https://www.international.gc.ca Date modified: 2025-09-12
Summary
Rapid Response Mechanism Canada (RRM Canada) has detected a “hack and leak” operation by Iran-linked hacker group, “Handala Hack Team” (Handala). The operation targeted five Iran International journalists, including one from Canada. RRM Canada assesses that the operation began on July 8, 2025.
The hacked materials ranged from photos of government IDs to intimate content. They were first released via the Handala website, then further amplified via X, Facebook, Instagram, Telegram, and Iranian news websites. At the time of assessment, engagement with the hacked materials has varied from low to medium (between 0 to 2,200 interactions and 1 to 225,000 views), depending on the platform. The social media campaign appears to have stopped as of early August.
Following the aftermath of the initial “hack and leak” operation, RRM Canada also detected amplification of the leaked information through multiple AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek. These platforms all outlined detailed information about the “hack and leak” operation, providing names of the affected individuals, the nature of the leaked information, and links to the released images. RRM Canada notes that some of these chatbots continue to surface the leaked images upon request.
Many sources, including the Atlantic Council, have associated the Handala Hack group with Iran’s intelligence services. Footnote1
Targets and content
Initial “hack and leak” operation
On July 8, 2025, alleged “hacktivist” group “Handala Hack Team” claimed to have accessed the internal communication and server infrastructure of Iran International—a Farsi satellite television channel and internationally-based English, Arabic, and Farsi online news operation.Footnote2 The group released several uncensored photos of government IDs (including passports, permanent resident cards, and driver’s licences) of five Iran International staffers. In some instances, released content included email address passwords, along with intimate photos and videos. (See Annex A)
RRM Canada detected the operation on July 9, 2025, following the release of the information on a Telegram channel associated with Handala. The group claimed to have acquired information of thousands of individuals linked to Iran International, including documents and intimate images of journalists who worked for the news agency.Footnote3
On July 11, 2025, RRM Canada detected further distribution of materials on X and Facebook. The information appears to focus on a Canadian resident employed by Iran International. The leak included several photos of the individual’s ID, including their provincial driver’s licence, permanent resident card, and Iranian passport, and other personal photos and videos. Three other internationally based staff of the news agency were targeted in a similar fashion, with the release of government-issued ID on Handala’s website and then distributed online.
It is believed that more journalists have been affected by the hack, and there are suggestions that the group is also using the hacked intimate images as a source of revenue by implementing pay-for-play access to some images.
Information amplified through AI chatbots
RRM Canada tested six popular AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek—to assess whether the platforms would retrieve and share the information leaked by Handala. While the required prompts varied, all tested chatbots outlined detailed information about the operation, providing the names of the individuals implicated in the lead in addition to the nature of information. (See Annex B)
In addition to providing information, links, and, in some cases, images related to the leak, the chatbots provided citations that included links to unreliable or state-linked sources or repeated unverified accusations against Iran International regarding its credibility from Handala.
Tactics, techniques and procedures
“Hack and leak” operations are a type of cyber-enabled influence campaign where malicious actors hack into a target’s systems or accounts to steal sensitive or private information and then leak the information publicly. Operations are often implemented with the intent to damage reputations, influence public opinion, disrupt political processes, and even put personal safety at risk.
These operations are often associated with state-sponsored actors, hacktivist groups, or cybercriminals.
Links to Iranian intelligence
Handala established their web presence in December 2023. The group has limited social media presence, likely resulting from frequent violations of the platforms’ terms of service.
Atlantic Council and several threat intelligence firms (including Recorded Future, Trellix, and others) report that Handala has connections or is affiliated with other Iranian intelligence-linked groups such as Storm-842 (also known as Red Sandstorm, Dune, Void Manticore, or Banished Kitten).Footnote4 Iran International asserts that Handala and Storm-842 are the same group operating as a cyber unit within Iran’s Ministry of Intelligence.Footnote5
Implications
The leak of personal information increases the risk to the personal safety of the affected Iran International staff. The ease of access to the information resulting from search engine algorithms and availability on AI chatbots further increases this risk. Such operations are used as a form of digital transnational repression (DTNR), which is leveraged to coerce, harass, silence, and intimidate those who speak against foreign actors or against their interests.
Annex A: Sample images of leaked information
Image 1
Image 1: Government-issued ID and personal photos of a Canadian resident working for Iran International.
Image 2
Image 2: post likely from Handala Hack Team associates amplifying leaked materials.
