In a startling revelation set to embarrass Iran's mullah regime, an opposition-aligned media outlet unveiled new details on Sunday night about cyberattacks launched from Tehran. The report includes the identities of key operatives within two covert units run by the regime.
Iran International, a Farsi-language TV channel broadcasting from London and associated with Iranian opposition forces, claims that two secret cyber units under the Revolutionary Guards' intelligence office operate from an office building on Firoozi Street in Tehran. These Iranian hackers have targeted not only Israel and other adversarial nations but have also attempted to infiltrate sensitive computer systems in countries considered friendly to Iran, such as Qatar.
The groups, dubbed MuddyWater and Darkbit, are reportedly engaged in cyber espionage against sensitive databases across a broad spectrum of nations in Europe, Asia, Africa and North America—Israel included.
MuddyWater, also known by its public aliases Mercury, SeedWorm, Static Kitten and Mango Sandstorm, has launched attacks on databases in countries like Israel, the U.S., Armenia, Azerbaijan, Egypt, Jordan, Oman, Qatar, the UAE, Tanzania and Sudan.
Iran's cyber operatives against Israel
According to the report, Iran leverages this network to conduct cyberattacks against targets in countries deemed friendly, such as Oman, Qatar and Russia. This strategy allows Iran to gather extensive information about key figures, senior officials, infrastructure and citizens in these nations.
MuddyWater hackers have executed cyberattacks against government organizations, military bodies, educational institutions and communication networks in Jordan, Turkey, Azerbaijan and Pakistan. They have also targeted sensitive databases in Mali, Austria, Russia and Bahrain, and have repeatedly attacked state institutions in Iraq and Saudi Arabia.
The report identifies three central figures in the network who work directly with the Revolutionary Guards' Ministry of Intelligence: Mohammadreza Kharoush, Younes Valiayi and Mohammad Khoush Lahan.
The Darkbit group, according to the report, operates under the MuddyWater network and from the same office building, named "Jalal," in Tehran—photos of which were included in the report. Iran International claims that Darkbit is the unit within MuddyWater that targets Israeli entities.
Among other activities, at the beginning of 2023, hackers from this group conducted a ransomware attack on the Technion in Haifa. In early 2024, they claimed responsibility for attacks on the Tel Aviv Municipality's systems, the National Cyber Directorate and the Mental Health Department of the Health Ministry. However, evidence for these claims remains elusive.
The report also disclosed the identities of senior network members. According to Iran International, these individuals work alongside, and under the direction of, many others. The head of the network is identified as Amir Hossein Fard Sia-Poush, who uses the alias Parsa Sarafian. Other senior members include Seyyed Ali Emami, Pouria Kazemabadi Farahani, Ahmadreza Irani, Amin Dadashi and Seyyed Hossein Siadat.