A Policy-Oriented Think Tank Addressing Foreign Policy and National Security Issues for a Safe Israel

Cybercrime or Political Warfare?

Be it the work of cybercriminals or a state actor with as-yet unclear motives, the Bank Sepah hack and the leak of IRGC personnel data expose the vulnerability of Iran’s financial system
Photo: Bank Sepah (IMAGO / Pond5 Images)

In March 2025, anonymous hackers claimed to have stolen 12 terabytes of sensitive data from the systems of Bank Sepah, one of Iran’s largest banks, whose clientele includes a significant number of IRGC and security personnel. While there are indications that the attack may have been executed by a state actor, the identity of the perpetrators remains undetermined. According to Iranian authorities, the impact of the breach was limited, and accordingly, the incident received only terse acknowledgment from senior regime officials and financial institutions in the country.[1]

A poster shared by the Code Breakers group on its Telegram channel. It shows a hooded figure labeled “Code Breakers” looming over the IRGC emblem. On the left, a sign reads “Negotiation,” pointing to a banker at a desk; on the right, a sign reads “Data Exposure,” pointing to scattered documents. Both point to the Bank Sepah logo in the center of the poster, above the caption: “Choose.”

The “Code Breakers” Hack of Bank Sepah’s Systems

An anonymous hacker group calling itself “Code Breakers” announced on March 14, 2025, that it had breached the systems of Iran’s Bank Sepah (سپه) and stolen 12 terabytes of sensitive data.[2] According to the group, the information includes details from 126 million bank accounts, comprising 114 million accounts belonging to 42 million individual clients (including members of the Islamic Revolutionary Guard Corps (IRGC) and security forces) and 12 million corporate accounts. The stolen data, the group claimed, includes records pertaining to two million IRGC and security personnel. In its initial message, the group demanded a ransom from the bank in exchange for destroying the stolen data. Code Breakers did not specify how much it wanted, and on March 30 it offered the data for sale via its official Telegram channel, setting the price at $42 million.[3]

The group claimed that the data in its possession includes full personal details of the bank’s customers, such as: name, national ID number (the Iranian equivalent of a Social Security number), phone number, date of birth, father’s name, account number, account balance (including in foreign currency), credit card identifiers belonging to the customer, information on money transfers (including full details of the sending and receiving accounts), as well as information on deposited checks.

The group also published what it claimed was a categorization of client groups served by Bank Sepah, including the IRGC, the army, the police, the General Staff of the Armed Forces, the country’s Atomic Energy Organization, the Ministry of Defense, and other security bodies.

Code Breakers attempted to sell the data both through its Telegram channel and via dedicated forums on the dark web. The group gradually released samples of the data it claimed to possess, among them personal details of account holders with significant balances and of members of Iran’s security forces, apparently to pressure the bank into paying the ransom. In mid-May, the group’s Telegram channel was deleted without any explanation. It is possible that the channel was taken down following successful negotiations with Iranian authorities and the payment of a ransom, or for other unknown reasons.

Screenshot of a post by the group on the Dark Net.

Who Is Targeting Iran’s Financial System?

The ransom-driven attack on Bank Sepah discussed in this paper is a “hack and leak” operation: a breach of a system holding sensitive data, followed by exfiltration of that data and its gradual public release until a ransom is paid (classic ransomware adds, or substitutes, encryption of the victim’s systems; in the Bank Sepah case the reported leverage was the threatened sale and publication of the data, not encryption). Such attacks can serve as a means of generating financial profit,[4] while the ransom demand may also act as a cover for politically or strategically motivated cyber operations whose primary goal is to damage the image and stability of the targeted regime. Cyber units operated by states or political entities may hide behind fictitious fronts to obscure any connection to the attack.

The information currently available is insufficient to definitively determine who is behind the Code Breakers Telegram channel. On its face, it appears to be a group carrying out ransomware operations to compel victims to pay large sums for data it encrypts and/or steals. However, the German research institute Cyfluence Research Center (CRC), which studies cyber activity related to influence and psychological operations, argues that the group’s behavior and public messaging bear hallmarks of influence campaigns conducted for political purposes, funded and/or carried out by states or organized entities opposed to the Iranian regime.[5] CRC points to several indicators suggesting the nature and affiliation of the group, such as statements and phrasing uncharacteristic of criminal cyber actors. Moreover, according to the institute’s researchers, the group’s exposure of the bank account details of Iranians serving in the security forces suggests that political motives are among the hack’s objectives.[6]

Account details released by the group.