Annex B: Large language model outputs
Image 3
Image 3: Web version of ChatGPT producing leaked images.
Image 4
Image 4: Google’s Gemini reproducing images of the leak.
Image 5
Image 5: Grok showing X posts that include leaked information.
Image 6
Image 6: Claude generating responses with a citation linking directly to Handala's website.
Image 7
Image 7: DeepSeek generating responses with a citation linking directly to Handala’s website.
nytimes.com By Farnaz FassihiRonen Bergman and Mark Mazzetti 2025/08/30
Israel was able to track the movements of key Iranian figures and assassinate them during the 12-day war this spring by following the cellphones carried by members of their security forces.
The meeting was so secret that only the attendees, a handful of top Iranian government officials and military commanders, knew the time and location.
It was June 16, the fourth day of Iran’s war with Israel, and Iran’s Supreme National Security Council gathered for an emergency meeting in a bunker 100 feet below a mountain slope in the western part of Tehran. For days, a relentless Israeli bombing campaign had destroyed military, government and nuclear sites around Iran, and had decimated the top echelon of Iran’s military commanders and nuclear scientists.
The officials, who included President Masoud Pezeshkian, the heads of the judiciary and the intelligence ministry and senior military commanders, arrived in separate cars. None of them carried mobile phones, knowing that Israeli intelligence could track them.
Despite all the precautions, Israeli jets dropped six bombs on top of the bunker soon after the meeting began, targeting the two entrance and exit doors. Remarkably, nobody in the bunker was killed. When the leaders later made their way out of the bunker, they found the bodies of a few guards, killed by the blasts.
The attack threw Iran’s intelligence apparatus into a tailspin, and soon enough Iranian officials discovered a devastating security lapse: The Israelis had been led to the meeting by hacking the phones of bodyguards who had accompanied the Iranian leaders to the site and waited outside.
Israel’s tracking of the guards has not been previously reported. It was one part of a larger effort to penetrate the most tightly guarded circles of Iran’s security and intelligence apparatus that has had officials in Tehran chasing shadows for two months.
According to Iranian and Israeli officials, Iranian security guards’ careless use of mobile phones over several years — including posting on social media — played a central role in allowing Israeli military intelligence to hunt Iranian nuclear scientists and military commanders and the Israeli Air Force to swoop in and kill them with missiles and bombs during the first week of the June war.
“We know senior officials and commanders did not carry phones, but their interlocutors, security guards and drivers had phones; they did not take precautions seriously, and this is how most of them were traced,” said Sasan Karimi, who previously served as the deputy vice president for strategy in Iran’s current government and is now a political analyst and lecturer at Tehran University.
The account of Israel’s strike on the meeting, and the details of how it tracked and targeted Iranian officials and commanders, is based on interviews with five senior Iranian officials, two members of the Islamic Revolutionary Guards Corps and nine Israeli military and intelligence officials.
The security breakdowns with the bodyguards are just one component of what Iranian officials acknowledge has been a long-running and often successful effort by Israel to use spies and operatives placed around the country as well as technology against Iran, sometimes with devastating effect.
Want to stay updated on what’s happening in Iran and Israel? , and we’ll send our latest coverage to your inbox.
Following the most recent conflict, Iran remains focused on hunting down operatives that it fears remain present in the country and the government.
“Infiltration has reached the highest echelons of our decision making,” Mostafa Hashemi Taba, a former vice president and minister, said in an interview with Iranian media in late June.
This month Iran executed a nuclear scientist, Roozbeh Vadi, on allegations of spying for Israel and facilitating the assassination of another scientist. Three senior Iranian officials and a member of the Revolutionary Guards said Iran had quietly arrested or placed under house arrest dozens of people from the military, intelligence and government branches who were suspected of spying for Israel, some of them high-ranking. Israel has neither confirmed nor denied a connection to those so accused.
Spy games between Iran and Israel have been a constant feature of a decades-long shadow war between the two countries, and Israel’s success in June in killing so many important Iranian security figures shows just how much Israel has gained the upper hand.
President Masoud Pezeshkian of Iran attending a protest in Tehran on June 22, following the U.S. attacks on nuclear sites in Iran. Mr. Pezeshkian himself escaped an attack on a bunker on June 16.
Credit...
Arash Khamooshi for The New York Times
Israel had been tracking senior Iranian nuclear scientists since the end of 2022 and had weighed killing them as early as last October but held off to avoid a clash with the Biden administration, Israeli officials said.
