Cyber Implications of the Israel-Iran Conflict – Part 2

Building on our previous analysis of Iranian cyber capabilities and our assessment of likely Iranian cyber responses to the conflict, this blog turns its focus to the role of hacktivist groups: ideologically driven actors that conduct cyber operations to advance political, religious, or social agendas. In this piece, we examine the hacktivist groups on both the Iranian and Israeli sides, examining their targeting patterns, operational methods, and the potential impact of their activities.  We also consider how these trends might evolve in the coming weeks as the wider conflict continues to unfold, concluding that:

• Hacktivist activity is expected to persist throughout the Israel-Iran conflict.
• Targeting will likely remain regionally focused in the immediate to short term, prioritising critical national infrastructure (CNI) targets.
• Western countries perceived to support Israel are likely to face increased targeting, with US and European organisations at particular risk if their governments become directly involved or maintain strong ties with Israel.
• Uninvolved organisations are also at risk due to the often indiscriminate nature of hacktivist activity.

Overview

While its impact remains limited, hacktivist activity is one of the most common forms of cyber activity seen so far in the Israel-Iran conflict—a position it will likely retain. These groups are often categorised as pro-Iranian or pro-Israeli, with pro-Iranian groups outnumbering pro-Israeli ones by roughly 10 to 1 at the time of writing.  

In practice, however, many active entities—including Keymous+, Mr Hamza, Dark Storm Team, and RootSec—have participated in a range of conflicts, supporting pro-Palestinian, pro-Pakistani, and at times pro-Russian agendas. Their current positioning against Israel does not necessarily indicate alignment with Iranian state interests; in many cases, they have targeted Israeli infrastructure regardless, due to separate affiliations or broader ideological motivations. For the purposes of this blog, the actors involved will therefore be referred to as either pro-Israeli or anti-Israeli.

A review of Telegram channels used by these groups shows that the vast majority of activity consists of short-lived DDoS campaigns with limited real-world impact, along with occasional website defacements and data breaches claims. There are also reports of CCTV intrusions, doxxing, and ransomware; however, many of these claims are unsubstantiated and may be claimed as part of information operations.

Some actors, while masquerading as hacktivist groups, are also more likely attributable to state interests: notable examples include Moses Staff and Cyber Av3engers, both linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), and Predatory Sparrow (Gonjeshke Darande), which is widely assessed to be backed by the Israeli state. Their operations reflect a more strategic, intelligence-driven approach, blurring the line between hacktivism and state-directed cyber activity.

Anti-Israeli Activity: Regional Targeting

Following Israel’s strikes on Iran on 13 June 2025, the majority of anti-Israeli hacktivist activity remained concentrated within the region, with targeting patterns closely mirroring those observed over the past two years:

1. Israeli governmental DDoS: Anti-Israeli groups have concentrated their efforts on Israeli government institutions at all levels, along with military-linked organisations. These include technology providers supporting Israel’s defence capabilities, such as Elbit Systems, Gilat Satellite Networks, and ImageSat International. Particularly active groups in this phase included RootSec, R3V0XAn0nymous, Fatimion Cyber Team, Unknowns Cyber Team, MadCap, and Arabian Ghosts.
2. Regional DDoS: Some groups, including Mysterious Team and Keymous+, also targeted assessed Israeli supporters in the region. Jordan and Saudi Arabia were listed due to their claimed involvement in intercepting Iranian drones aimed at Israel. Egypt was similarly targeted, with groups accusing it of complicity in Israeli strikes.
3. CNI attacks: CNI, including telecommunications, has also been in focus, as seen with the listing of Orange’s Jordanian domain. Media outlets, academic institutions, and financial services providers have also been affected. For example, PayPlus, an Israeli payment company, was named by Cyber Islamic Resistance, while BNP Paribas’ Israeli domain was listed by R3V0XAn0nymous.
4. Hack-and-leak claims: There have been at least two major breach claims: DieNet alleged access to at least 3 GB of data from Israeli infrastructure centres, which was published to assist Iranian intelligence. On 15 June, RootSec claimed to have accessed data from the Bank of Israel. Neither of these claims has been independently verified.
   

