Iranian hacking groups go dark during US, Israeli military strikes


Cybersecurity analysts say the silence underscores how far Iran’s online attack and disinformation capabilities have withered.


PHOTO: LIANHE ZAOBAO


TEHRAN - Iran’s feared hacking groups have failed to play a meaningful role as the US and Israel wage a new war, a silence cybersecurity analysts say underscores how far the Islamic Republic’s online attack and disinformation capabilities have withered.

American and Israeli airstrikes against Iran on Feb 28 were quickly followed by cyber operations intended to spread propaganda there.

A popular Iranian prayer app, BadeSaba, was reportedly hijacked to tell its users that “help has arrived” and then urged Iranian army members to surrender.

In the early hours of fighting, pro-regime news agencies were compromised and Iranian television stations were repurposed to broadcast videos of President Donald Trump and Israel’s Benjamin Netanyahu, according to Israeli media outlets.

General Dan Caine, chair of the Joint Chiefs of Staff, said during a Pentagon briefing on March 2 that US Cyber Command helped disrupt Iranian communications and that the military unit was one of the “first movers” in the early phases of the war. 

However, Iran’s military and intelligence hacking groups have so far played a negligible role in the fight, according to Mr Alexander Leslie, threat analyst at cybersecurity firm Recorded Future.

The country also has a history of working with proxy criminal groups that have targeted victims on behalf of Iran in past conflicts, though those allies have been similarly quiet, he said.

A small number of pro-Iranian groups have claimed to breach critical infrastructure targets, including more than 100 remote control systems belonging to an Israeli company, according to the cybersecurity firm Flashpoint.

It remains unclear if those allegations are true.

Pro-Iranian hackers frequently exaggerate their effect to try to boost their psychological impact, said Mr John Hultquist, chief analyst at Alphabet’s Google Threat Intelligence Group. 

Iran’s Ministry of Foreign Affairs didn’t respond to a request for comment. 

More than 130 pro-Iranian hacking groups were active around the time of Iran’s 2025 military conflict with Israel, but the current number has dwindled to 17, Mr Leslie said.

The Department of Homeland Security (DHS) said last year that attackers associated with Iran’s Islamic Revolutionary Guard Corps compromised industrial control systems in US wastewater, energy and food manufacturing after Hamas’ attack on Israel in October 2023.

Cyber operators also launched hack-and-leak campaigns to protest the conflict in Gaza, stealing information and then amplifying Iranian political messaging through social media, according to DHS. 

“The Iranian groups we track have gone almost entirely dark,” said Mr Leslie, except for a spate of false claims and low-level, short-lived failed disruptions. 

Western governments and companies are nonetheless braced for possible blowback from the military strikes. 

The UK’s National Cyber Security Centre and cybersecurity firms have warned of heightened risks from distributed denial-of-service attacks, which knock victims offline by overwhelming them with traffic.

Mr Nikita Bier, head of product at X, also posted that the social media site successfully blocked a wave of Iranian bots. Such hacking attempts and influence operations have largely failed, according to cybersecurity experts.

GPS jamming has also impacted 1,100 ships in the Middle East since the war began, according to the maritime intelligence firm Windward. The perpetrator and purpose weren’t immediately clear. The analysis was previously reported by Wired.

Iran’s internet blackout seems to be one major reason for the apparent lack of hacking operations originating in the country, said Mr Leslie. 

The relative quiet appears to undercut longstanding concerns about the cyber prowess of the government in Tehran.

Iranian operators often hyped their own capabilities to spread fear, according to the security researcher and Iran expatriate Mr Hamid Kashfi. Western security firms have played into such concerns to be able to sell their security products despite Iran’s tactics remaining stagnant and relatively unsophisticated over the years, he said. 

The current conflict mirrors the fighting in 2025, when Iran was pummeled with several extraordinary cyberattacks but failed to retaliate in a meaningful way. 

In July 2025, pro-Israeli hackers claimed credit for a cyberattack on Iran’s state-owned Bank Sepah.

The group, Predatory Sparrow, said at the time that it had compromised the financial institution because the bank helped fund Iran’s Islamic Revolutionary Guard Corps. The group also destroyed US$90 million (S$114.6 million) from an Iranian cryptocurrency exchange.

Another Iranian financial service, Bank Pasargad, was also attacked at the same time, resulting in online banking outages and the destruction of data. 

Bloomberg confirmed that at least one technology firm in Iran was unable to pay employees for at least a month due to the bank hacks. Neither Bank Sepah nor Bank Pasargad responded to requests for comment on March 2. 

The primary technology vendor for both banks, the Iranian vendor Dotin, said in a statement in July to Bloomberg News that those breaches were “incomparable to any past cyberattacks in the country”, as they targeted the hardware in data centers and rendered information there “damaged and unusable”.  

In Iranian government briefings with multiple financial organisations, including Dotin, authorities told bank employees that the hack was the result of an insider human threat.

The suggested theory was that someone manually changed firewall rules and opened the way for hackers, the people said. Bank employees were deeply skeptical of the official explanation, according to the people. 

Dotin, one of the most critical technology vendors to Iranian banks, was sanctioned by the US government in 2025 for its alleged role in evading US sanctions. The company didn’t immediately respond to a request for comment. 

While the Iranian government’s digital retaliation has been “nonexistent”, Mr Leslie said, the attacks against Iran over the last year show how cyber can be used during a wider war. 

The pro-Israeli group Predatory Sparrow spent years causing major disruptions inside Iran, including paralysing Iran’s national railway in 2021 and sabotaging a steel mill in 2022. When Israel launched missiles in 2025, Predatory Sparrow launched targeted operations to destabilize the Iranian regime. 

The group hasn’t been seen in the new war but the pro-American and pro-Israeli hacks of 2026 bear many of the same trademarks, all of which exemplify how cyber activity is used in modern warfare.

“Predatory Sparrow highlights the evolving nature of warfare,” said Lance Hunter, professor of international relations at Augusta University.

“We’ll see many more examples of this, including from Western countries, combining cyber, traditional military and information warfare. This is the nature of conflict moving forward.” BLOOMBERG
