As the conflict between Israel and Iran approaches the first-week mark, both countries are leaning into cyberspace to launch attacks.
A possible Israeli-linked hacking group has claimed responsibility for disrupting operations at an Iranian bank and flooding the crypto market with approximately $90 million (€77 million) in stolen funds.
Meanwhile, Israeli officials reported fake messages sent to the public alerting them of terrorist attacks against bomb shelters to sow panic.
Both countries are also known for having a long history of cyberattacks against each other, according to US-based cybersecurity firm Radware.
“In the days since the fighting began, government-backed hackers, patriotic hacktivists, online propagandists, and opportunistic cybercriminals have all been active,” the company said in its threat alert dated June 18.
Israeli-linked group target bank and crypto exchange
The anti-Iranian hacking group with possible ties to Israel,Gonjeshke Darande, or “Predatory Sparrow,” claimed an attack on one of Iran’s most prominent banks, Bank Sepah, this week, according to a statement they published on X.
Iranian media reported at the time that people had difficulties accessing their accounts, withdrawing cash or using their bank cards.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Bank Sepah in 2018 for supporting Iran’s military.
The hacking group then went after Nobitex, one of Iran’s main cryptocurrency exchanges. The group claimed they burned $90 million from accounts that belong to the Israeli regime and, by Thursday morning, had posted the source code for the platform.
In a statement on X posted on Wednesday, Nobitex claimed that the assets were transferred to a wallet “composed of arbitrary characters,” an approach they say “deviates significantly from conventional crypto exchange hacks”.
“It is clear the intention behind this attack was to harm the peace of mind and assets of our fellow citizens under false pretences,” Nobitex wrote.
Nobitex estimates the amount stolen is closer to $100 million (€87 million)
The Iranian government has asked people to delete the social messaging app WhatsApp and has begun internet blackouts that have taken the country offline for “over 12 hours” due to “Israel’s alleged ‘misuse’ of the network for military purposes,” according to internet monitoring companies Netblocks and Censys.
Iran’s Tasnim News Agency, a news service associated with the Iranian military, claimed the Internet blackouts are “temporary” due to the “special conditions of the country,” and that it will come back when the “situation returns to normal”.
Other attacks against Iran from Gonjeshke Darande
Gonjeshke Darande has been linked to other cyber attacks in Iran, like the 2010 Stuxnet attack.
Stuxnet was a computer virus that damaged or destroyed the centrifuges, a key component used to enrich uranium, at Iran’s uranium enrichment facilities in Natanz, one of the facilities targeted in the recent missile fire from Israel.
US media reports believe Stuxnet was carried out by Israel with support from the United States, who built the program. It’s also believed that Israel’s Defence Forces Unit 8200 was involved in the attack, according to Reuters.
Gonjeshke Darande has also taken credit for other cyber attacks against Iran, such as the 2022 attack on Iran’s steel plants and the 2023 attack on gas stations.
At the time of the steel plant cyber attacks, Gonjeshke Darande released on social media what they called “top secret documents and tens of thousands of emails” from Iran’s three leading companies to show how the firms were working with the Islamic Revolutionary Guard Corps, a primary branch of Iran’s military.
Cyber attacks against Israel up 700 per cent, local media reports
Israeli media reported people receiving fraudulent text messages claiming to come from the Israeli Defence Forces (IDF) Home Front Command that warned of attacks onbomb shelters.
The messages from OREFAlert were identified as fake by the Israeli authorities, who claim pro-Iranian groups are behind it as a way to sow panic during the operation against the Iranian military, called Operation Rising Lion.
Another fake message circulated that said fuel supplies would be suspended for 24 hours, according to the Jerusalem Post.
Ron Meyran, the VP of Cyber Threat Intelligence at US-based cybersecurity firm Radware, told the newspaper that there was a 700 per cent increase in cyberattacks against Israel in the first two days of the conflict with Iran, which comes from cyber retaliation from Iranian state actors.
Those actions include infiltration attempts targeting critical infrastructure, data theft and malware distribution, Meyran added. Euronews Next reached out to Radware to independently confirm these numbers but did not hear back at the time of publication.
A report from Radware says it expects Iran to make use of “its well-developed network of fake social media personas to shape perceptions of the conflict.”
“During this crisis, observers have seen pro-Iran bot accounts amplifying hashtags about alleged Israeli atrocities and portraying Iran's actions as defensive,” the report said.
The bots “frequently pose as ordinary citizens to make the messaging more persuasive,” it added.
Iran has 'considerable number' of threat groups, report says
Radware also noted in its report that at least 60 of the 100 hacktivist groups that have sprung up since the start of the conflict last week are pro-Iran and are either from the Middle East or Asia.
These groups have launched 30 denial of service (DDos) attacks per day against Israel that disrupt normal traffic to a website, Radware found. Some of these groups have also threatened cyber attacks against the United Kingdom and the United States if leadership there decides to “join the war against Iran”.
Iran has a “considerable number” of state-sponsored threat groups that have targeted Israel in the past, like Muddy Water, APT35 (OilRig), APT35 (Charming Kitten) and APT39 (Remix Kitten), the Radware report continued.
These groups, with the help of Iran’s Islamic Revolutionary Guard Corps, have targeted Israeli infrastructure, conducted malware campaigns and cyberespionage according to local media.
These cyber attacks increased following the start of the conflict between Israel and Hamas in Gaza in 2023, according to a 2024 report by Microsoft.