From the end of last year until June, what the Israelis called a “decapitation team” reviewed the files of all the scientists in the Iranian nuclear project known to Israel, to decide which they would recommend to kill. The first list contained 400 names. That was reduced to 100, mainly based on material from an Iranian nuclear archive that the Mossad, the Israeli intelligence agency, had stolen from Iran in 2018. In the end, Iran said the Israelis focused on and killed 13 scientists.
At the same time, Israel was building its capacity to target and kill senior Iranian military officials under a program called “Operation Red Wedding,” a play on a bloody “Game of Thrones” episode. Brig. Gen. Amir Ali Hajizadeh, the commander of the Revolutionary Guards’ Aerospace Force, was the first target, one Israeli official said.
Ultimately, Israeli officials said, the basic idea in both operations was to locate 20 to 25 human targets in Iran and hit all of them in the opening strike of the campaign, on the assumption that they would be more careful afterward, making them much harder to hit.
In a video interview with an Iranian journalist, the newly appointed head of the Revolutionary Guards Corps, Brig. Gen. Ahmad Vahidi, said that although Israel had human operatives and spies in the country, it had tracked senior officials and scientists and discovered the location of sensitive meetings mostly through advanced technology.
“The enemy gets the majority of its intelligence through technology, satellites and electronic data,” General Vahidi said. “They can find people, get information, their voices, images and zoom in with precise satellites and find the locations.”
From the Israeli side, Iran’s growing awareness of the threat to senior figures came to be seen as an opportunity. Fearing more assassinations on the ground of the sort that Israel had pulled off successfully in the past, the supreme Iranian leader, Ayatollah Ali Khamenei, ordered extensive security measures including large contingents of bodyguards and warned against the use of mobile phones and messaging apps like WhatsApp, which is commonly used in Iran.
Those bodyguards, Israel discovered, were not only carrying cellphones but even posting from them on social media.
“Using so many bodyguards is a weakness that we imposed on them, and we were able to take advantage of that,” one Israeli defense official said.
Iranian officials had long suspected that Israel was tracking the movements of senior military commanders and nuclear scientists through their mobile phones. Last year, after Israel detonated bombs hidden inside thousands of pagers carried by Hezbollah operatives in Lebanon, Iran banned many of its officials in particularly sensitive jobs from using smartphones, social media and messaging apps.
Smartphones are now completely off limits for senior military commanders, nuclear scientists and government officials.
The protection of senior officials, military commanders and nuclear scientists is the responsibility of an elite brigade within the Revolutionary Guards called Ansar al-Mehdi. The commander in chief of Ansar, appointed last August after the new government came into office, is Gen. Mohamad Javad Assadi, one of the youngest senior commanders in the Guards.
General Assadi had personally warned several senior commanders and a top nuclear scientist, Mohammad Mehdi Tehranchi, that Israel was planning to assassinate them at least a month before they were killed on the first day of the war, according to two senior Iranian officials with knowledge of the conversation. He had also called a meeting with the team leaders of security details asking them to take extra precautions, the officials said.
The cellphone ban initially did not extend to the security guards protecting the officials, scientists and commanders. That changed after Israel’s wave of assassinations on the first day of the war. Guards are now supposed to carry only walkie-talkies. Only team leaders who do not travel with the officials can carry cellphones.
But despite the new rules, according to officials who have held meetings with General Assadi about security, someone violated them and carried a phone to the National Security Council meeting, allowing the Israelis to carry out the pinpoint strike.
Hamzeh Safavi, a political and military analyst whose father is the top military adviser to Ayatollah Khamenei, said that Israel’s technological superiority over Iran was an existential threat. He said Iran had no choice but to conduct a security shakedown, overhaul its protocols and make difficult decisions — including arrests and prosecution of high-level spies.
“We must do whatever it takes to identify and address this threat; we have a major security and intelligence bug and nothing is more urgent than repairing this hole,” Mr. Safavi said in a telephone interview.
Iran’s minister of intelligence said in a statement this month that it had foiled an Israeli assassination attempt on 23 senior officials but did not provide their names or details of their positions and ranks. It said in the months leading up to the war, Iran had discovered and foiled 13 plots by Israel that aimed to kill 35 senior military and government officials. (An Israeli intelligence official disputed the Iranian account, saying that Israel had not been carrying out operations ahead of the surprise attack in June that could have led to heightened alertness on the part of Iran.)