Anti-Israeli Activity: Global Targeting

A limited number of incidents have been reported beyond the region. Mr Hamza, for example, carried out a coordinated campaign against defence companies in both the UK and the US. Targets included Raytheon Technologies, CACI, and Ultra Electronics—all linked to military or intelligence operations supporting Israel. The 13 June post suggests the targeting is likely a response to Israel’s wider military actions, including those against Iran, although Mr Hamza and others have previously targeted US and Western entities prior to the escalation of hostilities between Israel and Iran.  

There have also been claims of targeting government departments abroad. Team Fearless, for instance, claimed an attack on the UK Foreign, Commonwealth & Development Office.

On 14 June, R3V0XAn0nymous launched a campaign under the #OpIsrael banner, naming several German domains, linking the activity to ‘military or political support for Israel’ and ‘censorship and digital repression’. The group also listed Polish domains, although their stated motivations were more in line with general rights advocacy than direct support for Israel. Meanwhile, the Cyber Jihad Movement launched ‘Operation Storm’, with vague claims of targeting European governments, adult sites, and universities—although no concrete evidence of impact on government or education sectors has surfaced so far.

Pro-Israeli Activity

Pro-Israeli hacktivist activity remains limited, with only a small number of identified groups and few maintaining an active public presence. Those that do, such as Predatory Sparrow and Lefaroll, focus primarily on sharing military updates and challenging narratives from opposing groups, rather than claiming frequent compromises.  

Predatory Sparrow has, however, engaged in some cyber operations, as evidenced by the release of what it described as classified documents from the Iranian Parliament, allegedly revealing plans to strengthen the IRGC against the US. This leak is likely to heighten tensions between Tehran and Washington, especially following the recent breakdown of nuclear negotiations.

The group also claimed responsibility for a wiper attack on Bank Sepah in Iran, which reportedly disrupted basic banking services, including withdrawals and account access. The group also claimed to have compromised the cryptocurrency exchange Nobitex, which, like Bank Sepah, is assessed to play a role in helping Iran evade international sanctions. These incidents stand out due to their relatively high impact compared to typical hacktivist operations. Predatory Sparrow also drew attention to the Wikipedia page of the Tehran Stock Exchange, indicating a realistic possibility for targeting occurring in the short term.

As of 18 June, there has been no evidence of pro-Israeli hacktivist attacks outside the region.

Future Developments

Hacktivist activity is almost certain to continue as the conflict between Israel and Iran unfolds. While pro-Israeli groups have demonstrated the capability to conduct more advanced and disruptive operations due to their assessed state backing, most operations are expected to remain symbolic, with low-impact campaigns such as DDoS attacks dominating the landscape.

• Activity is likely to stay regionally concentrated in the immediate to short term, with government and defence sectors remaining primary targets. This targeting is likely to expand to include a wider set of organisations operating in sectors such as transport, telecommunications, financial services, and technology.
• Recent incidents indicate a likely expansion of targeting beyond the region in the short to medium term, particularly against Western countries perceived to support Israel. Should the US become directly involved in the conflict, it is almost certain that US-based organisations—especially those with ties to Israel’s defence, manufacturing, or technology sectors—will come under attack.  
• A similar trend is likely to be seen in Europe, as well as in countries that have existing defence or diplomatic agreements with Israel, show public support, or become directly involved in the conflict. Such activity would likely be conducted by groups such as Mr Hamza and Keymous+, which have previously demonstrated both intent and capability to target Western organisations, often under a pro-Palestinian banner, and across a broad range of sectors.
• It should also be noted that hacktivist targeting is frequently indiscriminate, so organisations not directly involved in the conflict may nevertheless be affected.
• Additionally, there is an increasing convergence between anti-Israeli and pro-Russian hacktivist activity. While some Russian-linked actors have not publicly commented, others—such as NoName057 and Alixsec—have been referenced in support posts. Should groups like NoName057 join the campaign, this would likely result in a surge in activity, particularly through the use of botnet-driven tools such as DDoSia. This could further expand the scope of targeting to include European organisations already affected by pro-Ukrainian narratives, now caught in the crossfire of a broader agenda.

‍

SecAlliance provides detailed and timely analysis to clients via our dedicated ThreatMatch platform and bespoke intelligence outputs. For more information, please contact info@secalliance.com