According to reports published over the past year, this is the second major attack on Iran’s financial infrastructure. In August 2024, an anonymous hacker group calling itself “IRLeaks” attacked the servers of Tosan (توسن),[7] an Iranian company that provides digital services to a large number of financial institutions in the country. Access to the company’s servers enabled the hackers to infiltrate the databases of several institutions and banks and to steal a large volume of data, a model known as a “supply chain attack,” in which compromising a single shared service provider yields access to all of its clients at once. According to reports, data was stolen from the Central Bank of Iran, Bank Mehr, Bank San’at va Ma’adan, Post Bank Iran, Bank Iran Zamin, Bank Day, Bank Sarmayeh, the Iran-Venezuela Bi-National Bank, Bank Shahr, Bank Eghtesad-e Novin, and Bank Saman.[8] According to those reports, Tosan paid a ransom, and the hacker group subsequently deleted some of the data it had published on its Telegram channel,[9] suggesting that the group’s motive was likely financial.

The cyberattacks on Bank Sepah and the Tosan company indicate that Iran’s financial system is a target for hacker groups driven by both financial and political motives. Criminal actors are primarily motivated by the opportunity to obtain sensitive data stored in these systems, and use it to demand payment. This information is not necessarily limited to customers’ personal details; it may also include data essential to the operational continuity of the targeted institution.

State-sponsored attackers, by contrast, are driven by the desire to inflict as much damage as possible on their adversary. For such actors, targeting a bank carries the added significance of striking a critical national infrastructure and thus undermining the sense of security of the citizens of that country. There is also the potential for state or political actors to embarrass the regime by exposing the personal details of individuals connected to the ruling establishment. Code Breakers appears to have attempted to achieve precisely that by releasing information on members of the IRGC.

A combination of the two models is also possible: a state or political actor may carry out what appears to be a purely criminal ransomware attack in order to conceal its true objective, while a criminal actor may employ pressure tactics typically used by state actors to achieve its goal.

Response Patterns of the Iranian Regime:
Denial, Obfuscation, Partial Admission—The Iranian Dilemma in Managing Cyber Crises

Iranian authorities responded to the incident with terse statements. On March 29, Bank Sepah spokesperson Reza Hamdaneshi initially denied that the bank’s systems had been breached and dismissed all claims of a data leak.[10] That same day, however, the hacker group published the personal details of half a million wealthy clients.[11] The following day, the bank implicitly acknowledged the breach and issued a public warning: “In light of claims in cyberspace regarding unauthorized access to Bank Sepah customer data by hacker groups, we hereby announce that any redistribution of information allegedly related to the accounts of private individuals, particularly military organizations, constitutes a violation of the confidentiality principle associated with the armed forces and may be subject to legal prosecution.”[12] The reference to military organizations in this official warning effectively confirms Code Breakers’ claim that data on security personnel had been stolen and underscores the sensitivity of the material—suggesting that its exposure may have been one of the group’s motives in targeting Bank Sepah. Later, on April 18, the head of the Supreme Council of Cyberspace, Mohammad Amin Aghamiri, stated that “the bank’s systems were not breached, but data was stolen from them.”[13]

The authorities’ handling of this incident reflects a familiar pattern among Iranian officials in managing crises, including cyber crises: an immediate denial, followed—after a period of hours or days—by partial confirmation of the event’s details, and, in rare cases, full acknowledgment (typically only in large-scale incidents that cannot be concealed or contained). This approach is intended to project control over the situation and prevent anxiety or unrest among the public, which could lead to protests. In this context, the very fact that a senior Iranian official confirmed the theft of data from Bank Sepah lends significant weight to the group’s claim that it succeeded in extracting authentic information from the bank’s servers. We can assume with a high degree of confidence that the authorities would not have acknowledged the incident at all had they not feared the exposure of the data and the ensuing implications.

Cyberattacks present the Iranian regime with a dilemma: whether to publicly acknowledge the incident or to distort and conceal it entirely. The authorities aim to project an image of control and to prevent negative public discourse around the event, as they fear this could spark unrest or even protests. From the regime’s perspective, the ideal scenario is total denial followed by the rapid disappearance of the incident from public discourse. However, many cyberattacks involve a highly visible component that makes it impossible to deny the event’s occurrence—as was the case with the cyberattacks on Iran’s gas stations in 2021 and 2023, during which many stations across the country were shut down for an extended period.

