Reflections of the Israel-Iran Conflict on the Cyber World

Update: $90M Heist, June 19, 2025

Update: Iran Faces Major Internet Blackout, June 18, 2025

Update: Over the Weekend, June 16, 2025

In the early hours of June 13, 2025, Israel launched a major air offensive against Iran. The operation, named Operation Rising Lion, targeted nuclear enrichment sites, missile facilities, and homes of senior military leaders. Prime Minister Benjamin Netanyahu described it as a preemptive strike to remove an “existential threat.” Iran’s Supreme Leader Ali Khamenei condemned the attacks and promised a bitter response. Iran retaliated by launching around 100 armed drones toward Israel.

These events followed months of rising tension. The U.S., under President Trump, had been in talks with Iran to limit its nuclear program. Israel doubted Iran’s intentions and feared that diplomacy was just a stalling tactic. Israeli intelligence had warned of an imminent attack, and Netanyahu’s government decided to act alone. Meanwhile, Iran’s response raised alarms across the region. Airspace over Iraq and Jordan was shut down. Civilians in Tehran were caught in the crossfire, and multiple senior Iranian military figures and scientists were killed. This strike marked a new and dangerous chapter in the Middle East.

On Thursday, Prime Minister Benjamin Netanyahu placed a handwritten note in the Western Wall, Judaism’s holiest site. The note read, “The people shall rise up as a lion,” a line from the Book of Numbers 23:24. On Friday, his office released a photo of it. The verse, spoken by the non-Israelite prophet Balaam, compares Israel to a lion that rises in strength and does not rest until its enemy is defeated. In hindsight, the message hinted at the coming strikes on Iran.

Following Prime Minister Netanyahu’s symbolic note, the Iranian-linked group Moses Staff posted a tweet. The image shows a figure before a large gate, facing forward as a group of followers stands behind him.

The Arabic caption reads: “أنا الّذی سَمّتْنی أمّی حيدرة” Translation: “I am the one my mother named Haydra.” (X)

This line comes from a classical Arabic poem attributed to Ali ibn Abi Talib, a key figure in Islamic history. “Haydra” means lion — a name symbolizing bravery and strength. The poem praises Ali’s courage in battle.

Moses Staff, which analysts link to Iran’s IRGC, often uses such cultural and religious imagery in its propaganda. This suggests that the cyber reflections of this conflict may come faster and with more intensity than in past cases. Groups like Moses Staff are not just operating behind the scenes, they’re taking a more visible role from the start, mixing symbolic messaging with digital threats. Their early activity signals that state-linked cyber units may play a larger part in shaping both perception and pressure during this escalation.

Cyber Fallout – Possibilities

Iranian Cyber Units

Iran’s cyber forces, especially those linked to MOIS and IRGC, are likely mobilizing. These groups often use fake identities or front groups to hide their state connections. In the past, they used ransomware and wipers like Shamoon and Deadwood to disrupt enemy networks. The 2023 DarkBit attack on an Israeli university is one example. It included anti-Israel messages and was later tied to Iranian state hackers.

Just before the strikes, Iran’s Intelligence Minister claimed to have obtained secret Israeli documents. Tehran promised to release thousands of files soon. Iranian groups have previously targeted Israeli water systems, energy grids, and transportation networks. Israeli cyber officials expect more spear-phishing, malware, and sabotage attempts in the days ahead.

Hacktivists and Proxies

Iran’s cyber war is not limited to official groups. Aligned hacktivist outfits and proxies also play a role. Groups like Moses Staff and CyberAv3ngers have leaked data and attacked Israeli infrastructure before. Analysts believe these groups are run by or connected to Iran’s IRGC.

Other regional actors, such as Hezbollah, also have cyber units. Hezbollah’s Lebanese Cedar group has hacked telecoms and is likely supported by Iran. Hamas has some cyber capability but suffered heavy losses in earlier conflicts.

Global hacktivist groups are also getting involved. Russian-aligned collectives like the now defunct KillNet and Anonymous Sudan have previously targeted Israel. These groups often launch DDoS attacks and spread propaganda. Already, social media is full of messages promising new waves of cyber attacks against Israel.

Iran Orders Full Cyber Alert Across Government Systems

According to Iranian Shafaq News, Iran has ordered a full cyber alert across all government systems in response to the Israeli strikes. The alert, issued by Iran’s Supreme National Security Council, directs critical infrastructure and public sector networks to activate their defensive protocols and stay on high alert. This step signals that Tehran expects further cyber escalation and is preparing for potential attacks on state systems, communication infrastructure, or strategic industries. It highlights how seriously Iran views the cyber dimension of the conflict alongside the physical one.

