and MeteorExpress.
The group is associated with operations against Iranian rail assets in 2021, Iran's fuel distribution system in October 2021, Iranian state media infrastructure in 2021, an Iranian steel facility in June 2022 that reportedly caused a serious fire, petrol distribution infrastructure in 2021 and 2023, Bank Sepah in June 2025, and the Nobitex cryptocurrency exchange in June 2025. Reported impacts include widespread outages affecting banking and payment services, disruption to fuel stations, destruction or wiping of data, publication of source code and internal documentation, and destructive handling of stolen cryptocurrency.
In June 2025, Predatory Sparrow claimed responsibility for a cyberattack on Bank Sepah, accusing the bank of helping fund Iran's military, terrorist proxies, ballistic missile program, and military nuclear program. The operation reportedly caused widespread service outages that prevented customers from accessing accounts, withdrawing cash, or using bank cards, and also affected gas stations relying on the bank's payment infrastructure. Reporting states that the claimed destruction of Bank Sepah data is consistent with the group's past use of wiper malware.
One day later, the group claimed it had breached Nobitex, Iran's largest cryptocurrency exchange, stealing roughly $90 million in digital assets. Reporting states that the funds were sent to vanity addresses containing variations of anti-IRGC phrases, effectively burning the assets, and that Predatory Sparrow also posted Nobitex source code and internal documentation on X. The group claimed Nobitex was central to the Iranian regime's sanctions evasion and terror financing efforts.
Earlier operations attributed to or claimed by Predatory Sparrow include the October 2021 attack on Iran's fuel distribution system, which disrupted subsidized fuel card processing and affected thousands of gas stations, with messages such as "cyberattack 64411" and protest-themed billboard text appearing on affected systems. The group also claimed a June 27, 2022 attack on an Iranian steel production facility that reportedly caused a serious fire.
Across the available reporting, Predatory Sparrow is characterized as capable of sophisticated, coordinated operations sustained over several years, with disciplined messaging and a focus on Iranian critical infrastructure and financial systems.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they target
Geographies tied to known operations.
- 🇮🇷 Iran
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Claimed responsibility for breaching Nobitex, stealing approximately $90 million in digital assets, and leaving politically themed messages.
Conducted a breach of Iran’s Nobitex cryptocurrency exchange in June 2025, stealing ~USD 90M and subsequently leaking internal source code, configuration files, and documentation—exposing the exchange’s custody architecture and controls.
Pro-Israel cyber actor cited as conducting destructive and financially damaging operations against Iranian targets, including wiping Bank Sepah data and destroying (burning) stolen cryptocurrency tied to Nobitex; also associated with high-impact information operations during the conflict period.
Israel-linked activity cluster referenced in connection with disruptive cyberattacks on Iranian critical and industrial sectors (fuel distribution, steel, and financial institutions).