ZENDATA’s Cyber Analysis of the Iran-Israel Conflict


The ZENDATA Threat Intelligence Unit is actively monitoring the evolving cyber conflict between Israel and Iran. This confrontation, unfolding in parallel with conventional warfare, offers unprecedented insight into the offensive capabilities, strategic objectives, and tactics, techniques, and procedures (TTPs) employed by both state-linked and non-state cyber actors. 

Our intelligence efforts not only support our mission to protect and advise clients operating in high-risk environments, but also contribute to a deeper understanding of how cyber warfare is used as a force multiplier during geopolitical escalations. 

In this analysis, we have compiled the most relevant and high-impact cyber events observed so far. The goal is to provide our community with a clear and objective view of the digital operations targeting both Israeli and Iranian infrastructures. Understanding these developments is essential to anticipating potential spillovers, preparing for imitation campaigns, and reinforcing defenses in a time of heightened regional volatility. 

 

Impact on Iran 

 

1. Predatory Sparrow Wipes Iran’s Bank Sepah 

Facts:

In mid-June, the cyber group Predatory Sparrow (thought to be an Israeli cyber unit operating behind the guise of an anti-Iranian hacktivist group) claimed responsibility for a destructive attack against Bank Sepah, one of Iran’s largest state-owned financial institutions. The operation reportedly involved the deployment of wiper malware, with public statements by the attackers indicating that they deleted critical systems and data. Iranian media confirmed service outages, ATM failures, and temporary branch closures. The bank, deeply tied to Iran’s government operations, including salary disbursements for public servants and IRGC-linked transactions, was a high-value target.

While Iranian sources suggested services would resume within hours or days, independent observers and leaked internal reports hinted at the loss of backups and long-term disruption.

Analysis:

This attack marks a major escalation in the use of cyber tools as strategic weapons. Predatory Sparrow appears to be positioning itself not merely as a nuisance actor (as it has been in the past) but as a cyber force capable of inflicting systemic economic disruption. If Bank Sepah’s backups were indeed destroyed, this could be the first deliberate attempt in modern history to fully erase a national banking institution’s operational capacity through cyber means. It also signals the increasing alignment of cyber campaigns with kinetic objectives, demonstrating how financial paralysis can be engineered as part of broader hybrid warfare. Considering Israel’s objective to dismantle the Iranian regime’s strategic foundations, targeting public banking infrastructure is a calculated move designed to erode citizen trust in state institutions. If government employees are left unpaid, the result may be civil disobedience, administrative paralysis, and a progressive breakdown of loyalty within the public sector. 

 

2. $90 Million in Cryptocurrency Burned from Iranian Exchange 

Facts:

Shortly after the Bank Sepah incident, Predatory Sparrow claimed another high-profile attack: this time on an Iranian cryptocurrency exchange. In this operation, the attackers reportedly transferred approximately $90 million in crypto assets to burn wallets, making the funds permanently inaccessible. The group justified the operation by citing the exchange’s alleged involvement in evading international sanctions and supporting activities tied to Iran’s nuclear and ballistic programs. 

Analysis:

Destroying digital assets with no chance of recovery illustrates the maturation of offensive cyber capabilities targeting financial systems, particularly those operating outside traditional regulatory frameworks. While cryptocurrency exchanges have long been used to bypass global sanctions, this act goes beyond disruption; it is a form of irreversible economic sabotage. The message is both deterrent and punitive: “associate with sanctioned entities, and your assets are not safe.” If replicated, this tactic could reshape how rogue state-affiliated financial services perceive operational risk, especially in the shadow of great-power cyber deterrence strategies.

The destination crypto addresses were not chosen at random. They are vanity addresses that spell out a message, making clear that the objective was not financial gain but disruption and a show of power:

  • Bitcoin – 1FuckiRGCTerroristsNoBiTEXXXaAovLX 
  • Tron – TKFuckiRGCTerroristsNoBiTEXy2r7mNX 
  • Dogecoin – DFuckiRGCTerroristsNoBiTEXXXWLW65t 
  • Ethereum – 0xffffffffffffffffffffffffffffffffffffdead 
  • Ton – UQABFuckIRGCTerroristsNOBITEX1111111111111111_jT 
  • Solana – FuckiRGCTerroristsNoBiTEXXXXXXXXXXXXXXXXXXX 
  • Harmony – one19fuckterr0rfuckterr0rfuckterr0rxn7kj7u 
  • Ripple – rFuckiRGCTerroristsNoBiTEXypBrmUM 