Thus, the alerts seem to not just be in Iran. On June 13, 2025, at 10:47 AM, a message surfaced that was allegedly from Israel’s Home Front Command alert system. Written in Hebrew, it stated: “End of stay near a protected area in your zone” and “You no longer need to stay near a protected area.” This type of message is typically issued after a rocket or drone threat has passed. However, in this case, the alert is suspected to be fake or manipulated.

The Persian text states: “According to Hebrew media reports, due to a hack, the Home Front Command application in Israel has experienced internal disruptions.”

Israel and Allied Cyber Operations

Reports suggest that Israeli intelligence, possibly Mossad, conducted sabotage inside Iran. These actions may have included cyber attacks on air defense systems and missile launch sites. The slow Iranian response to the airstrike hints that some of their systems were disabled.

In past confrontations, Israel is believed to have used cyber means to augment physical attacks (a famous example being the alleged cyber disruption of Syrian air defenses during a 2007 airstrike). In the current case, by the time Israeli jets entered Iranian airspace on June 13, it appears Iran’s response was delayed and disorganized, suggesting some preemptive cyber sabotage may indeed have blinded or disrupted Iranian systems.

Reports from Tehran noted that some anti-aircraft batteries did not fire at all, and Iran’s promised “immediate counterstrike” was slower than expected. Analysts at the Institute for the Study of War pondered that Israel might have “somehow disrupted Iran’s response by targeting Iran’s ballistic missile launch sites and stockpiles” at the outset, potentially through a mix of air and cyber actions.

To Be Continue

The Israeli strikes on Iran have opened a new front in cyberspace. Iran and its allies are expected to retaliate digitally. From phishing attacks to ransomware, from disinformation to direct sabotage, all options are on the table. Early notable cyber activity posts are as follows:

Team Insane Pakistan has acted as a hacktivist group in cyberspace, showing support for Palestine, Pakistan, and now Iran during each of their respective real-world conflicts.

Russian hacker group, DieNet, though not clearly state-sponsored, tries to associate itself with anti-Western and anti-Israeli alliances.

This Telegram post, shared by LulzSec Black, contains a statement attributed to Hamas in Arabic. The group expresses solidarity with Iran following Israeli strikes and the reported killing of key Iranian commanders and nuclear scientists.

On the other hand, Israel is preparing for this, with possible help from global allies. The cyber domain might be a key battleground in the coming days. This is a fast-moving situation, and sadly, both physical and digital threats remain a serious concern. This blog will be updated as the situation evolves and new information becomes available.

Over the Weekend, June 16, 2025

What began as reactions from a few groups and small-scale hacktivist attacks on the first day quickly turned into a major cyber conflict zone over the weekend. Nearly a hundred hacktivist groups from both sides ramped up their activity in step with the sharp escalation of the physical conflict.

The number of Iranian or pro-Iranian groups appears to be much higher. While activist culture remains strong in Western countries, the hacktivist scene is largely dominated by actors from the Eastern hemisphere, where Iran enjoys broader support.

A hacktivism tracker account, has identified 65 pro-Iranian groups, 11 anti-Iranian, and 6 pro-Israeli groups 82 in total. The number is expected to rise as the conflict continues.

Hacktivist Groups Involved in the Iran-Israel Cyber Conflict by CyberKnow (as of 15 June 2025)

Below are the key developments and highlights from the weekend, grouped under major themes and incidents.

Cyber Threat Escalation

Cyberattacks against Israel surged by 700% in the two days following June 12, compared to the period before, Jerusalem Post reported. Hacker groups took position, prepared, and swiftly executed their attacks.

The spike began almost immediately after news of the operation broke. Researchers attributed this wave to retaliatory efforts by Iranian state-backed hackers and aligned groups, many of whom coordinated openly via pro-Iran Telegram channels. The attacks included:

• DDoS attacks on Israeli websites and services
• Intrusion attempts on critical infrastructure
• Malware and data theft campaigns targeting organizations

The impact was wide-ranging, affecting government portals, banks, telecom providers, and essential utilities. Most attacks were disruptive rather than destructive, causing slowdowns and brief service issues. Still, Israeli cyber defense units raised alert levels to protect vital services.

