Codebreakers Hack Sepah Bank: Financial Motive or Influence Operation?
- CRC
- Apr 17
- 6 min read
Updated: May 20

This week, we examine the recent developments involving the hacker group "Codebreakers" and the Iranian Sepah Bank, which have surprisingly not made international headlines yet. A Wikipedia entry addresses the incident in detail and compiles relevant sources. See this article for comprehensive coverage of how the leaks have affected discourse in Iran.

In the past, the United States Office of Foreign Assets Control (OFAC) has referred to Sepah Bank as the "financial backbone" of Iran’s ballistic missile program. (1) The bank is also believed to have close ties to the country’s military and security apparatus. It has been on the U.S. sanctions list since its designation in 2007. (2)
On March 25, 2025, the hacker group "Codebreakers" announced it had successfully breached Sepah Bank. The group exfiltrated data and then publicized it in a "hack and leak" operation. One particularly notable aspect of this case is the group’s choice of distribution channels. In addition to using conventional leak platforms, they also turned to Instagram, offering the data to the highest bidder. Choosing Instagram appears to have been a deliberate decision, especially considering it is one of Iran's most widely used platforms. This suggests an effort to reach a broad Iranian audience.
The previously unknown group is called "Codebreakers" and presents itself through a simple, stereotypical profile image of a hooded hacker, most likely generated by AI. This kind of visual branding, combined with the choice of platform, seems inconsistent with a genuine ransom-driven motive. The fact that Codebreakers used Instagram to promote and share data from the breach is highly unusual, as is the large volume of information in the sample. Typically, financially motivated cybercriminals avoid obvious public platforms to conceal their tracks.
Threat actors commonly publish stolen data online deliberately, to increase pressure on the targeted organization by threatening to release further sensitive information unless a ransom is paid. What is also unusual in this case is the reported use of a WhatsApp group to auction off the information. Threat actors rarely use this messaging service as a platform for communication or data publication, partly because a WhatsApp account is tied to a phone number and because its parent company, Meta, is known to cooperate with law enforcement requests.
Another notable aspect is that the initial posts were written exclusively in Persian. In such cases, threat actors usually communicate in English to reach a broader audience and maximize pressure on the victim. The choice of language in this instance may therefore suggest a regional focus or a politically motivated intent.

This strongly suggests that the goal was to generate public attention primarily within Iran. It indicates that this was not a typical financially motivated cyberattack but an influence campaign. The choice of target, the method of disclosure, and the language used in communication all suggest an intention to undermine trust in state institutions and publicly discredit Bank Sepah.
The identity of the group behind the attack remains unknown. Possible actors include state-sponsored entities pursuing geopolitical interests, and exiled Iranian opposition groups with the technical capability to carry out such an operation and a desire to influence public perception inside Iran.
However, it seems unlikely that an Iranian opposition group is responsible. These groups generally lack the resources to breach a high-security institution like Bank Sepah successfully. Even if they did, they would likely release the material in English to attract international attention and exert political pressure. The fact that the communication was conducted entirely in Persian indicates an operation explicitly directed at an Iranian audience.
The financial motive also appears to be secondary. While a ransom of $42 million was demanded, the amount was so excessive that payment was never a realistic expectation. This suggests that serious negotiations were not the actual goal. Furthermore, the sample data released was huge. In typical extortion cases, only small data sets are published to demonstrate the validity of the breach. The decision to publish hundreds of thousands of records indicates that the primary aim was to expose as much information as possible.

Some time after the sample files were published, the data was sold on Exploit[.]in at a much more realistic price. The platform is a Russian-language cybercrime forum that has been active since 2005 and operates on both the dark and the clear web. It is considered one of the oldest and most established platforms, used by professional cybercriminals to trade illegal services such as hacking, fraud, and ransomware-as-a-service (RaaS). The data has likely already been purchased multiple times.
![Figure 3 - Offer on Exploit[.]in](https://static.wixstatic.com/media/effca5_2327550a69ee4845ac2fdd70c07b6506~mv2.jpg/v1/fill/w_980,h_488,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/effca5_2327550a69ee4845ac2fdd70c07b6506~mv2.jpg)
A few days later, the Codebreakers announced that they had also compromised additional Iranian government systems and databases.

The group also released personal information of account holders from the database. This included the disclosure of individual banking details.

The release specifically highlighted account holders with a military background. This, too, may indicate that the operation could be part of an information campaign.

Notably, on April 10, 2025, the Codebreakers launched a video competition inviting participants to create short videos highlighting the hack, its potential implications, and the group’s Telegram channel. Prize money in cryptocurrency was offered as an incentive, suggesting an effort to maximize reach and impact. This, too, could be seen as a possible indication of state-backed involvement.

Taken as a whole, the evidence suggests that this operation is less likely to be a traditional financially motivated attack and more likely a targeted influence campaign. The choice of language, the method of disclosure, and the nature of the demands all point to objectives that are not monetary. Instead, the operation appears aimed at reaching an Iranian audience, undermining trust in state institutions, and potentially stirring domestic unrest.
The operation is ongoing and will continue to be monitored closely.
[Footnotes]
(1) U.S. Department of the Treasury, 2007. Iran’s Bank Sepah Designated by Treasury for Facilitating Iran’s Weapons Program. [online] Available at: https://home.treasury.gov/news/press-releases/hp219 [Accessed 16 Apr. 2025].
(2) U.S. Department of the Treasury, 2007. Bank Sepah – Sanctions Listing. [online] Available at: https://sanctionssearch.ofac.treas.gov/Details.aspx?id=25580 [Accessed 16 Apr. 2025].
DISCLAIMER
Copyright and License of Product
This report (the "Product") is the property of Cyfluence Research Center gGmbH ("Cyfluence") and is protected by German and international copyright laws. The User is granted a limited, non-transferable license to use the Product solely for internal purposes. Reproduction, redistribution, or disclosure of the Product, in whole or in part, without prior written consent from Cyfluence is strictly prohibited. All copyright, trademark, and proprietary notices must be maintained.
Disclaimer of Warranties
The Product is provided "as is" without warranties of any kind, express or implied, including but not limited to warranties of merchantability or fitness for a particular purpose. Although Cyfluence takes reasonable measures to screen for viruses and harmful code, it cannot guarantee the Product is free from such risks.
Accuracy of Information
The information in the Product has been obtained from sources believed to be reliable. However, Cyfluence does not guarantee the information's accuracy, completeness, or adequacy. The User assumes full responsibility for how they use and interpret the Product. Cyfluence is not liable for errors or omissions; opinions may change without notice.
Limitation of Liability
To the fullest extent permitted by law, Cyfluence shall not be liable for any direct, indirect, incidental, or consequential damages, including lost profits or data, arising from the use of or inability to use the Product, even if advised of such possibilities. Liability for intent or gross negligence remains unaffected under German law.
Indemnification
The User agrees to indemnify and hold harmless Cyfluence, its affiliates, licensors, and employees from any claims or damages arising from the User’s use of the Product or violation of these terms.
Third-Party Rights
The provisions regarding Disclaimer of Warranties, Limitation of Liability, and Indemnification extend to Cyfluence, its affiliates, licensors, and their agents, who have the right to enforce these terms.
Governing Law and Jurisdiction
This Agreement is governed by German law, and any disputes shall be resolved exclusively in the courts of Berlin. If any provision is found invalid, the remaining terms remain in full effect.