The statement also said that security forces had identified and arrested 21 people on charges of spying for the Mossad and working as field and support operators in at least 11 provinces around Iran.
Iran has also accelerated efforts to recruit its own spies in Israel since the attacks of Oct. 7, 2023, which ignited the war in the Gaza Strip and triggered aggressive Israeli military operations in Iran and Lebanon.
Over the past year, Shin Bet, Israel’s domestic intelligence service, has arrested dozens of Israelis and charged them with being paid agents of Iran, accused of helping collect intelligence about potential targets for Iranian strikes on Israel.
Israel has made killing Iran’s top nuclear scientists an urgent priority as a way to set back the nation’s nuclear program, even poisoning two young upcoming scientists.
As Iran made steady progress over the years toward enriching its uranium stockpile into near-weapons grade material, Israeli military and intelligence officials concluded that the campaign of sabotage and explosions in the enrichment apparatus, which the Mossad had been engaged in for many years, had only a marginal impact.
In 2021, according to three Israeli security officials, the focus turned to what Israeli officials called “the weapon group” — a cadre of Iranian scientists who the Israelis believed met regularly to work on building a device to trigger the enriched uranium and cause a nuclear explosion. This is one of the most technologically difficult parts of a nuclear project. (Iran has said its nuclear program is for peaceful purposes, and the U.N.’s atomic watchdog and American intelligence agencies have long assessed that Iran has not weaponized its nuclear project.)
It was this group of scientists that became the focus of what Israel called Operation Narnia, the military plan to kill off scientists during the war’s early days this spring.
By the time of the June 16 national security meeting of top Iranian officials, Israel had already killed a number of high-profile figures associated with the nuclear program, including Mr. Tehranchi and Fereydoun Abbasi, another nuclear scientist, both killed just days earlier. The cellphones of their bodyguards helped Israel target all of them.
But Israel was also targeting a wide variety of Iranian leaders, including the heads of government branches at the national security meeting, and killed at least 30 senior military commanders through strikes during the war.
General Hajizadeh, the head of the Revolutionary Guards’ air force, assembled his leadership team, accompanied by their security units, at the very start of the war to monitor intelligence about possible Israeli strikes. Israeli warplanes swooped in and carried out a pinpoint strike on the bunker where General Hajizadeh had taken refuge, killing him and other top commanders.
Mr. Hajizadeh’s son Alireza has said that his father took extra caution with phones. On a video published on Iranian media, he said that “when my father wanted to discuss something important he would tell us to take the phones and smart devices out of the room and place it far away.”
The ability to track the bodyguards also helped lead the Israelis to the June 16 meeting. The attendees, in addition to Mr. Pezeshkian, the Iranian president, included the speaker of Parliament, Gen. Mohammad Baqer Ghalibaf, and the head of the judiciary, Gholam-Hossein Mohseni-Ejei. Also on hand were the ministers of the interior, defense and intelligence and military commanders, some brand-new to their jobs after their bosses had been killed in previous strikes.
The attack destroyed the room, which soon filled with debris, smoke and dust, and the power was cut, according to accounts that emerged afterward. Mr. Pezeshkian found a narrow opening through the debris, where a sliver of light and oxygen was coming through, he has said publicly.
Three senior officials said the president dug through the debris with his bare hands, eventually making enough of a space for everyone to crawl out one by one. Mr. Pezeshkian had a minor leg injury from a shrapnel wound and the minister of interior was taken to the hospital for respiratory distress, officials said.
“There was only one hole, and we saw there was air coming and we said, we won’t suffocate. Life hinges on one second,” Mr. Pezeshkian said recently, recounting the attack in a meeting with senior clerics, according to a video published in Iranian media. He said if Israel had succeeded in killing the country’s top officials it would have created chaos in the country.
“People,” he said, “would have lost hope.”
blog.narimangharib.com Nariman Gharib 22.08.2025
Lab-Dookhtegan has been systematically targeting Iranian infrastructure for months now, and when they reached out about their latest operation, I knew it would be significant. This group doesn't mess around - their March attack on 116 vessels proved that. But even knowing their track record, the evidence they shared from their August operation shocked me: 64 ships cut off from the world, navigation systems wiped clean, and digital destruction so thorough that some vessels might be offline for months.
The group hit 39 tankers and 25 cargo ships belonging to Iran's sanctioned maritime giants NITC and IRISL. While they gave media outlets the headline - "ships' communications disrupted" - the technical evidence tells a much darker story.
