IRLeaks Attack on Iranian Banks Data Breach
The IRLeaks attack on Iranian banks stands as a cautionary tale for both organizations and cybersecurity professionals, exposing critical vulnerabilities in financial systems. This breach, targeting multiple Iranian banks, led to the compromise of sensitive financial and personal data, shaking public trust and showcasing the devastating impact of sophisticated cyberattacks. Below, we break down the incident, its timeline, and the lessons it offers for bolstering cybersecurity defenses.
IRLeaks attack on Iranian Banks data breach explained: what happened?
In mid-August 2024, a group known as IRLeaks compromised Tosan, an Iranian IT vendor that provides digital banking infrastructure to roughly 45% of the country's banks. By going through Tosan, the attackers accessed data from as many as 20 of Iran's 29 active credit institutions—including both private banks and the central bank.
The stolen data included account numbers, full names, dates of birth, nationalities, home addresses, and detailed transaction records for several million bank customers.
IRLeaks announced the breach themselves on their Telegram channel on August 9, 2024, threatening to sell the data publicly unless they received $10 million in cryptocurrency. That post—not a bank disclosure, not a regulatory notice—is what set off everything that followed.
When did the IRLeaks attack on Iranian Banks happen?
The breach occurred in mid-August 2024. Iran International first publicly reported the attack on August 14, 2024, describing it as potentially the largest cyberattack ever against Iranian state infrastructure. Politico Europe confirmed the ransom payment and additional details on September 4–5, 2024, followed by CyberScoop's reporting on September 6, 2024, which included documentary evidence of the negotiations.
The Iranian government never officially acknowledged the breach.
Who hacked Iranian Banks?
IRLeaks, a group with a documented history of targeting Iranian companies and government entities, claimed responsibility via their Telegram channel on August 9, 2024. The group emerged publicly in July 2023 and had previously claimed attacks against Iranian insurance companies, Snapp Food (Iran's largest food delivery app), and the ride-hailing service Tapsi.
Western officials and analysts briefed on the incident told Politico that IRLeaks is affiliated with neither the US nor Israel. The available evidence—including the group's pattern of ransom demands, negotiated payments, and financially motivated targeting—suggests these are freelance attackers driven by financial gain, not political actors conducting state-sponsored espionage.
How did the IRLeaks attack happen?
The attack exploited vulnerabilities in a third-party IT vendor closely tied to Iranian banks. By compromising the vendor's tools, the attackers moved laterally into the networks of the banks it served. Weak security practices at the vendor, including inadequate patch management, amplified the attack's success.
IRLeaks Attack on Iranian Banks Timeline
- Mid-August 2024 — IRLeaks compromises Tosan's systems and exfiltrates data from up to 20 Iranian banks. ATMs are shut down across the country.
- August 9, 2024 — IRLeaks posts on their Telegram channel (nearly 19,000 subscribers) threatening to sell the stolen data publicly unless they receive $10 million in cryptocurrency.
- August 8–9, 2024 — Ransom negotiations begin. Emails between IRLeaks and Tosan CEO Arash Babaei show Tosan initiating contact and sending an initial bitcoin payment.
- August 14, 2024 — Iran International publicly reports the attack. Iran's Central Bank denies any hack occurred.
- Early September 2024 — Politico Europe publishes the first comprehensive account of the breach, ransom demand, and payment.
- September 6, 2024 — CyberScoop reports on emails and blockchain evidence documenting the negotiation and installment payments, totaling approximately $561,000 in bitcoin at the time of publication. The total agreed ransom was 35 bitcoin.
- September 6, 2024 — Iran International reports that Tosan's offices are now under the control of Iranian security agencies and its employees are being interrogated.
- Ongoing — Iran never officially acknowledges the breach. IRLeaks deletes the original Telegram post as part of the payment agreement.
Technical Details
Tosan serves as a centralized digital infrastructure layer for much of Iran's banking sector—making it an exceptionally high-value target for a supply chain attack. By compromising Tosan, IRLeaks gained access to data from institutions they never had to touch directly.
After exfiltration, IRLeaks used their Telegram channel as the primary pressure mechanism, posting sample data descriptions and a $10 million demand. Negotiations with Tosan's CEO were conducted over email. The agreed payment schedule was 1 bitcoin upfront, followed by 3 bitcoin per week until a total of 35 bitcoin was paid. Blockchain analysis by Chainalysis confirmed the wallet received payments from at least two Iranian exchanges, consistent with payments from Iranian entities.
The Telegram post was deleted by IRLeaks after Tosan sent the initial payment—a condition of the deal.
Indicators of Compromise (IoCs)
Specific technical IoCs from this incident have not been publicly disclosed. However, the attack pattern itself is a documented indicator of IRLeaks' operational style:
- Supply chain entry through a centralized IT vendor
- Bulk data exfiltration across multiple downstream clients
- Public Telegram announcement with sample data descriptions as an extortion mechanism
- Ransom negotiated privately via email; post deleted upon initial payment
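The pattern above (one vendor identity pulling bulk data from many downstream clients) is something a defender can look for in vendor-side audit logs even without incident-specific IoCs. The following is an added illustration, not code from the original page, from Huntress, or from Tosan: the log format, field names, principal names, thresholds and sample lines are all constructed assumptions. It flags any principal that exports a large row count from several distinct tenants within a short sliding window, which is the shape a supply-chain exfiltration across multiple banks would take.

```python
"""Detection heuristic for bulk exfiltration across multiple downstream tenants.

Constructed example: the log format, field names, principal and tenant names and
the thresholds below are assumptions for illustration only; they are not
artifacts from the Tosan/IRLeaks incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log lines in the assumed format:
#   <ISO timestamp> <principal> <tenant> <action> <rows>
# A vendor support account normally runs small queries against one tenant at a
# time; a burst of large exports across many tenants is the anomaly we want.
SAMPLE_LOG = """\
2024-08-07T01:02:11Z svc-vendor-support bank-a query 120
2024-08-07T01:04:40Z svc-vendor-support bank-b export 2500000
2024-08-07T01:06:02Z svc-vendor-support bank-c export 1800000
2024-08-07T01:07:55Z svc-vendor-support bank-d export 3100000
2024-08-07T01:09:13Z svc-vendor-support bank-e export 900000
2024-08-07T09:15:00Z analyst.jane bank-a query 40
2024-08-07T09:16:10Z analyst.jane bank-a query 35
2024-08-07T10:00:00Z svc-batch-reconcile bank-b query 50000
"""


def parse_line(line):
    """Parse one whitespace-separated audit line into a dict (assumed format)."""
    ts, principal, tenant, action, rows = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "tenant": tenant,
        "action": action,
        "rows": int(rows),
    }


def detect_multi_tenant_exfil(log_text, window=timedelta(minutes=30),
                              min_tenants=3, min_rows=1_000_000):
    """Return one alert per principal whose 'export' actions touch at least
    min_tenants distinct tenants and at least min_rows rows inside any sliding
    window of the given length. Only export actions count; ordinary queries are
    ignored so that normal support activity does not trip the rule."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_principal = defaultdict(list)
    for e in events:
        if e["action"] == "export":
            by_principal[e["principal"]].append(e)

    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            tenants, rows = set(), 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                tenants.add(e["tenant"])
                rows += e["rows"]
            if len(tenants) >= min_tenants and rows >= min_rows:
                alerts.append({
                    "principal": principal,
                    "tenants": sorted(tenants),
                    "rows": rows,
                    "window_start": start["ts"],
                })
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_multi_tenant_exfil(SAMPLE_LOG):
        print(f"{alert['principal']} exported {alert['rows']} rows from "
              f"{len(alert['tenants'])} tenants starting {alert['window_start']}")
```

In a real deployment the thresholds should be tuned to the vendor's baseline (for example, how many tenants a single support session legitimately touches), and the rule pairs naturally with a per-tenant allow-list so that a vendor identity exporting from a tenant it is not assigned to is flagged on its own.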
Forensic and Incident Investigation
Incident investigations revealed inadequate security controls within the vendor’s systems, including missing critical patches and flawed access management policies. Forensic reports highlighted gaps in detection mechanisms that allowed the breach to go unnoticed for weeks.
What data was compromised in the IRLeaks attack?
The breach compromised significant volumes of financial data, including transactional records, account numbers, and customer PII such as national IDs, phone numbers, and email addresses. There is no confirmation that the stolen data was encrypted.
How many people were affected by the IRLeaks attack?
Up to 20 of Iran's 29 active credit institutions were affected, with Tosan's systems serving approximately 27 million Iranians. Affected banks named in reporting include the Bank of Industry and Mines, Mehr Interest-Free Bank, Post Bank of Iran, Iran Zamin Bank, Sarmayeh Bank, Iran-Venezuela Bi-National Bank, Bank Day, Bank-e Shahr, Eghtesad Novin Bank, and Saman Bank (which has branches in Italy and Germany).
No official figure has been confirmed by Iranian authorities.
Was my data exposed in the IRLeaks attack?
The breach primarily affected customers of Iranian banks. Given that Iran never acknowledged the incident, there has been no official notification process or lookup tool made available by Iranian institutions. Customers of affected banks—particularly those named in reporting—should assume their account data and personal information may have been exposed.
Key impacts of the IRLeaks attack
The visible impacts were significant:
- ATMs shuttered nationwide. The attack forced banks to take cash machines offline, disrupting daily transactions for millions of Iranians.
- Ransom paid. Tosan—reportedly under pressure from Iranian authorities—paid IRLeaks approximately $3 million to stop the data release.
- Government suppression of the incident. Iran's Central Bank publicly denied any breach occurred, even as ATMs were offline and negotiations were underway.
- Tosan put under government control. After the story became public, Iranian security agencies took over Tosan's offices and began interrogating employees.
- Chilling effect on financial trust. Iranian officials reportedly feared that public knowledge of the breach would further destabilize an already-fragile financial system under intense international sanctions pressure.
Response to the IRLeaks attack
The Iranian government's response was to deny the breach publicly while negotiating a ransom payment privately. Iran's Supreme Leader addressed "psychological warfare" by unnamed foreign actors without acknowledging the banking attack. Iran's Central Bank called media coverage "fake news."
Behind the scenes, Tosan's CEO entered into email negotiations with IRLeaks and began making bitcoin payments within 24 hours of the Telegram post. The regime ultimately forced Tosan to cover the ransom.
No public incident response, breach notification, or security audit process was disclosed.
Lessons from the IRLeaks attack on Iranian banks
This incident underscores the importance of rigorous vendor security assessments, real-time threat detection, and proactive incident response plans. Organizations must ensure continuous vulnerability management and employee education to avoid similar breaches.
Is it safe to use Iranian banks after the breach?
While affected banks claim to have improved their defenses, vulnerabilities likely persist due to the attack's scale. Ongoing monitoring and transparency will be critical in restoring customer confidence and ensuring systemic security.
Mitigation & prevention strategies
To prevent similar breaches, organizations should:
- Implement multi-factor authentication (MFA) across all systems.
- Establish robust patch management practices.
- Limit third-party access and conduct vendor security audits.
- Utilize SIEM solutions like Huntress Managed SIEM for real-time monitoring.
FAQs
The attack involved exploiting vulnerabilities in a third-party IT vendor’s systems, enabling attackers to infiltrate Iranian banking networks and access sensitive data.
Compromised data included financial transaction records, account numbers, and PII like national IDs and emails. There’s no confirmation about the encryption status.
The attack is suspected to have been conducted by politically motivated cybercriminals, but no official attribution has been confirmed.
Organizations can safeguard their systems by conducting vendor assessments, implementing multi-factor authentication, enforcing patch management, and maintaining SIEM tools for proactive threat detection.