Following two devastating cyberattacks this week by Predatory Sparrow, a hacker group with a mounting record of damage and suspected links to Israeli intelligence, Iran’s financial stability is under siege. Targeting the biggest bitcoin exchange in the nation, Nobitex, and major state-run financial institution Sepah Bank in a one-two punch, the group left millions in chaos and raised questions regarding the vulnerability of Iran’s digital infrastructure.

The first attack hit Nobitex, and it had nothing to do with cryptocurrency theft. It had to do with eradicating it.

Blockchain forensics company Elliptic claims that hackers moved more than $90 million worth of digital assets into supposedly vanity addresses. Politically charged words like “FuckIRGCterrorists,” which signal not only the group’s goals but also its defiance, were tailored into these wallets. Funds sent to these kinds of addresses are unreachable permanently. That cryptocurrency is gone, precisely burned.

“This attack was about politics, not profit,” said co-founder of Elliptic Tom Robinson. “The crypto they pilfers has burned rather nicely. This is among the most obvious acts of financial sabotage we have seen in the crypto realm.

Predatory Sparrow accused Nobitex of supporting terrorism, particularly via ties to the Islamic Revolutionary Guard Corps (IRGC), Hamas, Yemen’s Houthi rebels, and Palestinian Islamic Jihad, so enabling the Iranian government to evade sanctions. Research by Elliptic revealed that wallets connected to approved groups had dealt with Nobitex.

The Nobitex website went down soon after the hack. The platform has not responded publicly, thus users are left wondering whether their possessions are safe or if they have also been deleted.

Still, the attack on Nobitex was just a component of a more extensive campaign.

Within hours, Predatory Sparrow claimed responsibility for a second strike—this one on Sepah Bank, among Iran’s most powerful and oldest financial institutions. The group claimed to have destroyed all internal systems at the bank and produced records allegedly linking Sepah to Iran’s nuclear and missile development programs.

The message of the group had a clear tone: “Caution: Your long-term financial situation suffers when you support the instruments of the government for avoiding sanctions and fund its nuclear program and ballistic missiles. Next is who?

Iranian cybersecurity specialist Hamid Kashfi, who now resides in Sweden, told reporters he has heard from several sources in Iran that Sepah Bank’s online banking and ATM operations are still down. “There’s actual ground disturbance,” Kashfi said. This is not only an attack on establishments. The effect is on the civilians. Individuals cannot access their money.

Though the extent of the damage is yet unknown, the effects are being felt. Although Sepah Bank’s public website is now back online, normal banking activities have not entirely resumed, particularly outside Tehran.

Predatory Sparrow has made Iran’s digital infrastructure a battlefield before now. By tampering with industrial control systems, the group has already disabled thousands of gas station payment systems, disrupted the national railway network, and even started a fire at a steel mill. That 2022 steel mill attack was especially dramatic: molten steel spilled across the floor, almost killing workers. The group sent video evidence attesting to their participation.

Although Predatory Sparrow presents itself as a grassroots Iranian resistance group, most cybersecurity experts agree it is most likely a front for Israeli cyber operations. Its accuracy, resources, and intelligence access point to state-level support.

“This is not just another hacktivist group,” said Google’s Mandiant chief analyst John Hultquist. They have a track record of following through and a playbook of military quality.

As a workaround for its severely sanctioned economy, Iran has turned to cryptocurrencies more and more. A key component of this approach, Nobitex provides a means for both state actors and citizens to migrate funds electronically. Eliminating $90 million in cryptocurrencies from the platform, Predatory Sparrow made it abundantly clear: those paths are unsafe.

Sepah Bank, meantime, stands for Iran’s conventional state-sponsored financial capability. Its connections to defense projects make it a natural target, but the effects of its closing are being felt much outside of government buildings.

Digital attacks can strike in the modern world with the power of bombs. And given Predatory Sparrow’s ominous last words, “Who’s next?” there is every hint that more strikes could be forthcoming.