Let me walk you through what really happened.
The hackers didn't go after the ships directly. That would be nearly impossible - you'd need to compromise dozens of individual vessels scattered across the globe. Instead, they found something better: Fanava Group, an Iranian IT company that just happens to provide satellite communications to the entire fleet.
The screenshots they shared show root access on Linux terminals running iDirect satellite software - version 2.6.35, which is ancient by cybersecurity standards. We're talking about software so old it probably has more known vulnerabilities than my grandmother's Internet Explorer browser.
But here's where it gets interesting. They didn't just pop one system and call it a day. The database dumps show they mapped out the entire fleet - vessel by vessel, modem by modem. I'm looking at MySQL queries pulling records for ships like the Touska, Mahnam, Zardis, and dozens of others. Each entry includes the ship's modem serial number, network IDs, the works. It's like having a complete blueprint of Iran's maritime communication network.
Once inside, the hackers went after something called "Falcon" - the software that keeps these satellite links alive. Think of it as the heart of the ship's communication system. Stop the Falcon, and the ship goes dark. No emails to shore, no weather updates, no port coordination, nothing.
But here's what the email logs actually reveal - and this is huge: the timestamps go back to May and June. That means Lab-Dookhtegan didn't just hit and run in March. They've been sitting inside Iran's maritime network for five months straight. They had persistent access this entire time, could flip systems on and off whenever they wanted, and probably monitored every communication going through.
The "Node Down Notification" alerts I'm seeing are from various points over these months - they were testing their control, making sure they still had the keys. But this time, in August, they didn't just test. They went nuclear.
Scorched Earth at Sea
The attackers didn't just want to disrupt operations - they wanted to cause permanent damage. I found commands showing systematic data destruction:
dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
For non-technical readers, this is the digital equivalent of taking a hammer to the ship's communication equipment. They overwrote six different storage partitions with zeros. Everything gone - navigation logs, message archives, system configurations, even the recovery partitions that would let you fix the system remotely.
Imagine you're a captain in the middle of the Indian Ocean, and suddenly your satellite terminal isn't just offline - it's been lobotomized. You can't fix it, your IT team can't remote in to help, and the nearest port might be days away.
As if cutting data communications wasn't enough, they also grabbed the entire IP phone system configuration. I'm looking at a spreadsheet with phone numbers, IP addresses, and - this is the embarrassing part - passwords in plain text. We're talking passwords like "1402@Argo" and "1406@Diamond."
With this data, the attackers could theoretically listen to phone calls between ships and ports, impersonate vessels, or just cause more chaos by killing voice communications too.
Why This Matters
NITC and IRISL aren't just any shipping companies. They're the backbone of Iran's sanctions-busting operations. NITC's tankers regularly switch off their tracking systems to secretly deliver oil to China. IRISL has been sanctioned by basically everyone - US, EU, UN - for helping Iran's nuclear program.
These ships operate in the shadows by design, and now they're stuck there - unable to phone home, navigate properly, or even send a distress signal if something goes wrong.
This is Lab-Dookhtegan's second hit this year. They claimed to have disrupted 116 vessels back in March, timing it with US operations against the Houthis in Yemen. This time, the attack comes just as the US Treasury added another 13 companies to the sanctions list for dealing with Iranian oil.
Coincidence? You tell me.
Here's what the public reports missed: this isn't something you fix with a reboot. These ships need physical intervention. Someone has to board each vessel, probably in port, and completely reinstall the communication systems from scratch. We're talking weeks, maybe months, of downtime per ship.
For a sanctions-squeezed fleet that relies on staying under the radar and maintaining precise coordination to avoid seizure, this is catastrophic. You can't evade sanctions if you can't communicate. You can't deliver oil if you can't navigate. You can't even call for help if something goes wrong.
The hackers knew exactly what they were doing. This was precision surgery designed to cripple Iran's maritime operations at the worst possible time.
And based on the evidence I've seen, they succeeded beyond what anyone's reporting.
bleepingcomputer.com - Cybersecurity firm Profero cracked the encryption of the DarkBit ransomware gang's encryptors, allowing them to recover a victim's files for free without paying a ransom.
This occurred in 2023 during an incident response handled by Profero experts, who were brought in to investigate a ransomware attack on one of their clients, which had encrypted multiple VMware ESXi servers.
The timing of the cyberattack suggests that it was in retaliation for the 2023 drone strikes in Iran that targeted an ammunition factory belonging to the Iranian Defence Ministry.
