The recent hacking scandal involving Bank Sepah, Iran’s oldest and most prominent financial institution, has revealed more than just a catastrophic failure of cybersecurity. It has laid bare the incompetence of a regime that prizes secrecy and control above the welfare of its own citizens.
On March 26, 2025, the hacker group “Codebreakers” announced that it had breached Bank Sepah’s systems, extracting over 12 terabytes of data belonging to 42 million customers, spanning a century. Far from admitting fault or addressing the vulnerabilities in its infrastructure, the clerical dictatorship’s response was predictably defensive and aggressive.
Bank Sepah officials initially dismissed the hackers’ claims as “baseless” and “an attempt to cause public distress.” But when the hackers released sensitive information concerning military officials, including Hassan Polarak, the bank reluctantly admitted to the breach. What followed was a familiar regime tactic: legal threats, censorship, and efforts to cover up the scandal rather than solve the problem.
Power Struggles, Corruption Scandals, and #Cyber Attacks Over Influence in #Iranian Regime’s Upcoming Parliamenthttps://t.co/fP6LsxZAsM
— NCRI-FAC (@iran_policy) May 21, 2024
Iranian state-affiliated media predictably portrayed the hacking as part of an anti-regime plot. An article published by Khabar Fori described the incident as a “psychological operation aimed at discrediting the reputation of Hassan Polarak, head of the Reconstruction of Holy Shrines Headquarters.” The regime’s mouthpieces claimed that the financial records published by Codebreakers were misleading, designed to tarnish the reputation of the armed forces.
The official narrative insisted that many of the exposed accounts belonged to organizations rather than individuals, registered under personal names for convenience. This clumsy attempt at deflection only highlights the regime’s desperate efforts to contain the fallout from the breach.
Instead of focusing on securing citizens’ sensitive information, Bank Sepah issued legal threats against anyone disseminating the leaked data. “Any dissemination of alleged information related to individual and institutional accounts, particularly those related to military entities, constitutes a violation of confidentiality principles and will be subject to legal action,” the bank’s statement read.
Watch and judge how an Iranian #cyber group exposed the #regime's vulnerability pic.twitter.com/HTy5m0qmHa
— NCRI-FAC (@iran_policy) June 1, 2023
The bank’s thinly veiled threats against journalists and social media users further underscore the regime’s instinct to punish those who expose its incompetence rather than address the systemic flaws that led to the breach. Critics argue that this approach typifies the clerical dictatorship’s obsession with silencing dissent rather than acknowledging its own failures.
The hashtag #بانک_سپه_غلط_کرد (#BankSepahMessedUp) trended for days on Iranian social media, with users condemning the regime’s negligence and lack of accountability. For many, the scandal is yet another symptom of a failing system that cannot protect its own citizens but remains obsessed with suppressing any form of criticism.
The fact that even state-affiliated reporters have addressed the Bank Sepah hacking scandal raises suspicions about the broader implications of the breach. While their reports attempt to blame certain powerful factions, the regime’s willingness to allow such discussions to surface through controlled media channels suggests there may be more to the story. Whether intentionally leaked or not, the incident remains a significant blow to the regime’s credibility.
Mysterious Death of #Cyber Activist Raises Questions Amid #Iran’s Political Turmoilhttps://t.co/bOXQER2h7R
— NCRI-FAC (@iran_policy) October 24, 2023
The Bank Sepah breach is only the latest in a long line of cybersecurity disasters for the Iranian regime. From the 2021 gas station hack that paralyzed the country’s fuel distribution network to the 2023 breach of Tehran Municipality’s systems, the regime has repeatedly demonstrated its incapacity to protect critical infrastructure.
The clerical dictatorship’s approach to such crises is always the same: denial, blame-shifting, and a refusal to engage in preserving the public’s interests. The Iranian people, however, are no longer fooled. The wave of anger that accompanied the Bank Sepah scandal is a testament to the public’s deepening frustration with a regime that values secrecy and control over competence and accountability.