The cyber onslaught was broad in scope, a wide range of sectors in Israel came under attack, including:

• Government websites (official portals and online public services)
• Financial institutions (banks, stock exchanges, fintech systems)
• Telecommunications companies (ISPs and mobile providers)
• Critical infrastructure operators (energy, water, transportation systems)

Hacktivist Arena

At the same time, Telegram, where the current hacktivism still thrives on, accounts linked to hacktivist groups are being taken down rapidly. Handala Hack, one of the most active groups, lost its latest account. Before its removal, the group claimed it was sending mass emails to Israeli citizens with threats of missile strikes.

Over the weekend, Handala Hack launched a wave of high-profile cyberattacks targeting key Israeli institutions. The group claimed responsibility for allegedly leaking 300,000 documents from Delek Group, Delkol, Aerodreams, and YGI, exposing alleged military fuel supply ties and internal databases.

They also announced a major breach of the Weizmann Institute, stealing over 4TB of classified research and framing the operation as a strike on Israel’s scientific and military infrastructure.

In another attack, they allegedly compromised TBN Israel, accusing it of being a propaganda tool linked to Shin Bet. A 542GB data dump followed, with documents allegedly proving state-directed information control.

Handala positioned these breaches as part of a broader campaign to disrupt what they describe as systems of occupation and disinformation.

Of course, not all activity comes from the pro-Iran side. Israeli or allied Telegram-based hacktivist groups are also active. One notable example is Predatory Sparrow, a group that first appeared in 2023 during the Israeli-Palestinian escalation. They launched a Telegram channel announcing plans to target Iran.

After nearly two years of inactivity, the group has resumed operations with the latest conflict. Their channel is titled “Predatory Sparrow / Gonjeshke Darande”, combining English and Persian, and they post messages in English, Persian, and Hebrew.

On June 16, 2025, the 89th Cyber Unit claimed to have hacked into Israeli military systems, stealing sensitive data on weapons and nuclear sites. As with many cyber claims in the Israel-Iran conflict, the focus was on secret files and high-value targets. These statements often aim not just to show technical success, but to shape public perception.

The group Nation of Saviors claimed to have taken down the website of Israel’s Alon Group via DDoS, framing it as a response to the ongoing conflict. While data leaks have become more popular in this round of cyber activity, DDoS attacks remain the most common tactic used by hacktivists. Notably, South Asian hacktivist groups are heavily involved, amplifying the scale and reach of the ongoing cyber conflict.

While many Muslim-majority countries in South Asia show support for Iran, Indian actors often align with Israel, a pattern also seen during the recent Kashmir escalation, reflecting a broader ongoing trend.

There are also Muslim groups that likely oppose Iran due to sectarian differences, rather than alignment with Israel. These are more accurately described as anti-Iran rather than pro-Israel.

Anti-Iranian activity isn’t limited to sectarian motives—political opposition groups, both Iranian and those posing as Iranian, also play a role in targeting the regime.

And of course there is no show without Punch, Russian hacktivist groups are taking part in ongoing attacks.

Another interesting point is that groups like Arabian Ghosts are now targeting Jordan as well, accusing it of siding with Israel. They recently claimed attack on several Jordan News Agencies and announced plans to go after “Arabian Zionists”—a term they use for Arab states with ties to Israel. This shows that some hacktivist groups are not aligned with Iran but are driven by regional or ideological motives, including opposition to normalization with Israel.

APT Activity Heats Up

Experts warned that Iran’s APT groups could escalate their operations if the conflict continues. Future actions may include:

• Wiper malware to destroy data
• Ransomware claims to gain financial support
• Disruptive intrusions into water, fuel, or power systems
• Exploitation of PLCs, SCADAs and similar OT

The group has previously had members sanctioned by the U.S. government for targeting critical infrastructure and engaging in hostile cyber operations.

Another alleged APT, a group affiliated with Iran Cyber ICG, published a post claiming it had gained access to servers tied to Israel’s healthcare and financial sectors. The screenshot shows a Windows Server 2016 environment with system directories, likely meant to suggest deep access into alleged infrastructure.

According to the group, they are preparing software payloads targeting these systems, which they describe as part of the “Zionist regime’s child welfare and financial networks.”

Iran Faces Major Internet Blackout, June 18, 2025

Iran has restricted internet access across the country. Officials claim the move is to stop Israeli cyberattacks and limit the spread of information about strikes and protests. Bandwidth was cut by 80%, and full disconnection from the global internet is underway. Only the national network (N.I.N.) remains available, which most Iranians might distrust.

People report trouble contacting loved ones, using bank apps, or accessing news. VPNs are being blocked, making foreign apps and websites inaccessible. Many fear they can’t get timely war warnings, such as Israel’s recent evacuation alert for part of Tehran.