 

3. Iranian State TV Hijacked Mid-Broadcast 

Facts:

In a highly symbolic act of cyberwarfare, Iranian state television was hijacked during a live broadcast, with viewers witnessing anti-regime messages and imagery flashed onscreen. The intrusion lasted only moments but was widely circulated on social media and amplified by diaspora media outlets. Attribution remains unofficial, but many observers point again to Predatory Sparrow or other Israel-linked groups due to the operation’s narrative alignment and technical sophistication. 

Analysis:

While not technically destructive, the hijacking of Iranian state TV represents a strategic narrative strike, aimed at undermining regime credibility and penetrating its tightly controlled information space. The symbolic value of temporarily seizing the government’s main propaganda channel is immense. By projecting a message that suggests the regime is vulnerable and losing control, the operation subtly encourages civil unrest and dissent, while signaling the existence of an alternative to state authority. This type of operation aligns with information warfare doctrines, where psychological effect outweighs technical depth.

 

4. GPS Jamming Impacting 1,000+ Ships Near Iran 

Facts:

According to a Bloomberg investigation citing maritime monitoring organizations, nearly 1,000 commercial vessels per day have experienced GPS signal interference or spoofing near Iranian coastal waters, particularly in the Persian Gulf and Strait of Hormuz. The disruptions escalated in June 2025, coinciding with broader cyber and kinetic tensions between Israel and Iran. The jamming incidents have caused erratic ship positioning, AIS blackouts, and loss of navigational stability across a critical maritime chokepoint for global oil and trade flows. 

Analysis:

This campaign likely reflects electronic warfare operations conducted by Israeli-aligned forces. The strategic objective appears twofold: impair Iranian naval and drone fleet positioning, while simultaneously disrupting logistics and trade to exert economic pressure. The scale of disruption suggests the use of sophisticated directional jamming infrastructure, possibly airborne or satellite-assisted. Beyond military implications, this also increases the risk of civilian maritime accidents and sends a clear signal: cyberspace and the electromagnetic spectrum are now fully militarized in this conflict. 

 

5. Iranian Internet Disruptions: Tactical Self-Denial 

Facts:

Iran has experienced severe, widespread internet outages since the start of the conflict. While at first interpreted as the result of external cyberattacks or infrastructure sabotage, it is now believed these are deliberate self-imposed shutdowns by Iranian authorities. The goal is to deny external intelligence access, disrupt enemy C2 via SIGINT tools, and prevent internal dissident coordination. Open-source threat intelligence platforms observed erratic traffic from Iran, consistent with controlled disconnection patterns and intentional bandwidth throttling. 

Analysis:

This tactic represents a double-edged sword: on one hand, it inhibits digital espionage, cyber operations and target acquisition by adversaries. On the other, it suppresses Iranian civil society’s access to information, disrupts economic activity, and silences media reporting. It reflects a regime operating in full wartime posture, willing to sacrifice connectivity to control the digital terrain. It also reveals Iran’s escalating fear of internal unrest, and how cyberspace has become not just a tool of resistance, but a battlefield for information control and psychological resilience. Most governments today possess some form of an internet “kill switch”, a mechanism to isolate the national network from the global internet in order to block foreign cyberattacks and restrict the flow of external information. However, activating such a measure is typically considered a last resort, as it carries severe consequences for public morale, economic continuity, and overall national stability. 

 

6. Iran Orders Top Officials to Abandon Mobile Devices 

Facts:

In a move indicating a serious counterintelligence concern, Iran’s Cyber Command issued orders for senior political and military officials, including their security details, to abandon all network-connected mobile devices. This measure follows intelligence indicating that Israeli cyber operations are using mobile signals and app metadata to build targeting packages for precision kinetic strikes. The timing corresponds with notable missile strikes on IRGC leadership convoys and command centers. 

