In mid-2025, the 12-day war between Israel and Iran featured an unprecedented cyber campaign against the Islamic Republic’s financial system. Previous state-sponsored hacks aimed to steal data, ransom assets or disrupt operations. Israel did something far more radical: It destroyed digital assets and banking records to undermine the regime. While Israel’s success has undoubtedly been noticed by a US administration looking for new tools to confront what they see as a clear and present threat, it has surely also been noticed by central banks and regulators talked with ensuring resilience in payment systems.
Resilience Is More Than Bunkers
Wars are not only about soldiers and bombs and tanks and things. They are also about money, and attacks on the financial infrastructure of an enemy can be as effective as kinetic assaults. One of my favourite examples highlights the rise of the City of London in England’s ascent to global power. In 1587 it was City financiers who “cornered” bills of exchange drawn on Genoan banks so effectively that they were able to disrupt the build-up of resources for Phillip II’s Great Armada, demonstrating how sophisticated economic warfare had become by the 1580s.
(Adam Anderson, writing in 1787, says that the defeating of the Armada “does equal honour to commerce” which is one of my favourite phrases of all time.)
Well, four centuries on, in June of this year, an Israeli hacking group known as “Predatory Sparrow” infiltrated the Iranian Bank Sepah’s systems and destroyed critical data leading to a shutdown of customer services, failures at connected banks (including Kosar Bank and Ansar Bank, both linkted to Iran’s military) and disruption in the retail payments network. The following day the group attacked an Iranian crypto exchange called Nobitex and stealing $90 in cryptocurrency. Rather interestingly, instead of making off with the loot, the hackers sent the proceeds to addresses with no owners, effectively destroying the value and making recovery impossible, in order to emphasise the political, rather than financial, nature of the raid.
We must expect similar attacks from Iran on Western infrastructure in the future, of course. Iran has a “robust cyber apparatus” spread across three different agencies: the Islamic Revolutionary Guard Corps (IRGC), the Ministry of Intelligence and the Ministry of Defense. In the short term the attacks are expected to be disruptive but not catastrophic. In the longer term, however… The DHS has aready warned of an increased risk of cyberattacks either from Iran-friendly hacktivist groups or from the Iranian regime itself, but of course the cyberwar will be fought on many fronts.
A Russian attack, to choose an obvious example, will need not take the form of bunker busters on NATO command centres or spetsnatz paratroopers taking over Heathrow Airport. Look at the disruption causes around the Paris Olympics due to arson attacks on the rail network. Look at how Ireland’s healthcare system was debilitated by a cyberattack from a Russian-based ransomware group. Russia’s military intelligence Unit 29155 has been behind sabotage campaigns across Europe, where continuing attacks have involved leaking confidential conversations of military personnel (notably in Germany), as well as attacks on the energy grids, financial systems, and data infrastructure across Europe. We would be crazy not to learn from Ukraine’s experiences and prepare for the worst.
(It goes without saying that everyone needs to up their game. Last year, the Office of the Comptroller of the Currency (OCC) said 11 of the 22 large banks it oversees have “insufficient” or “weak” management of so-called operational risk, whether that means sabotage by agents of foreign power or stupid decisions by employees. Earlier this year the OCC revealed that it had been hacked and that sensitive financial oversight data was accessed by intruders for more than a year.)
This side of the Atlantic, the importance of operational resilience as a key requirement in financial services is being amplified and enforced by regulatory changes in the UK and Europe—namely, the UK’s Financial Conduct Authority’s Operational Resilience Mandate, which had a 31 March 2025 deadline, and the EU’s Digital Operational Resilience Act (DORA) framework deadline, which was earlier, in January 2025. Financial institutions complain about the cost of these resilience initiatives, but there is a thoughtful paper on this by Derek Duggan, The impact of the Digital Operational Resilience Act on financial market infrastructures in Europe , in which he concludes that FMIs that proactively embrace the requirements and invest in operational resilience can strengthen their position as trusted partners in the financial ecosystem. See the Journal of Securities Operations & Custody, vol. 16, no. 4, p.344-350, 2024.
Resilience In Payments
If we focus down on payments, one cost-effective way to increase the resilience of this vital national infrastructure is through diversity. Here we can take on board one key lesson from Ukraine which is that the resilience of retail payments infrastructure is enhanced by offline capabilities, not using more physical cash but using offline digital money. It seems to me that with renewed debate around the topic of the digital euro, that is an aspect of the subject that needs more focus.
(In fact, I would go even further and say that there is no point in developing any central bank digital currency that cannot function offline for limited periods at the very least.)
We do not have the luxury of preparing for some future conflict, because the cuberwar is already here. I remember when General Sir Nick Carter (then Britain’s Chief of the Defence Staff) said a few year ago that the UK was already “at war every day” due to constant cyberattacks. Even more interestingly, he then went on to say in the modern world there is no longer a distinction between war and peace (my emphasis). This is precisely as the great media theorist Marshall McLuhan predicted. In Culture is our Business, written half a century ago, he said that “World War III is a guerrilla information war with no division between military and civilian participation”.
This is why we in the fintech world need to bring innovation to the resilience of payment networks as much as to the cost, speed and transparency of payment networks. Let us hope that victory in the cyberwar will do equal honour to fintech!