Predatory Sparrow
Pro-Israel hacktivist persona widely assessed by researchers and Israeli media as linked to Israeli military intelligence, though no government has publicly confirmed the relationship. Has claimed responsibility for a series of physically consequential cyber-physical attacks against Iranian infrastructure: the July 2021 Iranian railway disruption, the October 2021 nationwide gas-station outage, the 27 June 2022 fire at the Khouzestan steel mill (caught on internal CCTV footage that the group released), the December 2023 second gas-station outage, and the June 2025 attacks on Bank Sepah and the Nobitex cryptocurrency exchange.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
2 events
- Compromise · High · 2025-06-17 · TechCrunch
Predatory Sparrow attacks Bank Sepah and Nobitex crypto exchange
Predatory Sparrow claimed responsibility for compromises of two major Iranian financial institutions amid the broader June 2025 Israel-Iran exchange of strikes. The Bank Sepah attack disrupted retail banking services nationwide; the Nobitex incident leaked the cryptocurrency exchange's internal codebase and saw $90M+ of customer funds burned to dead addresses with vanity prefixes (e.g. F***IRGC) — an ostentatious anti-IRGC signal rather than a financially motivated theft.
Tags: financial, cryptocurrency, iran, information-operations
- Compromise · Critical · 2022-06-27 · WIRED
Predatory Sparrow caused fire at Iran's Khouzestan steel mill
Predatory Sparrow (Gonjeshke Darande) claimed responsibility for a cyber-physical attack at Iran's Khouzestan Steel Company that caused a major industrial fire. The group released internal CCTV footage from inside the mill showing the moment a vat of molten metal overflowed onto the factory floor, sparking the blaze — among the most consequential public cyber-physical attacks attributed to any actor outside the Sandworm Industroyer / Ukrainian power-grid lineage.
Tags: cyber-physical, ics, iran, destructive
Indicators of compromise
2 indicators

| Type | Value | First seen | Source |
|---|---|---|---|
| SHA-256 | Family: Meteor. 'Meteor' wiper sample documented in Check Point Research's August 2021 analysis of the 9-10 July 2021 cyberattack on Iranian Railways and the Ministry of Roads and Urban Development. The payload 'msapp.exe' writes 'Meteor has started.' to its encrypted log file, locks the host and wipes contents. Check Point ties the campaign to a self-identified 'Indra' persona that the wider community tracks as Predatory Sparrow / Gonjeshke Darande. | Jul 8, 2021 | Check Point Research |
| SHA-256 | Family: Stardust. 'Stardust' wiper variant documented by Check Point Research from earlier Indra/Predatory Sparrow operations against Syrian targets (Katerji Group, Arfada Petroleum, Cham Wings) in 2019-2020. Listed alongside Meteor and Comet in the August 2021 attribution of the Iran Railways attack. | Dec 31, 2019 | Check Point Research |
Related actors
Shared ATT&CK techniques
- IR · Iran · Handala · 2 shared techniques
- RU · Russia · Sandworm · 2 shared techniques
- RU · Russia · Cadet Blizzard · 1 shared technique
- IR · Iran · Homeland Justice · 1 shared technique
- IR · Iran · Void Manticore · 1 shared technique
References
cite this page
Threat Intel Tracker. (2026-05-19). Predatory Sparrow — actor profile. Retrieved from https://threatintel.local/actors/predatory-sparrow