Cyber warfare
Cyberattacks Freeze Card Payments at Iran's Biggest State Banks
A second wave of intrusions froze card and online services at Bank Melli, Saderat and Tejarat, exposing the fragility of a sanctions-hit financial system battered by the 2025 conflict with Israel.
By Marc Weber · · 5 min read

Iranians met shuttered card readers and frozen banking apps in late June as a fresh cyberattack forced the nationwide suspension of card-based services at three of the country's largest state lenders — the second assault on the banking network in under two weeks, and the latest sign that financial infrastructure has become a frontline weapon in the confrontation between Iran and its adversaries.
The earlier strike, on 13-14 June, disrupted four institutions at once: Bank Melli Iran, Bank Saderat Iran, Bank Tejarat and the Export Development Bank of Iran. Rather than breaching each bank's own defences, the attackers hit a shared communications system that links the lenders, according to Iran's Banking Coordination Council and reporting by Reuters. Mobile and online banking, cash machines and card payments went dark; shops, restaurants and petrol stations in Tehran and beyond were left to record purchases by hand for later settlement.
By 23-24 June, three of the same banks — Melli, Saderat and Tejarat — had again suspended card services across the country. The Informatics Services Corporation, which runs much of Iran's payment plumbing, said on 24 June that the disruptions had been resolved, and the Banking Coordination Council reported that online transactions were functioning normally again. Private banks were not affected.
A shared weak point
What unsettled analysts was less the damage than the method. By striking the network that ties the state banks together, attackers knocked out several institutions in a single move — a reminder that shared infrastructure concentrates risk far beyond any one bank's balance sheet.
"Rather than going after each bank one by one, the attackers appear to have targeted the shared communications network," Javvad Malik of the security-awareness firm KnowBe4 told the business outlet AGBI. The disruption was visible and humiliating but, on the available evidence, shallow: officials said no customer data was stolen and core records stayed intact.
Iran's Banking Coordination Council described the episode as a "limited cyberattack" and said there had been no unauthorised access to customer information and no data leakage. Its IT department framed the card-service shutdown as a defensive measure, saying it was "intended to prevent unauthorized access and ensure the security of customers' assets" while "experts are currently working to restore operations as quickly as possible."
A transient outage that the public experiences at the supermarket till is almost optimised for visibility and embarrassment rather than lasting harm.
That assessment came from Alan Woodward, a cybersecurity professor at the University of Surrey, who told AGBI the attacks looked designed to erode public confidence rather than destroy data.
Who is behind the attacks
A group calling itself Black Wolves — an Iranian anti-government collective — claimed responsibility on Telegram, casting the operation in political terms. "A silent war is unfolding, and Iran is under cyberattack," it wrote, echoing a pattern of domestic hacktivism that has targeted the establishment since the 2022 women's-rights protests, when activists breached the central bank and Evin prison's surveillance cameras.
Iranian authorities, notably, did not publicly attribute the June 2026 attacks to any state or group. Suspicion initially fell on Predatory Sparrow, the pro-Israel outfit blamed for some of the most destructive strikes on Iranian targets, but expert analysis cited by AGBI pushed back on that link, pointing to the limited, reversible nature of the outages. The ambiguity is itself part of the story: in a crowded field of hacktivists, criminals and state-backed crews, attribution is slow and contested.
Echoes of the 2025 war
The outages land in the shadow of a far heavier campaign a year earlier. During the 12-day Iran-Israel war in June 2025, Predatory Sparrow — known in Persian as Gonjeshke Darande and widely linked to Israel — crippled Bank Sepah, the lender tied to the Islamic Revolutionary Guard Corps. Accounts became inaccessible, branches closed nationwide, some government and security salaries were delayed, and the Central Bank of Iran's website went offline. The group said it had "destroyed the data" of the IRGC's bank, accusing it of evading sanctions to finance the regime's military programmes.