When internet traffic plunged in Iran in the late hours of June 17, the first thought was that an Israeli cyberstrike was behind it. Iran’s National Cybersecurity Command claimed Israel had launched “massive cyber attacks.”

Later that day, Iran’s government admitted it was intentional: they slowed and partially shut the global internet to ward off threats from abroad. Spokesperson Fatemeh Mohajerani said this was a “temporary, targeted, controlled” measure, not a cable fault or blackout, taken after the June 12 airstrikes, and not due to damage to physical infrastructure

Iran Limits Tech Use Among Officials

Iran’s cyber command has told top government officials and their security teams to stop using devices connected to public telecom networks. The order was reported by Fars News Agency, which is linked to the Revolutionary Guard.

Experts say Tehran fears Israeli cyber forces could use connected phones, laptops, or other tools for spying, hacking, or targeted attacks. One expert called it a sign of serious concern about digital threats to high-level officials.

Israel has used modified tech in past operations, including explosive-laced pagers used against Hezbollah members. By removing connected devices, Iran aims to limit those risks.

Pro-Israeli Group Claims Breach of Bank Sepah

The hacker group Predatory Sparrow, with possible ties to Israeli intelligence, has claimed responsibility for a major cyberattack on Iran’s Bank Sepah. The group says the strike was retaliation for the bank’s role in financing Iran’s military and nuclear programs.

This is the kind of thing that pushes hacktivism into something else entirely. Predatory Sparrow, described by WIRED as one of the most advanced groups of its kind, has claimed cyberattacks that caused explosions, shut down gas stations, and disrupted key infrastructure in Iran. If they started as hacktivists, they’ve crossed into territory that looks a lot like state-level cyberwarfare.

100+ Groups are Active

Over a hundred hacktivist groups are now active in the cyber conflict, launching coordinated attacks, leaking data, and targeting infrastructure across borders. Highlights of the hacktivist scene are as follows:

On June 18, the Handala group claimed responsibility for two major cyberattacks. The first allegedly targeted Mor Logistics Ltd, a firm linked to sensitive cargo operations in Israel. The group leaked 425 GB of internal documents and said this was just the beginning.

The second, larger alleged breach hit the Weizmann Institute of Science. Handala claims to have extracted over 4 TB of internal research, calling the institute part of Israel’s military and surveillance system. They framed the hack as a political act, not just a technical one.

Handala ended its post flow with a warning aimed at the finance sector. They signaled future targets will include institutions involved in economic pressure, crypto markets, and digital finance tied to resistance nations. The message was clear: those who disrupt or control these systems should not feel secure.

“Stability is not a right; it’s a privilege,” the group wrote. “The systems you trust may already be listening. Something unexpected is coming. And when it does, it won’t knock.”

The pro-Iran cyber coalition continues to grow. Mysterious Team Bangladesh called on hacker groups worldwide to join operations against Israel and its allies. Their message urged coordinated attacks not just on Israeli networks, but also on countries seen as supporting it, such as the US, UK, Egypt, Saudi Arabia, and Jordan.

With Russia heavily tied down in Ukraine, Putin has kept mostly to public condemnations over the Iran-Israel conflict. In that gap, Russian hacktivist groups seem to be putting a bit more on the table. DieNet’s latest post, claiming to take down Trump’s mobile company with DDoS.

Anonymous Syria Hackers claim to have breached an Iranian tech and information services company, purportedly gaining access to internal messages, account numbers, and billing data. Anonymous Syria Hackers and similar groups like Syrian Electronic Army hints at shifting regional dynamics. Syria, long seen as a loyal ally of Iran, now shows signs of distance after the governmental change. Former proxies may be stepping away, and possibly answering to new powers.

Pro-Iran hacktivist groups appear to be working toward a shared playbook as tensions escalate. A message originally posted in the now-closed OpIsrael Telegram channel is being circulated among allied teams as an informal directive.

The post outlines a coordinated approach if the U.S. formally enters the conflict, urging tighter operational security across Telegram, X, and other platforms. The focus is on preserving infrastructure, minimizing exposure, and avoiding unnecessary visibility.

As the message spreads, it suggests that pro-Iran hacktivist circles are aligning their tactics and trying to build consensus for the next phase of cyber operations.

$90M Heist, June 19, 2025

The cyber warfare took a major turn on June 18 when Predatory Sparrow breached Nobitex, Iran’s largest cryptocurrency exchange, stealing nearly $90 million in digital assets. The attack has sent shockwaves through the country’s financial and cybersecurity sectors.