In the ransomware attack, the threat actors claimed to be from DarkBit, who previously posed as pro-Iranian hacktivists, targeting educational institutes in Israel. The attackers included anti-Israel statements in their ransom notes, demanding ransom payments of 80 Bitcoin.
Israel's National Cyber Command linked DarkBit attacks to the Iranian state-sponsored APT hacking group known as MuddyWater, who have a history of conducting cyberespionage attacks.
In the case investigated by Profero, the attackers did not engage in ransom payment negotiations, but instead appeared to be more interested in causing operational disruption.
Instead, the attackers launched an influence campaign to maximize reputational damage to the victim, which is a tactic associated with nation-state actors posing as hacktivists.
Decrypting DarkBit
At the time of the attack, no decryptor existed for DarkBit ransomware, so Profero researchers decided to analyze the malware for potential weaknesses.
DarkBit uses a unique AES-128-CBC key and Initialization Vector (IV) generated at runtime for each file, encrypted with RSA-2048, and appended to the locked file.
Profero found that the key generation method used by DarkBit is low entropy. When combined with the encryption timestamp, which can be inferred from file modification times, the total keyspace is reduced to a few billion possibilities.
Moreover, they found that Virtual Machine Disk (VMDK) files on ESXi servers have known header bytes, so they only had to brute force the first 16 bytes to see if the header matched, instead of the entire file.
Profero built a tool to try all possible seeds, generate candidate key/IV pairs, and check against VMDK headers, which they ran in a high-performance computing environment, recovering valid decryption keys.
In parallel, the researchers discovered that much of the VMDK file content hadn't been impacted by DarkBit's intermittent encryption, as those files are sparse and many encrypted chunks fall onto empty space.
This allowed them to retrieve significant amounts of valuable data without having to decrypt it by brute-forcing keys.
"As we began to work on speeding up our brute force, one of our engineers/team members? had an interesting idea," explained Profero.
"VMDK files are sparse, which means they are mostly empty, and therefore, the chunks encrypted by the ransomware in each file are also mostly empty. Statistically, most files contained within the VMDK filesystems won't be encrypted, and most files inside these file systems were anyways not relevant to us/our task/our investigation."
"So, we realized we could walk the file system to extract what was left of the internal VMDK filesystems... and it worked! Most of the files we needed could simply be recovered without decryption."
iranintl.com - A cyberattack during the 12-day Iran-Israel war destroyed banking data at major Iranian banks Sepah and Pasargad, halting services nationwide and triggering a high-stakes emergency response by an Iranian banking software firm, a senior engineer said.
“Nothing was accessible. Nothing was visible,” wrote Hamidreza Amouzegar, deputy head of product development at the software firm Dotin, in a LinkedIn post recounting the June 17 breach.
“We tried the backup site—same story there.”
The internet banking, mobile banking, and ATMs of the two banks remained largely non-functional until recently.
Dotin, a major provider of digital systems to Iranian banks, found itself at the center of the crisis.
“Sepah Bank’s primary data center had gone dark, with monitoring dashboards frozen and all stored data apparently corrupted,” he added.
When engineers attempted to switch over to the disaster recovery site, they found that it too had failed, with matching damage reported.
“At that point, the priority was no longer identifying the culprit or mapping the technical details,” Amouzegar wrote. “It was about getting public banking services back online—fast.”
To that end, he wrote, teams turned to Samsonite, a portable data center in a suitcase developed by Dotin following service disruptions in 2022. The system was designed to provide core banking functions—particularly card transactions—for short periods without reliance on the main network.
Nobitex, Iran’s largest cryptocurrency exchange, had also confirmed cyberattacks against its systems during the war.
The pro-Israel hacker group Predatory Sparrow, known for prior cyberattacks on Iran’s fuel infrastructure, claimed responsibility for "paralyzing" Sepah Bank and draining more than $90 million from Nobitex.
Sepah Bank is responsible for processing the payments of military personnel.
Pasargad Bank had already deployed Samsonite, allowing it to restore limited services by the early hours of June 19. Sepah, which had not yet installed the system, remained offline longer, Amouzegar added.
Basic card functionality there was only restored by June 20 after a full system rebuild from partial offline backups, he wrote.
“For a bank processing over a billion transactions monthly, losing just one day meant more than 30 million transactions vanished,” Amouzegar said.
Sepah’s full recovery took until June 27, during which time Samsonite processed more than 60 million transactions.
