The Islamic regime has reacted to domestic unrest with a new cyber campaign against dissidents in the Iranian diaspora, a cyber expert targeted by Iran told The Jerusalem Post on Friday.
Beyond targeting those vocal against the regime’s brutal treatment of protesters in recent weeks, UK-based Iranian opposition activist and independent cyber espionage investigator Nariman Gharib said that members of the Syrian opposition, journalists, activists, and Israeli diplomats were also being targeted.
Gharib’s confirmation came as activists and journalists complained online that the Islamic regime had begun posing as officials from the Israeli media outlet ILTV and as well-regarded peace activists in the region.
Israeli-American ILTV journalist Emily Schrader confirmed she was among those targeted by the regime, while Gharib listed some of the Israeli targets as Yesh Atid MK Moshe Turpaz, Deputy Consul-General of Israel in Dubai Dana Filber, and policy advisor Eyal David.
Germany’s Federal Office for the Protection of the Constitution (BfV) confirmed to DW News, in an article centered on the regime’s targeting of exiled Iranians, that “Transnational repression measures by Iranian intelligence services against dissident organizations and individuals from the diaspora include targeted espionage, discrediting, intimidation, threats, and even the use of violence.”
Gharib said he was first targeted by the IRGC in 2015 after Tehran arrested one of his friends at an airport in the capital.
Islamic regime attempts to send phishing email
The regime attempted to send a phishing email from a friend’s personal device, seeking to access Gharib’s private information. “The lesson here is that you must be extremely careful about who is sending you messages on WhatsApp, Telegram, or email, and what links you click,” he advised.
Gharib said he knew where the attacks were coming from because he had a “singular adversary” interested in him: the Islamic Republic.
“Western governments do not need to hack my phones to gather information about me. Even China and Russia have no reason to do so. This is the first step in attribution,” he explained. “Understanding who is being targeted, whether an Iranian or Israeli journalist or activist, and for what reason, helps you identify the hacking group behind an attack.”
Gharib added that the next step in confirming the origins of attacks was to review published data from security researchers and cybersecurity professionals to match new data with past incidents.
Wary of claims that Tehran had purchased cyber weapons from Russia or China, Gharib said he believed most of the technologies Iran used were either developed domestically or purchased on the dark web and customized, making it easy for experts to identify the origins of attempted attacks.
Sharing his research, Gharib outlined how the regime accessed users’ WhatsApp, Gmail, and Telegram accounts despite two-factor authentication.
Using DuckDNS-hosted infrastructure, the regime sends links that impersonate WhatsApp meeting invitations and serves the victim a live QR code. That code is WhatsApp’s own device-linking QR, relayed from the attacker’s browser: when the victim scans it from the WhatsApp app, the attacker’s browser is linked as a companion device with access to the victim’s chats. Device linking never prompts for the two-step verification PIN, which is why 2FA offers no protection against this trick. Gharib said the same campaign also let the regime snap photos from the victim’s device every five seconds, record audio in three-second chunks, and geolocate the device every two seconds; a linked WhatsApp session alone cannot do any of that, so those capabilities imply additional malware on the phone itself.
The online publication TechCrunch also confirmed that DuckDNS was masking the actual phishing page, hosted on alex-fabow.online, and that the domain names mimicked those of private chat rooms.
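The indicators the article names, links served from free DuckDNS subdomains that pose as WhatsApp meeting or chat-room invitations and the phishing host alex-fabow.online, are easy to check for before anyone scans a QR code. The following Python is an added example, not code from the article, from Gharib or from TechCrunch: it pulls URLs out of chat messages and grades them by host. The sample messages and the lookalike hostnames in them are constructed for the example; the legitimate WhatsApp invite domains (whatsapp.com, wa.me) are real.

```python
"""Link triage for chat messages based on the indicators in the article.

Added example, not from the article or from Gharib. Heuristics only:
a "block" verdict means "do not open, and certainly do not scan a QR
code it shows"; it is not proof of compromise.
"""
import re
from urllib.parse import urlparse

# Real domains WhatsApp uses for invite links (fact, not an assumption).
LEGIT_WHATSAPP_DOMAINS = ("whatsapp.com", "wa.me")
# Free dynamic-DNS provider the article says the campaign used.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)
# Phishing host named in the TechCrunch report cited by the article.
KNOWN_PHISHING_HOSTS = ("alex-fabow.online",)
# Words a lure hostname uses to look like a WhatsApp meeting/chat-room invite.
LURE_WORDS = ("whatsapp", "meeting", "invite", "chat", "room")

URL_RE = re.compile(r"https?://[^\s<>]+")


def _host_matches(host, domains):
    """True if host equals one of `domains` or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_url(url):
    """Return {'url', 'host', 'verdict', 'reasons'} for a single link."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    reasons = []
    # A genuine WhatsApp invite is fine; everything else gets scored.
    if _host_matches(host, LEGIT_WHATSAPP_DOMAINS):
        return {"url": url, "host": host, "verdict": "ok", "reasons": reasons}
    if _host_matches(host, KNOWN_PHISHING_HOSTS):
        reasons.append("known phishing host")
    if _host_matches(host, DYNAMIC_DNS_SUFFIXES):
        reasons.append("free dynamic-DNS hostname")
    if any(word in host for word in LURE_WORDS):
        reasons.append("WhatsApp/meeting-themed hostname outside whatsapp.com")
    # A known host, or a dynamic-DNS host dressed up as WhatsApp, is blocked;
    # a single weak signal is only flagged for a human to look at.
    if "known phishing host" in reasons or len(reasons) >= 2:
        verdict = "block"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def triage_message(text):
    """Triage every http(s) link found in one chat message."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return [triage_url(u) for u in urls]


# Constructed sample messages (hostnames other than alex-fabow.online are invented).
SAMPLE_MESSAGES = [
    "Join our private chat room: https://whatsapp-meeting.duckdns.org/join/7x2",
    "Agenda for the call is here https://alex-fabow.online/wa/room",
    "Real invite: https://chat.whatsapp.com/ABC123",
    "Background reading https://example.org/news.",
    "Scan to join: https://secure-meeting-room.site/",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for finding in triage_message(message):
            print(f"{finding['verdict']:10s} {finding['host']:35s} {finding['reasons']}")
```

A hostname check like this is only the first filter; the decisive rule for the QR variant is simpler still and needs no code: WhatsApp never asks you to scan a QR code with your phone to accept an invitation, so any page that does is asking to be linked as a companion device to your account.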
TechCrunch was also able to confirm that the hackers went after around 50 people from the Kurdish community, as well as academics, government officials, business leaders, and other senior figures across the broader Iranian diaspora and the Middle East.
Ian Campbell, a threat researcher at DomainTools, confirmed to the publication that most of the sites had been set up between November and August last year and that the attacks appeared to be driven by a cyber motive.