Cyber Threat Actor: Predatory Sparrow

Predatory Sparrow, operating under aliases including Gonjeshk’e Darandeh and Gonjeshke Darande, is a pro-Israel threat actor linked to cyber operations against Iranian entities. Public reporting attributes its activities to Israeli intelligence affiliations. The group has conducted disruptive and financially motivated attacks primarily targeting Iran’s critical infrastructure, financial services, and industrial sectors, citing retaliation for Iran’s regional aggression, alleged support for terrorism, and military programs. Its operations align with geopolitical tensions between Israel and Iran, often framing attacks as proportional responses to perceived threats.

The actor’s campaigns demonstrate a focus on high-impact disruption of civilian and economic infrastructure. Notable operations include the December 2023 attack disabling 70% of Iran’s petrol stations, forcing manual operations, and the June 2022 cyber-physical attack on Khouzestan Steel Company that caused machinery malfunctions and production halts. In 2025, the group breached an Iranian cryptocurrency exchange, stealing $81 million via vanity address exploitation while threatening data leaks, and disrupted banking services at a financial institution tied to Iran’s nuclear programs. Additional operations targeted port logistics systems, with foreign officials assessing greater damage than Iran publicly acknowledged. The group claims to execute attacks with controlled precision to avoid harming emergency services, though its steel plant attack demonstrated destructive physical consequences. Technical specifics of tools remain undocumented in public sources, but operations show deliberate targeting of supply chains and financial systems. Attribution to Israeli state interests is consistently asserted in security analyses and group communications, with the actor threatening escalatory cyber responses to Iranian proxy actions.