“The cyber war ended three days after the ceasefire,” he added. “But recovery will take months. What I’ve shared here is only a fragment of the story.”
morphisec - In the volatile aftermath of the Israel-Iran-USA conflict, a sophisticated cyber threat has re-emerged, targeting organizations across the West. Morphisec’s threat research team has uncovered the revival of Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation, now operating as Pay2Key.I2P. Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, previously analyzed by Morphisec for its ELENOR-Corp variant, Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities. Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment. With over $4 million in ransom payments collected in just four months and individual operators boasting $100,000 in profits, this campaign merges technical prowess with geopolitical motives. Our upcoming report includes personal communications from the group, revealing their dedication and the reasons behind rewriting their ransomware.
This blog introduces our technical analysis and OSINT findings, exposing Pay2Key.I2P’s operations and its ties to Mimic.
ince its debut in February 2025, Pay2Key.I2P has expanded rapidly. Strategic marketing on Russian and Chinese darknet forums, combined with a presence on X since January 2025, indicates a planned rollout. With over 51 successful ransom payouts in four months, the group’s effectiveness is undeniable.
While profit is a motivator, Pay2Key.I2P’s ideological agenda is clear. Their focus on Western targets, coupled with rhetoric tied to Iran’s geopolitical stance, positions this campaign as a tool of cyber warfare. The addition of a Linux-targeted ransomware build in June 2025 further expands their attack surface, threatening diverse systems.
Security experts are dismissing a pro-Iranian hacktivist group's claim to have breached Indian nuclear secrets in reprisal for the country's support of Israel.
The LulzSec Black group last week claimed to have hacked "the company responsible for Indian nuclear reactors" and to have stolen 80 databases, of which it was now selling 17 databases containing 5.2 gigabytes of data. The group claimed the information detailed the precise location of India's nuclear reactors, numerous chemical laboratories, employee personally identifiable information, industrial and engineering information, precise details of guard shifts and "other sensitive data related to infrastructure."
LulzSec Black, named after the notorious hacktivist collective that committed a string of high-profile hits in 2011, claims to be a group of "Palestinian hackers." Previous attacks tied to the group include disruptions targeting Israel, as well as countries that support Israel, including France and Cyprus.
Threat intelligence firm Resecurity said the group's nuclear claims vary from being dramatically overstated to outright lies.
"This activity is related to the 'pseudo-hacktivist' activities by Iran" designed to provoke fear, uncertainty and doubt, Resecurity told Information Security Media Group. "Many of their statements are overstatements, having no connection to reality. For example, they clearly do not have '80 databases' or even 5.2 GB of data."
LulzSec Black's claims arrive amidst U.S. government alerts of the "heightened threat environment" facing critical infrastructure networks and operational technology environments, following Israel launching missile strikes against Iran on June 13 (see: Infrastructure Operators Leaving Control Systems Exposed).
While the resulting regional war appears to now be moderated by a fragile ceasefire, many governments are still bracing for reprisals (see: Israel-Iran Ceasefire Holding Despite Fears of Cyberattacks).
What LulzSec Black may actually possess is identity and contact information for nuclear specialists, likely stolen from third-party HR firms and recruitment websites such as the CATS Software applicant tracking system and recruitment software, Resecurity said. This can be seen in the long list of various job titles - "security auditor, heavy water unit," "nuclear engineer, analysis lab, tritium gas," and "radiation officer, fuel fabrication, uranium dioxide" - in a sample of dumped data.
In that data, tags such as "Top Secret," appear, which Resecurity said likely either reflect clearances held by job candidates, or were added by the hackers themselves "so it will look like it is from some nuclear energy facility."
WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election.
In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.
On 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent. Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.”
Their sudden disappearance coincided with a major Israeli airstrike campaign against Iranian military and cyber infrastructure. Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity.
What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation.
Hacktivist attacks surge on U.S. targets after Iran bombings, with groups claiming DDoS hits on military, defense, and financial sectors amid rising tensions.
The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict.
Several hacktivist groups have claimed DDoS attacks against U.S. targets in the wake of U.S. airstrikes on Iranian nuclear sites on June 21.
The attacks—most notably from hacktivist groups Mr Hamza, Team 313, Cyber Jihad, and Keymous+—targeted U.S. Air Force domains, major U.S. Aerospace and defense companies, and several banks and financial services companies.
