Iran interrogating software firm at epicenter of ‘worst-ever’ bank hack

Tosan Company
Tosan Company

Iran International has learned that "Tosan," the company whose system was used in the hacking of over 20 Iranian banks, is now under control of security agencies, with its employees being interrogated.

Earlier in the week, Politico reported that an Iranian entity paid hackers $3 million in ransom to dissuade them from releasing the data of over 20 hacked banks, confirming Iran International’s earlier report about the “biggest-ever” cyberattack on Iran’s banking system.

Iran International reported on August 14 that the major cyberattack targeted several Iranian banks, leading to the theft of a huge amount of data. Initial assessments indicated at the time this could be one of the largest cyberattacks ever against Iranian state infrastructure, even though Iranian officials kept mum about the revelation.

In its report on Wednesday, Politico wrote that the cyberattack targeted 20 of the 29 active credit institutions in Iran, threatening the stability of the Islamic Republic's banking system. The report said it appears to be the “worst cyberattack” against the country.

Citing unnamed sources, Politico noted that the group “IRLeaks” which has a history of hacking Iranian companies, is likely behind the cyberattack.

“IRleaks entered the banks’ servers via a company called Tosan, which provides data and other digital services to Iran’s financial sector,” the officials told Politico. “Using Tosan as a Trojan horse, the hackers appear to have siphoned data from both private banks and Iran’s central bank... The regime ultimately forced Tosan to pay the IRLeaks ransom.”

The report said the affected banks included “the Bank of Industry and Mines, Mehr Interest-Free Bank, Post Bank of Iran, Iran Zamin Bank, Sarmayeh Bank, Iran-Venezuela Bi-National Bank, Bank Day, Bank-e Shahr, Eghtesad Novin Bank, and Saman, which also has branches in Italy and Germany.”

The same hacker group, IRLeaks, had earlier in December 2023 claimed responsibility for a cyberattack on Snapp Food, the country's largest food delivery app, boasting access to the personal details of over 20 million users, and exposing a vast trove of sensitive information.

The compromised data, reportedly up for sale at $30,000, included usernames, passwords, email addresses, full names, and mobile numbers. The hackers claimed to possess detailed information on over 51 million user addresses, complete with GPS coordinates and phone numbers.

In that case, too, ransom money was paid to dissuade the hackers from releasing the personal data of Iranian users.

Also in September 2023, the hacking group reported a breach on the ride-hailing service Tapsi, affecting more than 33 million users. The hackers claimed to have engaged in negotiations with Tapsi's management for two weeks before making the breach public. However, the company refused to meet the hackers' demand of $35,000.

The recurrent nature of such incidents in Iran highlights the absence of stringent laws and penalties for negligence in safeguarding private information.

The lack of user rights, including the inability to request the deletion of personal data, underscores the urgency for regulatory reforms to address the growing threat of information leaks in the country.