IRGC Moves Hundreds of Millions in Crypto After US-Israel Strikes on Iran
In the first hours after American and Israeli airstrikes hit Iran on Feb. 28, IRGC operatives moved tens of millions out of their crypto wallets. The transfers scaled to hundreds of millions in the days that followed, landing in wallets used by the Houthis, Hezbollah and personal safe havens for regime insiders.
RAKIA, a cyber intelligence firm that develops data analysis platforms for governments and security agencies, tracked the surge in real time. Fox News Digital detailed the findings as they unfolded.
The regime that spent years building a $3 billion crypto operation to fund its proxies used that infrastructure to evacuate its war chest at the start of the conflict. In the two months since, the IRGC has turned it outward against Americans and allies.
Iran's hackers rely on stolen passwords harvested by commodity malware and basic hacking software sold for a few dollars on dark web marketplaces.
President Donald Trump's strikes on Feb. 28 showed the regime responds to pressure. Targeting the credential supply chain, as America does with ransomware infrastructure, could shut down these breaches.
At the end of March, Iran-linked hackers breached FBI Director Kash Patel's personal email and posted years-old photos and documents online. The pro-Iranian group Handala, linked by the Justice Department to Iran's Ministry of Intelligence and Security, said Patel was now "among the list of successfully hacked victims."
On March 11, Handala crippled Stryker, one of America's largest medical device makers. The group wiped more than 200,000 devices across 79 countries and disrupted care for the 150 million patients it serves a year.
On March 18, Iranian hackers defaced the website of Yeshiva World News, a major Orthodox Jewish news site in America. They replaced its homepage with images of the Iranian supreme leader.
The Justice Department has documented Handala sending death threats to Jewish journalists and Iranian dissidents in America. The group also solicited Mexican cartel partners to carry out violence.
None of these attacks needed sophisticated malware. The Stryker intrusion traced to a single stolen administrator credential, likely harvested by commodity malware and sold on a Russian-language forum. The same supply chain fueled the Patel breach and the Yeshiva World News defacement.
That supply chain operates on dark web marketplaces where infostealer operators sell millions of stolen American credentials monthly. Iranian intelligence buys there and sells credentials harvested from Western users via Iranian IP addresses.
On May 4, Handala claimed it penetrated the Emirati port of Fujairah, stealing 430,000 documents including oil pipeline maps. It said IRGC missile units then struck the port minutes later. Bloomberg and Reuters confirmed the strike. The cyber claim is unverified, but the model matches what RAKIA analysts have observed.
A top UAE cybersecurity official said the country now faces 500,000 to 700,000 cyberattack attempts per day, with a jump after Feb. 28.
Treasury sanctions wallets, the FBI seizes Handala websites and indicts operators, and the State Department offers $10 million rewards. These address symptoms, not the credential supply chain.
Infostealer marketplaces should be treated like ransomware infrastructure: as military and intelligence targets. The Pentagon's Cyber Command has taken ransomware sites offline. The same applies to markets selling Iran access to American hospitals.
The federal government can mandate real-time stealer log monitoring for agencies, defense contractors and critical infrastructure operators. Somebody should have known about the Stryker credentials within minutes.
Any future deal with Iran must treat crypto sanctions like the nuclear issue. An agreement ignoring financial pipelines to Hezbollah, the Houthis and IRGC funds the next war.
Defense alone has failed. The credentials are mapped, the marketplaces visible, and operators leave fingerprints. The window to act remains open.