Bank Sepah remains degraded nearly fifty days after the June 17 attack by Predatory Sparrow — core banking functions show partial restoration, with payment rails, checks, and records access still impaired at scale, which indicates destructive effects on production systems and backups, plus a rushed migration to a new core that has not stabilized.
High confidence in the sustained disruption assessment — multiple Iranian sources with on-site checks converge on the same failure modes. Moderate confidence in method inference — effects align with destructive tooling and backup compromise, though forensic proof remains outside public view. Moderate confidence in state linkage — the group’s track record and timing line up with geopolitical escalation, while official denials and plausible deniability remain intact.
Incident framing
Predatory Sparrow claimed a destructive operation against Bank Sepah on June 17 — the group framed the strike as retribution for the bank’s role in Iranian military finance and sanctions evasion. Independent monitoring confirmed outages across public-facing services the same day. Iranian reporting now shows that near day fifty, customers still face disabled ATMs, manual-only wire transfers at branches, and complete failure of check issuance and clearing. Customer statements before late June remain inaccessible, and branches report re-enrolling identity data for some account holders — a marker of back-end record loss.

Operational status — service impacts and workarounds
The table summarizes current effects that persist across channels, based on on-site reporting and follow-up coverage from Iranian outlets.
| Bank function | Status as of Aug 6 | Workaround reported | Impact on customers |
|---|---|---|---|
| ATMs | Not functioning | None at scale | Cash withdrawals shift to tellers — queues and rationing risk |
| Wire transfers (Paya and Satna) | App and online disabled | Manual processing at branches only | Delays, branch congestion, enterprise payment friction |
| Checks — issuance and clearing | Fully disrupted | None — no new checkbooks, old checks not honored | Supply chain and payroll breaks for firms that rely on checks |
| Cards and POS | Mostly working | Use merchant POS and gateways | Retail continuity with sporadic disruption |
| Account statements | Records before 9 Tir 1404 unavailable | None reliable | Audit gaps — disputes and reconciliation problems |
| Loans — disbursement and repayment | Stalled then partial return | Ad-hoc branch processing and staged app features | Compliance and delinquency noise due to record gaps |
| Customer identity records | Missing entries for some users | Re-capture of KYC fields at branches | Time cost and error risk during re-onboarding |
Field investigations by Peivast back the ATM, wire, check, statement, loan, and identity-data findings, while additional Iranian coverage shows staggered returns of select mobile features and continued instability during the core switch.
Tradecraft — what the effects reveal about methods
Destructive outcomes point to wiper-class tooling or destructive scripting placed deep in core banking and adjacent systems — the loss of pre-29 June statements and identity attributes shows more than front-end disruption. Manual wire operations at branches signal broken integrations with national rails that usually run through secure middleware. Total failure across check issuance and clearing implies severed or corrupted links with the Central Bank’s SAYAD system. The mix of surviving retail card payments with failed settlement functions fits a pattern where merchant acquiring recovers faster than interbank flows because separate stacks and vendors manage them. Peivast and Iranian tech trade press report a sprint migration from an incumbent core to the Tosan platform — a recovery move aligned with a scorched production environment where restoring from clean backups proved impossible or too slow.
Attribution and motivation — confidence and caveats
Predatory Sparrow publicly claimed the operation and tied its narrative to Bank Sepah’s role in financing defense programs. Reuters, CyberScoop, and regional outlets recorded the outage pattern in real time. The group’s history of destructive actions against Iranian targets and its propaganda cadence align with a coercive strategy that links cyber effects to broader military pressure. Iranian sources add detail on recovery and confirm that service gaps persisted far beyond the first week. Attribution to an Israeli state hand remains unacknowledged officially; open sources tie Predatory Sparrow to prior operations with state-grade capability. The claim remains the strongest explanation for the event, with public evidence consistent with a targeted, destructive strike rather than a transient denial-of-service.
Strategic impact — why the bank still struggles
Core banks recover fastest when the recovery point objective and recovery time objective have credible backing in tested drills and segregated backups. The prolonged outage at Bank Sepah signals weaknesses in off-site, offline, and immutable backup posture. The forced core migration, carried out in weeks under pressure, introduces integration debt across payment rails, check systems, loan servicing, and KYC — each interface requires mapping, translation, and reconciliation. Branches that re-capture identity data and push customers to open backup accounts at another state bank reflect an institution that lost trust in its own records. Each day of manual wires and non-honored checks spreads second-order damage to suppliers, payroll cycles, and government disbursements, including pensions and regulated bread subsidy settlements rerouted to other banks during the disruption.
Outlook — what most likely comes next
Predatory Sparrow’s concurrent strike on Nobitex and Bank Sepah shows a targeting logic that pressures Iran’s financial lifelines through destruction rather than theft. Messaging that frames burned funds and erased data as punishment signals an escalation path where further waves focus on record integrity, not just availability. Iranian banking stacks that depend on shared vendors and national rails remain exposed while the sector rushes to harden controls. Expect sustained instability at Bank Sepah through late summer as the new core stabilizes, reconciliations grind through backlogs, and interfaces with national systems regain normal throughput. A faster recovery demands clean baselines, staged data rebuilds, and acceptance of partial write-offs where records lack authoritative provenance.
Indicators and validation — how to track recovery and deception
Public status claims from bank officials require cross-checks against field reporting from customers and branches. Verified signs of genuine recovery include reactivation of ATM fleets with normal failover behavior, restored online and mobile Paya and Satna with same-day settlement, issuance of new checkbooks with active SAYAD registration, and account statements that span pre-29 June periods with consistent balances. Signs that point to ongoing damage include persistent manual wires, continued denial of pre-attack statements, and branch-level re-enrollment of KYC data. Iranian outlets already document mixed signals — upbeat notices from officials set against continued outages observed at the counter and in apps.
Defensive lessons — how to reduce exposure under sanctions pressure
Sanctions drive reliance on domestic stacks and unlicensed software, which raises the hazard of tampered binaries and backdoors. Iranian trade coverage describes risks from cracked software and internal server exposure. Banks that operate under such constraints still harden recovery through strict separation of production, staging, and backup networks, frequent bare-metal backup validation, and offline, immutable snapshots. Vendor swaps during crisis windows need pre-built playbooks that define data conversion rules, transaction replays, and authoritative sources for each ledger segment. Cross-bank drills with the Central Bank and rail operators reduce the chance of branch-only fallbacks for wires and checks.
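An added example, not taken from the article or from any bank's tooling: a minimal sketch of the playbook step described above, replaying transactions from designated authoritative sources over a clean baseline and comparing the result with the migrated core. The source names (rail_journal, offline_backup, branch_reentry), the per-account sequence numbers, and all accounts and amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal as D
# All accounts, amounts and source names below are constructed for illustration.
AUTHORITATIVE = {"rail_journal", "offline_backup"}  # assumed trusted sources

@dataclass(frozen=True)
class Txn:
    account: str
    amount: D    # signed: credits positive, debits negative
    seq: int     # per-account sequence number from the source journal
    source: str  # where the record was recovered from

def reconcile(baseline, journal, migrated):
    """Replay journal entries over a clean baseline; compare with the new core."""
    by_account = {}
    for t in sorted(journal, key=lambda t: (t.account, t.seq)):
        by_account.setdefault(t.account, []).append(t)
    report = {}
    for account in sorted(set(baseline) | set(migrated) | set(by_account)):
        if account not in baseline:            # no trusted starting point
            report[account] = ("no_baseline", None)
            continue
        balance, last_seq = baseline[account]
        status = "ok"
        for t in by_account.get(account, []):
            if t.source not in AUTHORITATIVE:  # e.g. re-keyed at a branch
                status = "unverified_source"
                break
            if t.seq != last_seq + 1:          # a transaction is missing
                status = "sequence_gap"
                break
            balance, last_seq = balance + t.amount, t.seq
        if status == "ok" and migrated.get(account) != balance:
            status = "mismatch"
        report[account] = (status, balance)    # balance as far as verified
    return report

BASELINE = {"A1": (D("100.00"), 10), "A2": (D("50.00"), 4),
            "A3": (D("0.00"), 0), "A6": (D("10.00"), 2)}
JOURNAL = [
    Txn("A1", D("-30.00"), 11, "rail_journal"),
    Txn("A1", D("5.00"), 12, "offline_backup"),
    Txn("A2", D("20.00"), 6, "rail_journal"),      # seq 5 was lost
    Txn("A3", D("10.00"), 1, "branch_reentry"),
    Txn("A4", D("7.00"), 1, "rail_journal"),
]
MIGRATED = {"A1": D("75.00"), "A2": D("70.00"), "A3": D("10.00"),
            "A4": D("7.00"), "A5": D("1.00"), "A6": D("12.00")}
REPORT = reconcile(BASELINE, JOURNAL, MIGRATED)
```

Only accounts reported as ok carry a balance that is backed end to end by an authoritative source; every other status marks a record that needs manual review or a write-off decision before it is treated as restored.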
APA references
AFP-Iran International. (2025, June 17). Iranian media confirms cyberattack on Bank Sepah, services disrupted. https://www.afintl.com/en/202506170567
Axios. (2025, June 17). Pro-Israel hackers claim cyberattack on Iranian bank. https://www.axios.com/2025/06/17/iran-bank-sepah-cyberattack-israel
CyberScoop. (2025, June 17). Iran’s Bank Sepah disrupted by cyberattack claimed by pro-Israel group. https://cyberscoop.com/iran-bank-sepah-cyberattack
ILNA. (2025, June). Post-attack service restoration statements by Bank Sepah officials. https://www.ilna.ir/
Le Monde. (2025, June 20). Who is Gonjeshke Darande. https://www.lemonde.fr/en/pixels/article/2025/06/20/who-is-gonjeshke-darande-the-group-behind-the-cyberattack-targeting-sepah-bank-in-iran_6742524_13.html
Peivast. Samaneh Sami. (15 Mordad 1404). Uncleared checks and a broken app — disruption to Bank Sepah services continues. https://peivast.com/p/239244
Peivast. (16 Tir 1404). Tosan CEO — recovery of Bank Sepah services was entrusted to Tosan. https://peivast.com/p/236106
Peivast. (31 Khordad 1404). Bank Sepah — debit card problem resolved; internet banking and mobile banking to launch soon. https://peivast.com/t/بانک-سپه
Reuters. Vicens, A., & Pearson, J. (2025, June 17). Suspected Israeli hackers claim to destroy data at Iran’s Bank Sepah. https://www.reuters.com/world/middle-east/suspected-israeli-hackers-claim-destroy-data-irans-bank-sepah-2025-06-17
Reuters. (2025, June 18). Iran crypto exchange hit by hackers — about ninety million dollars destroyed. https://www.reuters.com/world/middle-east/iran-crypto-exchange-hit-by-hackers-90-million-destroyed-2025-06-18
The Guardian. (2025, June 18). Israel-linked group hacks Iranian cryptocurrency exchange in ninety-million heist. https://www.theguardian.com/technology/2025/jun/18/israel-linked-group-hacks-iranian-cryptocurrency-exchange-in-90m-heist
U.S. Department of the Treasury — OFAC. (2007, January 9). Iran’s Bank Sepah designated under E.O. 13382. https://home.treasury.gov/news/press-releases/hp219
Way2Pay. (Tir 1404). Bank Sepah joined Tosan's customers — an account of the recovery operation. https://way2pay.ir/477450
Zoomit. (14 Mordad 1404). When will Sepah return to normal — cracked software and the risk to banks. https://www.zoomit.ir/tech-iran/445438-sepah-bank-services-disruptions/