Another option is to distort the details of the incident or portray it as a technical malfunction rather than a cyberattack. While this tactic may present the regime as negligent or incompetent, at the same time it contains the public perception that Iran is vulnerable to penetration by its enemies and is incapable of defending itself effectively. The crux of the dilemma for the regime is thus whether to portray itself as unable to govern or as unable to protect the state. At times, as in the cyberattack on Bank Sepah, the authorities opt for a gradual response: initial denial or vague statements, followed later, whether by necessity or choice, by full or partial admission.

In most cases, the regime opts to frame the narrative with visible displays of control, aiming to eliminate any doubt about its ability to manage the crisis. Preserving control is its foremost objective, and its actions are shaped accordingly.

Summary and Conclusions

The cyberattack on Bank Sepah highlights the vulnerability of Iran’s financial system to digital threats—whether criminal activity or sophisticated operations with political motives. The case illustrates the strategic value of sensitive financial information as a tool for pressuring regimes, undermining public trust in institutions, and exposing vulnerable centers of power, especially when security entities are involved.

The Iranian regime’s pattern of response—ranging from denial and obfuscation to delayed admission—reflects the strategic dilemma it faces: balancing the desire to project control and sovereignty against the difficulty of containing information that spreads uncontrollably in the digital sphere.

The incident also points to a troubling trend for the regime: Iran’s economic infrastructure and financial institutions have become fertile ground for cyberattacks, because of the potential public, political, and systemic impact these attacks can yield. This reality demands that Iran—as well as states that view it as a strategic rival—adopt advanced, adaptive responses to cyber threats. In addition to defensive responses, they need to understand the political and psychological implications of such events. A cyberattack can be far more than a technological breach—it can be a form of influence operation aimed at the very heart of a regime’s legitimacy.


[1] The information on which this paper is based is current as of May 22, 2025. https://www.presstv.ir/Detail/2021/10/23/669115/Iran-CEOs-Bank-Melli-Sepah-finnace-minister

[2] The group’s presumed channel was located at t.me/ircodebreakers. This appeared to be the group’s authentic page, as the content cited elsewhere online, including images, was first published there. No competing or duplicate channels were identified. The attack was posted on this channel about two weeks before it was reported by other sources. The channel was taken down in mid-May 2025, just days after information and screenshots were collected for this paper.

[3] t.me/ircodebreakers

[4] A criminal cyberattack group conducts cyber operations for profit, typically in the form of ransomware attacks, in which the group encrypts or threatens to expose data obtained from breached networks and demands payment in exchange for restoring the information.

[5] https://www.cyfluence-research.org/post/codebreakers-hack-sepah-bank-financial-motive-or-influence-operation

[6] https://www.cyfluence-research.org/post/codebreakers-hack-sepah-bank-financial-motive-or-influence-operation

[7] https://www.techcentral.ie/cyber-attack-on-irans-banking-system-exposes-sensitive-data-a-risk-to-stability/

[8] https://www.politico.eu/article/iran-millions-ransom-massive-cyberattack-banks/

[9] https://cyberscoop.com/iranian-it-vendor-ransom-cyberattack-banks/

[10] https://farsnews.ir/behbood/1742989804796664673

[11] t.me/ircodebreakers

[12] https://nournews.ir/fa/news/218559

[13] https://nournews.ir/fa/news/220708


JISS Policy Papers are published through the generosity of the Greg Rosshandler Family.



Dr. Avi Davidi

Dr. Avi Davidi is a senior Research Fellow at the Jerusalem Institute for Strategy and Security (JISS) and the Elrom Air and Space Research Center, Tel Aviv University. With over 36 years of experience in U.S.-Israel-Iran relations, strategic intelligence, and cyber threats, he is a recognized expert on Iranian affairs. Dr. Davidi previously served as Iran Director at Israel’s Ministry of Strategic Affairs and led digital diplomacy at the Ministry of Foreign Affairs. He is also the Editor-in-Chief of the Times of Israel in Persian. He holds a Ph.D. in International Relations from the University of Southern California (USC).

