An anti-Iranian hacking group with possible ties to Israel announced an attack on one of Iran's largest cryptocurrency exchanges on Wednesday, destroying nearly $90 million and threatening to expose the platform's source code.

A group known as Gonjeshke Darande, or “Predatory Sparrow,” claimed the attack, making it the group's second operation in two days. On Tuesday the group claimed to have destroyed data at Iran’s state-owned Bank Sepah amid the increasing hostilities and missile attacks between Israel and Iran.

Wednesday’s attack targeted Nobitex, one of Iran’s largest cryptocurrency exchanges. The platform allegedly helps the Iranian government avoid sanctions and finance illicit operations around the world, the hackers claimed in a message posted to its social media channels early Wednesday.

Nobitex’s website was unavailable Wednesday. Messages sent to the company’s support channel on Telegram were not returned. Gonjeshke Darande did not respond to requests for comment. Nobitex said in a post on X that it had pulled its website and app offline as it reviewed “unauthorized access” to its systems.

Gonjeshke Darande is an established hacking group with a history of sophisticated cyberattacks targeting Iran. A 2021 operation claimed by the group caused widespread gas station outages, while a 2022 attack targeting an Iranian steel mill caused a large fire and tangible, offline damage.

Israel has never formally acknowledged that it is behind the group, although Israeli media has widely reported Gonjeshke Darande as “Israel-linked.”

Wednesday's attack started in the early hours of the morning when funds were moved to hacker-controlled wallets denouncing the Islamic Revolutionary Guard Corps (IRGC), according to blockchain analysis firm TRM Labs, which pegged the total theft at about $90 million across multiple types of cryptocurrencies. The way the hacker-controlled wallets were created suggests the hackers would not be able to access the stolen money, meaning that the hackers “effectively burned the funds in order to send Nobitex a political message,” blockchain analysis firm Elliptic said in a blog post. Elliptic’s post shared evidence that Nobitex had sent and received funds to cryptocurrency wallets controlled by groups hostile to Israel, including Palestinian Islamic Jihad, Hamas and Yemen's Houthis.

Senators Elizabeth Warren and Angus King had raised concerns about Nobitex's role in enabling Iranian sanctions evasion in a May 2024 letter to top Biden administration officials, citing Reuters' reporting from 2022. Andrew Fierman, head of national security intelligence with Chainalysis, confirmed in an email to Reuters that the value of the attack was roughly $90 million and that it was likely geopolitically motivated, given that the money was burned.

Chainalysis has “previously seen IRGC-affiliated ransomware actors leveraging Nobitex to cash out proceeds, and other IRGC proxy groups leveraging the platform,” Fierman said.