Report: Iranian hackers are trying to create a psychological war in cyberspace

The Iran-linked CyberAv3ngers gang has evolved into a digital propaganda machine, combining recycled data leaks and theatrics to manufacture panic about hacks that never happened.
As tensions between Iran and Israel hit a boiling point in the past week, officials warned Americans to brace for cyberattacks from Tehran-aligned hackers. U.S. agencies and other experts focused their warnings on cyber-physical threats, basing their views on years of past Iranian cyber incursions around the world that have sought to sabotage and degrade critical infrastructure platforms.
But one Iran-linked unit, according to research out Tuesday, has been taking a different approach that’s gone largely under the radar. The CyberAv3ngers, which made waves in late 2023 for defacing numerous water system displays in the U.S., has increasingly shifted its operations from technical intrusions to psychological manipulation, according to threat intelligence firm DomainTools.
The dynamic reflects a growing emphasis within Iran’s national cyber strategy to shape online narratives as much as it tries to disrupt infrastructure. One of the CyberAv3ngers group’s most publicized campaigns — a purported intrusion into Israel’s Dorad power station in October 2023 — never happened, DomainTools determined. The scheme fooled some media outlets and lit up threat monitoring forums, according to the firm, which provides cybersecurity threat intelligence by analyzing website domains and internet metadata.
But the deception was the goal. By staging breaches and creating spectacle, the group transformed into an operator hellbent on backing the Iranian regime as both a digital saboteur and propagandist.
Many cyber-enabled influence campaigns are coordinated across known Iranian threat groups, though the DomainTools analysis of recent CyberAv3ngers activity suggests a tighter integration between psychological operations and technical targeting.
The hacking collective began posting online in September 2023, reviving a dormant alias that had appeared sporadically in previous low-attribution cyber claims dating back to 2020. On October 8, 2023, a day after the Hamas massacre in Israel, the group posted on Telegram that it had hacked into Dorad and shared what appeared to be screenshots of breached systems and control panels.
But DomainTools found that the visuals had been taken from a 2022 leak by another Iranian cyber unit, dubbed Moses Staff, and then cropped, rebranded and falsely presented as evidence of a new intrusion.
Metadata associated with the images showed no recent access, and no technical forensics were released to support the claims, according to DomainTools. The only confirmed activity was a temporary denial-of-service attack against Dorad’s public-facing website. Denial-of-service attacks overload websites with bot traffic to the point where they’re temporarily forced to shut down.
To reinforce the illusion of the Dorad breach, CyberAv3ngers released altered Israeli infrastructure security documentation under titles like “Advice for Victims.”
“It was a performance — but one calibrated to sow fear and disrupt public trust,” the DomainTools report says, later adding: “CyberAv3ngers aren’t just breaching systems, they’re engineering beliefs.”
CyberAv3ngers appears to be building a branded identity aimed at psychological dominance. DomainTools traced the registration of three domain names that contain the hacking gang’s name to June 9. None of the three has hosted any content or been configured for use in command-and-control infrastructure or malware delivery, according to DomainTools. That could change depending on how a fragile ceasefire deal announced Monday night plays out between Israel and Iran.
The group has refined cyberactivity “into a fully realized propaganda apparatus,” DomainTools says. “Their approach is not just to breach systems, but to control the narrative surrounding those breaches — turning each operation into a performance aimed at both foreign audiences and domestic sympathizers.”
When the attacks get real
CyberAv3ngers has still demonstrated operational hacking capabilities. Between November 2023 and April 2024, the group was tied to at least 29 confirmed intrusions into industrial control systems and operational technology environments in the United States, namely municipal water utilities, energy networks and camera systems.
One of the highest-profile incidents occurred in Aliquippa, Pennsylvania, where a Unitronics programmable logic controller used by the town’s water authority was defaced with anti-Israel slogans and rendered partially inoperable. Similar attacks followed across other U.S. utilities and fuel management platforms. According to DomainTools, these attacks were enabled by a custom Linux-based malware tool that allowed for persistent access to the targeted systems.
Unitronics is an Israeli industrial automation company.
“Every equipment ‘Made in Israel’ is CyberAv3ngers legal target,” the group’s message said in a display readout of a water system that it had taken over at the Municipal Water Authority of Aliquippa.
Last February, the Treasury Department sanctioned the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command leader and five other officials suspected of being involved in those water hacks, a move that suggests the CyberAv3ngers maintain strong ties to Tehran’s central cyber offices.
Among the sanctioned people was Mahdi Lashgarian, a senior Iranian cyber operations official who is suspected — though not publicly confirmed — to be operating under the alias “Mr. Soll,” a figure that’s been widely tied to the CyberAv3ngers online persona.
In May 2025, a self-described Israeli hacktivist group calling itself WeRedEvilsOG claimed to have breached Lashgarian’s personal accounts and leaked partial identifying information, including alleged credentials and IRGC-linked communication data, DomainTools says. While the authenticity of the leak remains unconfirmed, it marked the first known instance of retaliatory targeting against a named Iranian official involved in hacks against industrial control systems.
The State Department said last week that it would offer up to $10 million for information leading investigators to Mr. Soll, saying the persona is linked to CyberAv3ngers and “has launched a series of malicious cyber activities against U.S. critical infrastructure on behalf of Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).”