How Israel and Iran brought cyber conflict to centre stage

A residential building in Tehran after an Israeli attack, 26 June 2025. Sadaf Vakilzadeh/Unsplash.

18 July 2025

In the brief but intense war between Israel and Iran from June 13 to June 25 this year, battles raged not only in the skies but across cyberspace too. Soon after Israel launched Operation Rising Lion with drones and airstrikes on Iranian nuclear facilities, the digital front also escalated: over two days on June 17 and 18, the pro-Israel hackers known as Predatory Sparrow (the group uses the Persian name ‘Gonjeshke Darande’) crippled Iran’s Bank Sepah and burned around US$90 million in cryptocurrency from Iranian crypto exchange Nobitex. By hitting Iran’s financial lifelines, the hackers delivered a strategic blow akin to a precision strike, one that could disrupt funding flows and sow domestic chaos without a single missile. The message was clear: cyberpower is no longer peripheral but a core tool of modern warfare.

Predatory Sparrow: state-backed hacktivism or covert cyber forces? 

The takedowns of Bank Sepah and Nobitex do not appear to have been rogue hacks, but rather a cyber extension of Israel’s military campaign. Both financial institutions have links to the Iranian military. The military created Bank Sepah by merging several state-owned banks into one institution; it has since been sanctioned by the US for backing Iran’s Ministry of Defence. Nobitex has been linked to the Islamic Revolutionary Guard Corps (IRGC), IRGC business partners, and relatives of Supreme Leader Ali Khamenei. 

Israeli officials did not openly claim these hacks, maintaining plausible deniability, but experts saw the hallmarks of state coordination. Predatory Sparrow has a track record of aligning with Israeli interests – from paralysing steel plants in 2022 to sabotaging Iran’s fuel distribution in 2023. The attack on Bank Sepah did not just degrade Iran’s financial resilience; it also signalled an uncomfortable truth to Iran’s leadership: Israel can penetrate and disrupt core economic systems at will. 

A report by blockchain analytics firm Elliptic suggests the Nobitex hack was not financially motivated but symbolic. The attackers transferred around US$90 million to crypto wallets with specially crafted vanity addresses that contained anti-IRGC messages. Because of the computational difficulty of generating private keys that match addresses containing such specific, long phrases, the funds are now permanently inaccessible. The operation was meant to send a message.

Predatory Sparrow’s actions look more like those of a deniable unofficial special forces unit than a loose collective of civilian hackers. The group’s public social media posts mirror the language of military operations, framing the attacks as retaliation for IRGC aggression and stressing that they avoided harming ‘innocent civilians’. While hacktivists often act on their own agendas, the synchronisation here – in targets, timing, and strategic effect – suggests high-level coordination. 

Tehran’s digital retaliation: influence operations and perception warfare

Iran’s cyber response during the 12-day war diverged sharply from Israel’s, emphasising perception over destruction. Tehran turned to influence operations designed to intimidate and confuse. This included fake data leaks, spoofed text alerts, and a surge of distributed denial-of-service (DDoS) attacks. Like Israel, Iran has employed hacktivist proxies to conduct cyber operations, allowing plausible deniability and extending its cyber reach.

In the days before Israel attacked, from June 4 to June 12, cybersecurity firm Radware tracked three or four DDoS attacks per day targeting Israel. In the two days following the strikes, the firm reported a 700% increase in cyberattacks against Israeli targets, indicating a sharp escalation in malicious network activity targeting Israeli infrastructure. Iran’s cyber units and affiliated hacktivists inundated Israelis with spoofed alerts warning of imminent fuel shortages or fabricated terrorist threats, mimicking official emergency communications. Experts suggested that Iran may be reserving more disruptive cyber capabilities in case of further escalation.

By thickening the fog of war through disinformation and harassment, the regime in Tehran underscored a grim reality of modern conflict: in cyberspace, perception is a crucial part of the battle. Its primary audience was the domestic public, framing Iran as a victim of Israel and the West, thus justifying its current actions and future retaliation. But the psychological play extended to Israel, aiming to provoke anxiety about possible security breaches and fake emergencies. This strategy reflects a pattern of Tehran inflating its cyber exploits to highlight Iranian strength and reinforce regime stability.

Fuzzy lines between military and civilian domains

The once-sacrosanct boundary between military and civilian domains is increasingly hard to define. Traditionally, banks, stock markets, and fuel stations have been seen as civilian infrastructure; attacking them was considered outside the realm of conventional warfare. But in the grey zone of cyber warfare, these targets have become fair game – partly because cyber tools offer a way to hit them without bloodshed and partly because the interdependence of civilian and military infrastructure has grown. 

During the recent war, economic disruption was not collateral damage; it was a goal. Accompanying physical attacks, Israel-affiliated hackers intentionally damaged financial data and emptied crypto wallets, thus directly weakening Iran’s state apparatus, along with impacting everyday Iranians’ livelihoods. Iran likewise tried to undercut Israel’s economy with both missiles and malware – whether by targeting an oil refinery physically or spreading panic about food or fuel shortages digitally.

This convergence raises thorny questions. How should nations protect critical financial networks in wartime? Should those networks be considered part of the national defence infrastructure? During this conflict, Iran’s internal internet shutdown was effectively an act of financial self-defence – by disconnecting, Iran prevented further immediate draining of its banks and exchanges. Nevertheless, that came at the cost of paralysing commerce and communication, as well as blocking vital information, including alerts warning of Israeli strikes. 

Lessons for the next multi-domain conflict

The Iran-Israel war demonstrated that the future of warfare is multi-domain by default. Drones, fighter jets, special forces, and hackers all operated in concert. Cyberattacks were not a sideshow; they were a core part of the campaign, used to deter, disrupt, and demoralise. Malware has become an instrument of state power, one that can extend the reach of conventional force.

This is not the first time the financial sector has been targeted by cyberattacks during a state-on-state conflict. Both Russia and Ukraine, for example, have disrupted each other’s banking systems, causing widespread economic instability. 

The international community must grapple with the blurring of civilian and military targets in cyber conflict. When hacktivists, state-directed or not, can take down a hospital, a pipeline, or a bank as part of a war, how do we protect those assets and deter such attacks without crossing into all-out cyber chaos? 

In the Iran-Israel clash, cyberattacks, while disruptive, remained largely controlled – limited to psychological warfare and economic sabotage rather than catastrophic infrastructure failure. However, it is easy to imagine a darker scenario. What if Iran had knocked out parts of Israel’s power grid or if Israel’s hackers had caused a financial meltdown in Tehran? The Iran-Israel war of 2025 stands as a testament – and a warning: cyberpower is now a firmly entrenched extension of conventional force, inseparable from the calculus of modern warfare.