Analysis:

This policy marks a rare public admission of digital vulnerability at the highest levels of the Iranian state. It underscores Israel’s likely use of real-time SIGINT fusion, combining device metadata, behavioral analysis, and geolocation for lethal precision targeting. While the policy may limit further compromise, it also cripples internal coordination, introduces operational latency, and confirms that mobile infrastructure is now a liability in modern state conflict. This self-protective initiative will significantly degrade Iran’s operational effectiveness. With several key decision-makers reportedly eliminated and growing internal disarray, coordinating military and governmental actions without secure digital tools becomes exceedingly difficult. Israel’s proven track record in device tracking, signal interception, and cyber-enabled targeting has likely instilled deep concern within the Iranian leadership. Fearing further precision strikes enabled by compromised communications, the regime has opted to deny itself access to critical mobile infrastructure, an extreme measure that reflects both tactical desperation and strategic vulnerability. 

 

Impact On Israel 

 

1. Israeli Target Value on the Dark Web

Facts:

Since the onset of the Israel–Iran war, offensive chatter targeting Israel on the dark web has surged dramatically. Approximately 28% of publicly identified cyber incidents are now aimed at Israeli entities, making Israel the most targeted country globally. Of these incidents, 81% are basic DDoS attacks against random organizations, followed by 7% data breaches, 4% initial access attempts, 3% cyberattack alerts, 3% website defacements, and 2% data leaks. Coordination occurs predominantly on Telegram, where analysts have identified 44 distinct hacktivist groups organizing campaigns against Israeli infrastructure. 

Analysis:

These low-level operations are mostly nuisance-driven, offering little strategic disruption in the context of the larger conflict. However, they serve as reputation-building exercises for hacktivists, granting street credibility for successfully targeting Israeli entities. The volume of activity also suggests many of these incidents may involve recycled or low-impact exploits rather than novel threats. Despite their limited technical sophistication, these attack campaigns can generate significant noise, consuming defender bandwidth, inflating incident metrics, and distracting from more serious, targeted threats. Monitoring this landscape is still important, as today’s noisy hacktivist chatter may provide early indicators of escalation into more advanced or coordinated campaigns.

 

2. Israeli Energy Companies Breached by Handala Hackers 

Facts:

In early June 2025, the pro-Iranian Handala Hacking Group claimed responsibility for breaching two major Israeli fuel and energy companies: Delkol and Delek Group. These companies are central to Israel’s energy distribution and retail network. The attackers reportedly exfiltrated sensitive operational data, internal documentation, and partial employee records. Screenshots of the allegedly stolen files were posted on dark web channels and Telegram, with promises of additional leaks. 

Analysis:

Targeting the energy sector strikes directly at Israel’s critical national infrastructure (CNI) and aims to erode public trust in essential services. Although there were no confirmed service outages, the breach serves as both a reconnaissance operation and psychological messaging. By going after fuel providers, Handala seeks to highlight vulnerabilities in Israel’s logistical ecosystem and signal that no private or public entity is off-limits. This also mirrors the Iranian doctrine of symmetrical retaliation: choosing high-visibility but plausibly deniable targets.

 

3. Alleged Ransomware on Israeli Critical Infrastructure 

Facts:

Iranian-aligned group APT-Iran is believed to have launched a ransomware campaign targeting Israeli critical infrastructure, although official confirmation remains scarce. Darknet chatter and leaked samples suggest that sectors under threat included municipal IT systems, industrial control systems (ICS), and third-party contractors. Some indicators point to the use of custom loaders and domain-specific payloads, though attribution remains circumstantial. 

Analysis:

This incident, if confirmed, would indicate Iran’s willingness to use criminal-style tactics for strategic objectives. By deploying ransomware instead of wipers, attackers gain both plausible deniability and psychological leverage. Even in the absence of large-scale disruption, this tactic forces Israeli institutions to allocate resources to containment and response, creating operational fatigue. This also demonstrates Iran’s blending of APT-level sophistication with commodity cybercrime tools, increasing the complexity of attribution and deterrence. 

 

4. Israeli Broadcaster TBN Hacked by Handala 

Facts:

The Handala Hacking Group claimed a successful cyberattack on TBN Israel, a popular broadcaster. The operation allegedly involved both network infiltration and partial defacement, along with data theft. Leaked screenshots showed internal communications and archives of editorial content. The group framed the attack as part of a broader campaign to “expose Zionist media manipulation,” and threatened to leak more sensitive materials. 

