Crypto Turned to Ash: Predatory Sparrow’s New Strategy in Iran

  • September 3, 2025
  • Technology

Iran’s financial system suffered significant damage this week following two devastating strikes by a hacker group thought to be connected to Israel, starkly reminding us how cyberattacks are changing modern warfare. Known as Predatory Sparrow, the group claimed responsibility for erasing data from Sepah Bank, one of the main financial institutions in Iran, and disabling Nobitex, the top cryptocurrency exchange in the nation. Unlike usual cyberattacks driven by financial gain, this was a deliberate digital sabotage campaign.

The attack on Nobitex was particularly remarkable. According to blockchain forensics company Elliptic, the hackers destroyed almost $90 million worth of cryptocurrency. They moved money into wallet addresses bearing phrases like “FuckIRGCterrorists.” These are sometimes referred to as vanity addresses, that is, addresses tailored and purposefully created to prevent asset recovery. In other words, the money was not stolen. It was burned.

Elliptic co-founder Tom Robinson characterised the attack as politically motivated rather than driven by money. “The crypto they stole has essentially burned,” he said. “This is about sabotage, not profit.” The group's official statement echoed this, accusing Nobitex of supporting efforts by the Iranian government to evade sanctions and finance terrorism. Its admonition to users was direct: “Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.”

Research by Elliptic’s team supported these assertions by exposing blockchain links between Nobitex and a network of sanctioned agents comprising operatives from the Islamic Revolutionary Guard Corps (IRGC), Hamas, and the Houthis. The implication is that Nobitex is a strategic and symbolic target for Predatory Sparrow because it has long been a tool in the Iranian government's attempts to work around global restrictions.

Still, the group did not stop there.

Sepah Bank caught their eye later that same day. They said in a statement that they had totally wrecked the bank's data infrastructure. To support this, they uploaded records online, purportedly showing strong financial cooperation between Sepah and Iran’s military. “Caution: Associating with the instruments of the regime for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” their post concluded. Who is next?

Sepah’s website crashed after the attack but returned one day later. The Nobitex website stayed offline in the meantime. Neither organization has made an official statement, and Iranian official media have been mostly quiet on the matter, leaving the actual extent of the damage done behind closed doors unclear.

The civilian fallout is already underway. Cybersecurity researcher Hamid Kashfi, who founded DarkCell from Sweden, said he heard from contacts in Iran who complained that Sepah's ATMs and online banking have been unusable since the attack. “There is a lot of collateral damage here,” he said. People are unable to obtain their money. For those who have nothing to do with regime politics, that is also a genuine crisis.

High-impact cyberattacks are not new for Predatory Sparrow. The group has already taken down Iran’s railway systems and disrupted fuel distribution by disabling gas station payment networks, and in 2022 a hack of a steel plant’s control systems caused a near-fatal industrial disaster resulting in a significant molten metal leak. Recorded and shared by the hackers themselves, that attack revealed just how far the group is ready, and able, to go.

Though they claim to be a grassroots Iranian hacktivist group, most cybersecurity experts agree that Predatory Sparrow is closely connected to Israel’s military or intelligence network. The precision, the political targets, and the depth of the attacks all suggest a high degree of operational support.

“This is a group that doesn’t bluff,” said John Hultquist, chief analyst at Google’s threat intelligence division. “They are quite competent; when they warn, they usually follow through.”

Targeting conventional banking as well as bitcoin infrastructure points to a change in cyberwarfare strategy. It’s about upsetting the financial systems keeping a country running, not only about numbers. In Iran’s case, it is a deliberate attempt to cut off the government from the instruments it employs to survive economically under sanctions.

The risk of more cyberattacks rises along with the mounting hostilities between Iran and Israel. Now the issue is not whether another strike will take place but rather who the next target will be. And how much more damage will be done?