A massive cyberattack that hit Iran last month threatened the stability of its banking system and forced the country's regime to agree to a ransom deal of millions of dollars, people familiar with the case say.

An Iranian firm paid at least $3 million in ransom last month to stop an anonymous group of hackers from releasing individual account data from as many as 20 domestic banks in what appears to be the worst cyberattack the country has seen, according to industry analysts and western officials briefed on the matter.

A group known as IRLeaks, which has a history of hacking Iranian companies, was likely behind the breach, the officials said. The hackers are said to have initially threatened to sell the data they collected, which included the personal account and credit card data of millions of Iranians, on the dark web unless they received $10 million in cryptocurrency, but later settled on a smaller sum.

Iran’s authoritarian regime pushed for a deal, fearing that word of the data theft would destabilize the country’s already-wobbly financial system, which is under intense strain amid the international sanctions the country faces, the officials said.

Iran never acknowledged the mid-August breach, which forced banks to shut down cash machines across the country. Though the attack was reported at the time by Iran International, an opposition news outlet, neither the suspected hackers nor the ransom demands were disclosed.

Iran’s supreme leader delivered a cryptic message in the wake of the attack, blaming the U.S. and Israel for “spreading fear among our people,” without acknowledging the country’s banks were under assault.

“The enemy’s goal is to spread psychological warfare to push us into political and economic retreat and achieve its objectives,” Ayatollah Ali Khamenei said.

Election influence

That accusation seemed plausible given the broader tensions between Israel, the U.S. and Iran. While Tehran blames Israel for the recent assassination of a senior Hamas leader in Iran, Washington accuses Iran of trying to influence the U.S. election by hacking into Donald Trump’s campaign operation.

Those tensions notwithstanding, people familiar with the Iranian banking hack told POLITICO that IRLeaks is affiliated with neither the U.S. nor Israel, suggesting the attack may have been the work of freelance hackers driven primarily by financial motives.

Such cases have become increasingly common around the world in recent years as sophisticated hackers seize private data from governments and companies and demand ransom in return for not releasing the information.

Iran is no stranger to such activity. In December, IRLeaks claimed to have stolen the customer data of nearly two dozen Iranian insurance companies and to have hacked into Snapp Food, a delivery service. Though the companies agreed to pay ransom to IRLeaks, it was far less than the group received from the banking hack, the officials said.

Iran’s supreme leader delivered a cryptic message in the wake of the attack, blaming the U.S. and Israel for “spreading fear among our people." | Photo by Ali Khaligh/Middle East Images/AFP via Getty Images

IRLeaks entered the banks’ servers via a company called Tosan, which provides data and other digital services to Iran’s financial sector, the officials said. Using Tosan as a Trojan horse, the hackers appear to have siphoned data from both private banks and Iran’s central bank. Of Iran’s 29 active credit institutions, as many as 20 were hit, said the officials, who requested anonymity in order to reveal sensitive information.

Among the affected banks were the Bank of Industry and Mines, Mehr Interest-Free Bank, Post Bank of Iran, Iran Zamin Bank, Sarmayeh Bank, Iran-Venezuela Bi-National Bank, Bank Day, Bank-e Shahr, Eghtesad Novin Bank, and Saman, which also has branches in Italy and Germany.

The regime ultimately forced Tosan to pay the IRLeaks ransom, a person familiar with the events said.

Severe difficulties

What isn’t clear is whether the hackers used Tosan to hit other targets in Iran. The firm has a wide customer base, including government entities beyond the central bank.

Iran’s financial sector has long been the country’s Achilles heel.

Iranian banks are undercapitalized by international standards and further burdened by loans they are forced to make to the government, which counts as the sector’s biggest borrower.

In February, Iran’s central bank chief said that eight of the country’s banks were facing severe difficulties and would either be merged or dissolved.

Despite those concerns, Iranians continue to park their money in the banks and rely on them to handle their daily transactions. With an inflation rate of nearly 40 percent, Iranians eschew cash for the convenience of digital payments.

Even so, the banking system’s overall fragility leaves individual lenders exposed to sudden bank runs. That danger might explain why the regime refused to publicly acknowledge the attack and pressured Tosan to pay the hackers.