Analysis:

This is a classic information operation with dual objectives: to undermine Israeli media credibility and to score symbolic victories against national narratives. Attacking media organizations provides adversaries with both propaganda fuel and a multiplier effect, as compromised broadcasters struggle to retain public trust. For Iranian-aligned actors, the media is not only a communication channel but a battlefield of perception, where even small breaches can seed distrust and confusion. Expect similar attempts on other media outlets or online influencers. 

 

5. Advanced Phishing and OSINT Targeting of Israeli Personnel 

Facts:

Reports have emerged of tailored phishing campaigns and open-source intelligence (OSINT) exploitation aimed at Israeli government employees, researchers, and defense contractors. These campaigns, attributed to Iranian-aligned groups such as Charming Kitten, use LinkedIn, fake conference invitations, and impersonated news sources to collect credentials and impersonate targets. In some instances, attackers engaged in multi-week social engineering chains, harvesting personal data and deploying MFA reset tactics. 

Analysis:

This reflects a long-standing Iranian strategy of credential harvesting and long-game infiltration, particularly against Israeli intelligence and defense sectors. By combining OSINT with human-factor exploitation, Iranian actors aim to establish persistent access, exfiltrate sensitive data, and mirror Israeli capabilities. The sophistication of these operations, some of which involved real-time engagement, demonstrates a level of maturity that has moved beyond noisy phishing into covert, relationship-driven espionage. These campaigns are especially dangerous in times of kinetic escalation, as they may be used to identify strategic targets or disrupt crisis response chains. 

 

6. Weaponized Misinformation

Facts:

As the Israel–Iran conflict intensifies, both state and non-state actors have turned to disinformation as a deliberate weapon of influence. False narratives, AI-generated imagery, deepfake videos, and forged documents have flooded social media and messaging platforms. Among the most circulated fabrications was a video showing an alleged Iranian missile strike on Tel Aviv, which was later debunked due to its use of AI-generated footage bearing the watermark “Veo.” Other examples include recycled videos from Syria or Gaza repackaged as current attacks, and a forged memo claiming that the United States used Indian airspace to support Israeli airstrikes, an assertion publicly refuted by India’s Press Information Bureau. 

Pro-Iranian networks, some of them official, have circulated at least a dozen major false stories across dozens of websites, while Israeli-aligned information campaigns have also used bot networks and coordinated messaging to steer public sentiment abroad. The result is a media environment saturated with emotion-driven, low-verification content, often designed to reach viral velocity before the truth can catch up.

Analysis:

Disinformation in this conflict is not collateral; it is intentional, coordinated, and strategic. The goal is, on one hand, to erode public trust, confuse external observers, and manipulate political narratives across borders, and on the other hand to reassure each side’s own citizens of its strength in the conflict. AI tools and social engineering tactics have amplified the reach and believability of these messages, making verification harder for average users and mainstream outlets alike. In the broader scope of hybrid warfare, this wave of fake news serves as a form of cognitive warfare. For organizations and individuals, the best defense remains digital literacy, source verification, and deliberate skepticism in the face of viral content.

 

7. Iranian Hack of Israeli Cameras 

Facts:

Reports indicate that Iranian cyber operators have hacked into private security cameras across Israel to monitor the aftermath of missile strikes and improve targeting accuracy. By exploiting weak credentials and misconfigured devices, Iranian actors accessed live feeds to assess impact zones in real time, marking a shift toward the tactical use of civilian IoT infrastructure for battlefield intelligence. 

Analysis:

The infiltration of Israeli home security cameras by Iranian actors is not merely a technical feat, but a clear manifestation of modern hybrid warfare: converting civilian IoT devices into real-time battlefield sensors weaponizes everyday infrastructure for strategic advantage. Such access offers a crucial benefit, battle damage assessment (BDA). What once required forward observers or satellite imagery can now be partially confirmed through hacked civilian feeds, allowing near-instant confirmation of strike effectiveness.

Final Analysis & Outlook 

The cyber conflict unfolding between Israel and Iran today is underscored by well-honed offensive capabilities on both sides, shaped by years of strategic investment. 