Predatory Sparrow’s X post

A possible source of the initial access was a set of credentials leaked through stealer logs. These logs were published for sale on a Russian Market on September 17, 2023, by a vendor known as Hy####ad. The dataset, titled “archive.zip,” was listed for $10 and included data linked to Nobitex infrastructure. It contained employee email credentials from 2023 and 2024, and one admin-level account. The associated domains included bitex-mail[.]nobitex[.]net, testnet.nobitex.ir, and nobitex[.]ir.

SOCRadar, Threat Hunting

Predatory Sparrow claimed responsibility for the attack and, they posted a message on their account:

“8 burn addresses burned $90M from the wallets of the regime’s favorite sanctions violation tool, Nobitex. 12 hours from now, the source-code of Nobitex will be open to the public, and Nobitex’s walled garden will be without walls. Where do you want your assets to be?”

They shared wallet addresses across various blockchains, including Bitcoin, Ethereum, Tron, and Ripple. Twelve hours later, the group published what they claim is the full source code of Nobitex, along with a warning in Persian and English:

“Assets left in Nobitex are now entirely out in the open.

بازمانده دارایی های شما در نوبیتکس هم اکنون در معرض دید و خطر هستند”

They also began releasing internal deployment details from the exchange, starting with a post titled “Exchange Deployment.”

This breach is a significant blow to Iran’s efforts to build on crypto infrastructure, especially as the country faces increasing economic isolation.

Iran’s Internet Blackout Deepens

Over the last 48 hours, Iran has experienced near-total internet outages. While initial reports mentioned only a slowdown, it soon turned into a widespread blackout. Iranian authorities claimed the measures were necessary to maintain network stability and defend against cyberattacks. But many view this as a tactic to block the flow of information and prevent civilians from accessing external news or organizing online.

NetBlocks’ X post

Network monitoring firm NetBlocks observed a dramatic drop–around 97% in overall connectivity across Iran. Local access is now mostly limited to the government-run intranet.

Hacktivist Momentum Fades in Iran, Grows Abroad

As Iran faces widespread internet shutdowns, hacktivist activity, which surged in response to recent military operations, now risks fading out. With connectivity throttled and citizens pushed onto state-controlled networks, coordination, visibility, and real-time impact for many cyber actors are becoming harder to sustain.

The blackout may not stop cyberattacks entirely, but it could dim the momentum that hacktivist groups have built over the past week. However, these are only valid for the groups operating in Iran, supporting groups are still active.

Mysterious Team Bangladesh’s Telegram post

Mysterious Team Bangladesh issued a warning on Telegram, threatening cyberattacks against Middle Eastern countries hosting US bases if the US attacks Iran directly. They claim those countries’ cyberspace will be the first targets.

CYBER U.N.I.T.Y has posted a series of doxxing files on Telegram, targeting pro-Israel groups like Predatory Sparrow, Lefaroll (not a hacker group) as well as individual researchers and influencers. One post included threats and leaked data aimed at a Brazilian cybersecurity expert.

CYBER U.N.I.T.Y’s Telegram post, alleged doxxing txt files

Despite their bold claims, their activity so far is limited to doxxing and hostile messages. Their role in the wider Israel-Iran cyber conflict appears minor.

A visible alliance of pro-Palestinian and anti-Israel hacktivist groups is forming, featuring names like Octo Dark Cyber Squad, Cyber Jihad Movement, Team Fearless, and others, mostly tied to South Asia. These alliances often appear during conflict, and their activity tends to rise during high-tension periods.

Akatsuki Cyber Team’s Telegram post

With many Iran-based groups currently silent due to widespread internet blackouts, South Asian groups would become more prominent. They are coordinating efforts and focusing on Israeli targets, reflecting a shift in the active players of the current cyber conflict.

 In Conclusion

In fast-moving geopolitical conflicts like this one, cyber activity often unfolds in parallel — sometimes even ahead of the physical confrontation. While many attacks or statements from APT groups and hacktivists may be exaggerated or symbolic, their psychological and strategic effects can be real. They shape public perception, test defenses, and add pressure to an already fragile situation.

The Israel-Iran conflict is no exception. With APT groups taking visible roles early, and hacktivist narratives spreading quickly online, the cyber dimension of this crisis may escalate rapidly. Staying ahead of these developments requires both broad threat visibility and deep context.

SOCRadar’s Cyber Threat Intelligence and Advanced Dark Web Monitoring continuously track threat actors, campaigns, and chatter across open and closed sources. This allows organizations to understand the intent behind threats, identify relevant risks faster, and respond with greater precision.