PROBABLYPWNED
Threat Intelligence | June 15, 2026 | 4 min read

Black Wolves Claim Iran Banking Cyberattack Hitting 4 Banks

A cyberattack disrupted services at four major Iranian banks on June 14, with hacktivist group Black Wolves claiming responsibility for targeting shared infrastructure.

Alex Kowalski

A coordinated cyberattack struck four major Iranian banks on June 14, knocking mobile banking apps, ATMs, and point-of-sale terminals offline across the country. The hacktivist group Black Wolves has claimed responsibility, declaring on Telegram: "A silent war is unfolding, and Iran is under cyberattack."

The Coordination Council of Iranian Banks confirmed the incident affected Bank Melli, Bank Tejarat, Bank Saderat, and the Export Development Bank of Iran—institutions that collectively serve millions of customers and process significant portions of Iran's domestic financial transactions.

What Happened

The attack targeted a shared communications infrastructure used by all four banks. According to the council's statement, technical teams implemented protective measures that "temporarily affected some banking services for customers" while they worked to secure systems.

The disruption was immediately visible to Iranian residents. Reports from Tehran described electronic payments failing at supermarkets, restaurants, and gas stations. Some businesses resorted to recording purchases manually as card services went down.

Services affected included:

  • Mobile banking applications
  • Internet banking platforms
  • ATM networks
  • Point-of-sale terminals
  • Card-based payment services

The council stated that no customer data was breached and no information was deleted, though independent verification of these claims isn't available.

Black Wolves: A New Actor?

Black Wolves appears to be a relatively new entrant in the hacktivist space targeting Iran. The group's claim and messaging style suggest ideological motivation rather than financial gain, though attribution in hacktivist operations remains notoriously difficult to verify.

The attack follows a pattern of escalating cyber operations targeting Iranian infrastructure. We previously covered Handala's claimed breach of California water utility Cal-Water, which represented Iranian-affiliated actors targeting Western infrastructure. This incident inverts that dynamic—actors apparently targeting Iranian systems in what Black Wolves frames as an ongoing "silent war."

Critical Infrastructure Under Pressure

Banking infrastructure attacks carry significant real-world consequences. When payment systems fail, supply chains stall. The Tehran gas station disruptions illustrate how cyber incidents cascade into physical impacts—a concern that drives much of the recent CISA guidance on operational technology security.

Iran's banking sector has faced repeated cyber incidents in recent years. The IRLeaks attacks previously exposed data from Iranian financial institutions, and the country's relative isolation from Western cybersecurity services may limit recovery capabilities.

For context on infrastructure targeting, the Handala attack against Cal-Water demonstrated how critical infrastructure—whether in the Middle East or the United States—faces escalating threats from ideologically motivated actors. The difference here is directional: Iran finding itself on the receiving end.

What This Means for Threat Intelligence

Several indicators deserve attention:

  1. Shared infrastructure as a force multiplier - Attacking a common communications backbone let the attackers disrupt four banks simultaneously rather than breaching each individually

  2. Hacktivist-style operations with real impact - Black Wolves achieved tangible disruption without deploying ransomware or demanding payment, suggesting their goals are primarily disruptive or reputational

  3. Attribution complexity - While Black Wolves claimed credit, hacktivist operations sometimes serve as cover for nation-state activity, and Telegram claims alone don't establish definitive attribution

Recovery Status

Iranian authorities have not provided a detailed timeline for full service restoration. The council stated recovery efforts were underway as of June 14, but the scope of protective measures implemented—and whether those involve taking certain systems offline—remains unclear.

For financial institutions elsewhere, this incident reinforces why shared infrastructure requires particularly rigorous security review. A single point of compromise affecting multiple institutions creates systemic risk that exceeds the sum of individual institutional exposures.

Monitoring the Situation

The immediate question is whether Black Wolves has persistent access or if this was a one-time disruptive action. Groups claiming hacktivist motivations sometimes conduct follow-on operations or release data to maximize attention.

Iran's banking sector will likely implement additional monitoring and potentially accelerate infrastructure diversification to reduce shared-infrastructure risk. Whether they have the capability to attribute the attack to specific actors—or respond in kind—remains an open question in an increasingly active cyber landscape.