On one hand, Israel and its allies have clearly prepared for kinetic and cyber warfare well in advance. Their recent operations, such as the destructive targeting of Bank Sepah, the crippling of Iranian crypto reserves, symbolic state TV hijacking, and large-scale GPS jamming, demonstrate a high degree of planning, coordination, and technical sophistication. These are not one-off hacks, but coordinated campaigns that align cyber tools with broader military objectives, suggesting extensive pre-positioning, rapid deployment capabilities, and interagency collaboration. 

On the other hand, Iran’s cyber regime has proven it can strike effectively too. Historically, Tehran has conducted high-impact operations using wipers like Shamoon, targeted industrial control systems via CyberAv3ngers, executed Operation Cleaver attacks against global infrastructure, and run complex espionage campaigns such as Operation Newscaster and Charming Kitten. These operations, spanning data destruction, espionage, and disinformation, highlight Iran’s ability to respond asymmetrically, leveraging cyber as a cost-effective means of retaliation. 

Simultaneously, the Israel-Iran conflict has triggered an intense and unprecedented battle for control of the information space. Both sides are engaging in sophisticated disinformation efforts, leveraging AI-generated visuals and manipulating media narratives to influence public opinion. Israel’s messaging emphasizes military strength and operational success, while Iran highlights civilian suffering and frames itself as resilient and defiant. Social media has become a key battleground, saturated with misleading content. Many videos and images being circulated are either taken out of context, often from older conflicts, or are entirely unrelated to the current situation, but are falsely labeled as real-time footage from the ongoing war. This has made it increasingly difficult to separate fact from fiction and to assess the true scope of damage or civilian impact. 

Artificial intelligence is playing a growing role in this information warfare. Iranian state media has broadcast AI-generated imagery as if it were real scenes from the battlefield, while the Israeli military has, in one identified case, reposted outdated videos as though they were new. These deceptive practices are undermining efforts to verify events and establish accurate situational awareness. 

Given this dynamic, there is strong reason to believe the conflict will continue and likely expand beyond Iran and Israel. Both nations possess cyber capabilities capable of affecting critical infrastructure, supply chains, and civilian systems far beyond their borders. There is a high likelihood of spillover into allied nations, with third-party systems already being used as digital vectors or staging grounds. The operational tempo suggests we may soon see similarly orchestrated cyber campaigns targeting critical infrastructure in Europe, the Gulf, and perhaps even North America. 

For organizations operating anywhere in the global ecosystem, this means elevated risk. Adversaries staffed by both state actors and proxy networks will test defensive systems, exploit supply chains, and seek asymmetric access points. The conflict underscores the urgent necessity for heightened threat awareness, layered detection mechanisms, and strategic cyber resilience across allied networks. 

Take-home recommendations:

1. Conduct a geopolitical exposure audit across digital supply chains

Map your digital footprint, including all third-party vendors, managed services, infrastructure hosting regions, and software dependencies. Evaluate exposure to supply chain compromise, proxy infrastructure risks, and jurisdictions potentially aligned with Iranian or Israeli cyber interests. Prioritize scrutiny of providers with remote access capabilities, privileged credentials, or control over critical business operations. Embed geopolitical threat modeling into your vendor risk management framework to inform procurement and onboarding decisions. 

 

2. Align threat detection and monitoring with current TTPs and live intelligence feeds

Continuously ingest and operationalize threat intelligence specific to APTs and hacktivist groups active in the Israel–Iran conflict. Calibrate SIEM, EDR, and SOAR platforms to detect TTPs such as metadata-based reconnaissance, initial access vectors via phishing or exposed APIs, DDoS coordination patterns, and wiper deployment indicators. Implement auto-enrichment of IoCs using trusted threat intelligence feeds and reinforce telemetry collection on potentially compromised devices. Ensure 24/7 visibility across cloud, endpoint, and identity layers. 

 

3. Rigorously segment your infrastructure to contain high-impact scenarios

Reassess your network architecture to enforce granular segmentation between public-facing services, operational systems, and sensitive business assets. Limit lateral movement opportunities with strict firewall zoning, zero-trust access controls, and device identity enforcement. Segment mobile access privileges, particularly for senior leadership and high-risk personnel, and consider deploying hardware-enforced isolation or secure communications platforms for executive functions. Regularly test segmentation controls through red teaming or internal penetration testing to validate effectiveness under adversarial conditions. 

 