The cyberattacks follow a broader campaign against Israeli targets that began after Israel launched attacks on Iranian nuclear and military targets on June 13. Israel and Iran have exchanged missile and drone strikes since the conflict began, and Iran also launched missiles at a U.S. military base in Qatar on June 23.
The accompanying cyber warfare has included DDoS attacks, data and credential leaks, website defacements, unauthorized access, and significant breaches of Iranian banking and cryptocurrency targets by Israel-linked Predatory Sparrow. Electronic interference with commercial ship navigation systems has also been reported in the Strait of Hormuz and the Persian Gulf.
Jun 18, 2025, 19:09 GMT+1
Iran’s state broadcaster was hacked Wednesday night, with videos calling for street protests briefly aired.
Footage circulated on social media showed protest-themed clips interrupting regular programming.
"If you experience disruptions or irrelevant messages while watching various TV channels, it is due to enemy interference with satellite signals," state TV said.
The hacking of the programming on Wednesday night was limited to satellite transmissions, the Islamic Republic of Iran Broadcasting (IRIB) said.
The government cited the recent hacks on Bank Sepah and cryptocurrency exchange Nobite as reasons to shut down internet access to virtually all Iranians.
Earlier this week, virtually everyone in Iran lost access to the internet in what was called a “near-total national internet blackout.”
At the time, it was unclear what happened or who was responsible for the shutdown, which has severely limited Iranians’ means to get information about the ongoing war with Israel, as well as their ability to communicate with loved ones inside and outside of the country.
Now Iran’s government has confirmed that it ordered the shutdown to protect against Israeli cyberattacks.
“We have previously stated that if necessary, we will certainly switch to a national internet and restrict global internet access. Security is our main concern, and we are witnessing cyberattacks on the country’s critical infrastructure and disruptions in the functioning of banks,” Fatemeh Mohajerani, Iran’s government spokesperson, was quoted as saying in a local news story. “Many of the enemy’s drones are managed and controlled via the internet, and a large amount of information is exchanged this way. A cryptocurrency exchange was also hacked, and considering all these issues, we have decided to impose internet restrictions.”
The pro-Israeli hacktivist group Predatory Sparrow claimed on Tuesday to have hacked and taken down Iran’s Bank Sepah.
The group, which is also known by its Persian name Gonjeshke Darande, claimed responsibility for the hack on X.
“We, ‘Gonjeshke Darande,’ conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ ‘Bank Sepah,’” the group wrote.
The group claimed Bank Sepah is an institution that “circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program.”
According to the independent news site Iran International, there are reports of “widespread banking disruptions” across the country. Iran International said several Bank Sepah branches were closed on Tuesday, and customers told the publication that they were unable to access their accounts.
Ariel Oseran, a correspondent for i24NEWS, posted pictures of ATMs in Iran displaying an error message.
TechCrunch could not independently verify the group’s alleged cyberattack. We reached out to two Bank Sepah Iranian email addresses, but the messages returned an error. Bank Sepah’s affiliates in the U.K. and Italy did not immediately respond to requests for comment.
Predatory Sparrow did not respond to a request for comment sent to their X account, and via Telegram.
The alleged cyberattack on Bank Sepah comes as Israel and Iran are bombing each other’s countries, a conflict that started after Israel began targeting nuclear energy facilities, military bases, and senior Iranian military officials on Friday.
It’s unclear who is behind Predatory Sparrow. The group clearly fashions itself as a pro-Israel or at least anti-Iran hacktivist group and has targeted companies and organizations in Iran for years. Cybersecurity researchers believe the group has had success in the past and made credible claims.
Hannah Neumann was targeted in a cyber-espionage operation by an infamous Iranian hacking group earlier this year, she said.
A prominent European Parliament member was the victim of what is believed to be a cyber-espionage operation tied to her role as chair of the chamber's Iran delegation, she told POLITICO.
The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software.
"It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them," Neumann said.
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks.
The Department of Homeland Security knows which countries SS7 attacks are primarily originating from. Others include countries in Europe, Africa, and the Middle East.
The last known cyberattack waged against Iranian infrastructure took place last December with blame placed on Israel and the US.
We banned accounts linked to an Iranian influence operation using ChatGPT to generate content focused on multiple topics, including the U.S. presidential campaign. We have seen no indication that this content reached a meaningful audience.
APT42, which is believed to work for Iran’s Revolutionary Guard Corps, targeted about a dozen people associated with both Trump’s and Biden’s campaigns this spring, according to Google’s Threat Analysis Group.
