Iran Pays Millions in Ransom After Massive Cyberattack
In August, Iran fell victim to a large-scale cyberattack that threatened the stability of the country’s banking system. Sources familiar with the situation report that the government was forced into negotiations with the hackers, ultimately paying a ransom of several million dollars.
According to analysts and Western officials, an Iranian company transferred at least $3 million to prevent the leak of personal data from over 20 banks. The attack, one of the largest in Iran’s history, was likely orchestrated by the threat actor IRLeaks, who had previously carried out similar breaches.
The extortionists initially demanded a $10 million ransom in cryptocurrency, threatening to sell the stolen data, which included banking account information and credit card details of millions of citizens. However, the final settlement was reduced to $3 million. The Iranian government agreed to the deal, fearing that a data leak could destabilize the nation’s financial system, already under strain from international sanctions.
Despite the scale of the incident, Iranian authorities neither acknowledged the breach nor disclosed the ransom payment. During the attack, ATMs across the country were temporarily shut down. Opposition media outlets reported on the event, though no official statements were made regarding the hacker group or the ransom demands.
Following the cyberattack, Iran’s Supreme Leader issued a statement accusing the U.S. and Israel of attempting to instill fear in the Iranian people and waging psychological warfare aimed at undermining the country’s political and economic stability. However, sources indicate that the cyberattack was not linked to the U.S. or Israeli governments but was carried out by independent hackers motivated by financial gain.
The IRLeaks group, previously responsible for hacking Iranian companies, breached the banks’ servers through Tosan, a company providing digital services to the financial sector. By using Tosan as a “Trojan horse,” the hackers gained access to the data of both private banks and the Central Bank of Iran. Among the affected institutions were the Bank of Industry and Mines, Post Bank of Iran, Bank Day, and others.
Iran’s financial system has long been in a vulnerable state. Iranian banks are burdened with domestic loans and face significant challenges, compounded by sanctions and economic instability. Despite these issues, many Iranians continue to rely on banking services and avoid using cash due to an inflation rate exceeding 40%. Nonetheless, the vulnerability of the banking system increases the risks for individual financial institutions, particularly in the event of a mass withdrawal of funds by customers. This very risk may have driven the Iranian authorities to conceal the attack and settle swiftly with the extortionists.
In January, Hudson Rock revealed information about large-scale cyberattacks targeting leading Iranian insurance companies and online food delivery services, affecting a significant portion of Iran’s 88-million-strong population. On December 20, a hacker using the alias “irleaks” posted on a cybercrime marketplace, offering over 160 million records of Iranian citizens’ data from 23 of the country’s top insurance companies for sale.