A day later, the same group drained more than $90 million from Nobitex, Iran's largest cryptocurrency exchange, according to the blockchain-analytics firm Elliptic. The funds were funnelled into vanity wallet addresses bearing anti-IRGC slogans that are effectively impossible to spend — destroying the money as a political message — before the attackers leaked Nobitex's source code.
"They have carried out serious attacks that reflect real skill and sophistication." John Hultquist, chief analyst at Google Threat Intelligence Group, offered that verdict on Predatory Sparrow after the Bank Sepah attack. Set against that benchmark, the June 2026 incidents look cruder — which is precisely why analysts doubt the same hand was at work.
A system already under strain
For Iran, the timing is awkward. A US-Iran memorandum of understanding has wound down the overt hostilities of 2025, prompting debate over whether covert sabotage — cyber operations among it — is returning to the table. Each outage, however brief, lands on a financial system already squeezed by years of US and international sanctions, a depreciating rial and recurrent breaches; a 2024 attack by the group IRLeaks was described as among the worst ever on Iran's banks.
The broader lesson reaches well beyond Tehran. As card rails, inter-bank messaging and crypto exchanges become targets in geopolitical conflict, the resilience of payment infrastructure — the unseen machinery that lets a shopper tap a card — is emerging as a question of national security, not merely of IT. Iran's repeated blackouts are an early, vivid demonstration of how quickly a modern economy seizes up when that machinery is switched off.
Frequently asked
- Which Iranian banks were hit in June 2026?
- A 13-14 June attack disrupted four state lenders — Bank Melli Iran, Bank Saderat Iran, Bank Tejarat and the Export Development Bank of Iran — by targeting a shared communications system. A second wave around 23-24 June suspended card services nationwide at Melli, Saderat and Tejarat. Private banks were unaffected.
- Who carried out the attacks?
- An Iranian anti-government group calling itself Black Wolves claimed responsibility on Telegram. Iranian authorities did not formally attribute the attacks; the pro-Israel group Predatory Sparrow was initially suspected, but analysts cited by AGBI doubted the link given the limited, reversible nature of the outages.
- Was customer money or data stolen?
- Iran's Banking Coordination Council described it as a 'limited cyberattack' and said no unauthorised access to customer information or data leakage occurred. The disruptions hit services — cards, ATMs and online banking — rather than account balances, and were reported resolved within days.
- How does this connect to the Iran-Israel conflict?
- The attacks follow a US-Iran understanding that ended the overt hostilities of the June 2025 12-day war, during which the Israel-linked Predatory Sparrow crippled Bank Sepah and drained over $90m from the Nobitex crypto exchange. The new outages have revived debate over a return to covert sabotage.
Sources(12)
- 1Cyberattack hits Iran banks as digital tensions lingerAGBI · agbi.com
- 2Cyberattack hits four major Iranian banks, officials sayCybernews · cybernews.com
- 3Cyberattack On 4 Iranian Banks ConfirmedRadio Free Europe/Radio Liberty (via GlobalSecurity.org) · globalsecurity.org
- 4Cyberattack disrupts services at four major Iranian banksThe Paypers · thepaypers.com
- 5Cyberattack Hits State Banks in IranAsharq Al-Awsat · english.aawsat.com
- 6Cyberattack hits state banks in IranOman Observer (DPA) · omanobserver.om
- 7Cyberattack disrupts banking services in IranYahoo News (DPA) · yahoo.com
- 8Iran's Bank Sepah disrupted by cyberattack claimed by pro-Israel hacktivist groupCyberScoop · cyberscoop.com
- 9Iran's financial sector takes another hit as largest crypto exchange is targetedCyberScoop · cyberscoop.com
- 10Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel groupElliptic · elliptic.co
- 11Pro-Israel hackers take credit after $90 million stolen from Iran's largest crypto exchangeCNN · cnn.com
- 12Predatory SparrowWikipedia · en.wikipedia.org



