IRGC Intelligence Foils Major Mossad-Linked Cyber Network in Iran
WANA (Nov 10) – Iran’s Islamic Revolutionary Guard Corps (IRGC) announced the arrest of the leader of a hacker group allegedly tied to Israel’s Mossad intelligence agency, following what officials described as a “complex technical and intelligence operation.”
According to Iranian authorities, the suspect was operating under the alias of a “Dutch woman defending Iranian women’s rights” on social media, while secretly collecting and leaking confidential information on Iranian security personnel to foreign-based media outlets — particularly Iran International — and to networks allegedly affiliated with Israeli intelligence.
The case, initially dismissed by many as just another online activism campaign, has since evolved into one of the country’s most significant cyber-espionage investigations.
The Telegram channel and Twitter account known as “Backdoor”, which surfaced in 2022 after publishing personal data of Iran’s morality police and certain IRGC officers, were reportedly part of a broader intelligence-gathering operation. The IRGC’s cyber units began tracing the source of the leaks after inconsistencies appeared in the group’s digital footprint.

Ameneh Zabihipour and Ali Razavi — two Iranian journalists whose personal information was targeted in a cyberattack by a Mossad-linked network. Social Media / WANA News Agency
After months of digital forensics, Iranian intelligence services concluded that the “Dutch activist” persona was in fact a young Iranian man leading a domestic hacker cell. The suspect allegedly confessed that his primary motive was financial gain, stating: “We received payments in cryptocurrency for identifying members of Iran’s Quds Force and IRGC intelligence units.”
Documents seized from the group reportedly revealed direct communication with individuals identified as Nariman Gharib and Mojtaba Pourmohsen, both journalists associated with Iran International, who allegedly requested personal information of Iranian security officers as well as journalists and media figures inside Iran in exchange for cryptocurrency payments.
Further investigation uncovered ties between “Backdoor,” another cyber group known as “Lab-Dookhtegan” (The Sewn Lips), and foreign intelligence agencies, including Mossad. The Lab-Dookhtegan collective — known for its pro-Israeli stance during recent conflicts — has openly boasted about its role in gathering intelligence from within Iran.
The arrested hacker claimed that the collaboration extended beyond data leaks, reaching into targeted operations. In one alleged statement, he said: “A proposal was made to physically eliminate a senior IRGC commander — and they agreed.”

The cyber group known as “Lab-Dookhtegan” (The Sewn Lips). Social Media / WANA News Agency
Iranian intelligence officials assert that the stolen information was first circulated on “Backdoor” channels, then amplified by foreign media, and eventually used by Western intelligence agencies to impose individual sanctions or identify targets for sabotage.
The IRGC described the operation as a “three-tiered mechanism” connecting hostile media, cyber groups, and foreign intelligence services — designed not only for data theft but also for “psychological pressure and destabilization.”
Despite having received cybersecurity training abroad, the suspect was ultimately tracked and apprehended through technical infiltration and digital tracing.
Iranian officials have framed the case as evidence of a coordinated Western-Israeli campaign combining cyber espionage and media warfare. Analysts say the development highlights how digital activism narratives can be manipulated into sophisticated intelligence operations in the age of hybrid warfare.




