Tapandegan

List of names used by industry:
- Tapandegan
- Palpitaters (English translation)
- Has also been accused of being the same as LabDookhtegan
Date founded:
- First appeared in May 2018
Affiliation:
Iranian hacktivists. The group describes its actions as acts of protest demanding that the Iranian leadership improve the economy and stop ignoring the demands of the people. No verified state/foreign affiliation.
Social media handles/websites:
- X: @Tapandegan
- Instagram: @tapandegan_official
- Telegram: @tapandegan_official, ttapandegan, P_Tapandegan, tapandegan_info1, tapandegan_channel
- Email: [email protected]
Previous operations:
- 24 May 2018 – The group defaced the arrival/departure boards at Mashad Airport, posting messages claiming the hack and highlighting that they took control of the system as an act of protest. The attack lasted for several hours. The messaging displayed on the boards protested against the “wasting of Iranian lives and financial resources” by the IRGC in Syria and Iraq. The email of the Mashad Airport Civil Aviation Head was also hacked and news of their activity was distributed from his account.
- 6 June 2018 – Another defacement attack against the arrival/departure boards at Tabriz Airport. The hack displayed anti-government messages and imagery. The attack occurred at 2130. The group claimed that the attack was to voice support for Iranian strikers including the bazaris and truck drivers.
- 10 July 2018 – The group hacked the Tehran Municipality’s email, X/Twitter and Instagram accounts. The group defaced the social media pages, sharing anti-government propaganda. The group claimed the attack was to highlight corruption and provided their email [email protected] as a way for people to share corruption information with them.
- August to November 2018 – The group exposed confidential documents including a list of companies owned by the IRGC, a document detailing the purchase of a Mashad hotel, a contract forgiving government debt, and evidence of corruption.
- October 2018 – The Chief of Iran’s police claimed that the hacking group had been identified and arrested.
- January 2019 – The group hacked into the Islamic Republic International Broadcasting (IRIB) computer systems and the email of the Iranian consul in Berlin. The group used their access to send emails from key individuals including the IRIB director, Deputy Director and Political News Director. The emails were sent to employees, the Majlis speaker, Majlis members and journalists. The emails exposed alleged corruption by the Iranian Foreign Minister Javad Zarif, who was accused of laundering money to the Lebanese Hezbollah. The exposure highlighted the hypocrisy of Zarif accusing other offices in Iran of laundering money.
- 10 April 2019 – Another attack targeting the computer network at Mashad Airport. The group claimed the attack was in protest of poor floor management and wider corruption. In May 2019 a representative of the group gave an interview on Radio Zamaneh discussing their activities.
- 30 May 2019 – The group announced they had hacked the Iranian Social Security Organization and exposed details such as its debts, its ongoing collapse and inefficient economic management. They also briefly defaced the tasmin.ir website.
- July 2019 – The group leaked documents including a list of debts related to the Social Security Organization in a protest against government corruption.
- 12 September 2019 – The group hacked and defaced the website of parsfootball.com in support of protests for improving living conditions for the Iranian people. Later that month they encouraged people to storm the Azadi Stadium in protest of discrimination against women.
- November 2019 – January 2020 – Mass messaging campaigns (SMS and emails) encouraging continued protest across the country and demanding the resignation of senior Iranian officials.
- 23 January 2020 – The group hacked the systems of the Food and Drug organizations and sent a mass messaging campaign to parliamentarians and journalists highlighting the drug shortage crisis.
- March to April 2020 – Leaked internal documents relating to the Iranian handling of the Coronavirus outbreak, claiming it was ineffective. The group alleged that the documents were sent to them by an insider.
- 7 November 2020 – The group exposed confidential and internal documents revealing deliberate manipulation of the Iranian stock exchange. The group claimed data was manipulated in an attempt to hide systematic corruption and a stock exchange bubble. The group again alleged an insider leak and encouraged people to protest in response to the exposure.
- 17 March 2021 – The group hacked into and defaced the official website of the Ministry of Economic Affairs and Finance and leaked the government’s financial report for 2019.
- April 2021 – The group continued to leak documents allegedly sent to them by supporters.
- 5 May 2021 – Exposed confidential documentation detailing the IRGC budget.
- 15 December 2021 – Emailed classified documents to international journalists relating to Iran’s intervention in Iraq and Syria.
- 6 July 2022 – The group leaked documents detailing Iranian financial activities in Syria. The group claimed to have received these from an insider.
- August 2022 – Leak of documentation detailing the purchase of 17,000 tons of phosphates as part of the construction of the new IRGC headquarters. The exposure primarily seemed to protest the involvement of the IRIN in Arab countries. The group continued to release further documentation detailing plundering of Syria’s natural resources by the Islamic Republic and sale of Iranian oil to Syria.
- 19 September 2022 – Exposed confidential documents relating to the construction of Khatam-al Anbiya HQ.
- October 2022 – On 6 October the group hacked approximately 60 Iranian government websites and defaced them to highlight the WomenLifeFreedom protests. The group launched a mass messaging campaign with similar messaging. Throughout the Mahsa Amini protests the group continued to share messaging and encourage the Iranian people to protest. The group defaced the virtual education system of the Eram Shiraz Institute and shared a music video in support of the protests. The group shared imagery of graffiti. On 13 October the group defaced the online education system of Al-Zahra University. They enabled an online chat room to provide an open space for discussions about the protests. They also launched a mass messaging capability.
- 31 October 2022 – The group announced the creation of a new “Partisan” Telegram channel for field activities and guidance on distributing flyers, writing slogans, or confronting repressive forces.
- 29 November 2022 – Continued exposure of confidential documents relating to the Khatam Al Anbiya IRGC HQ and the relationship between the IRGC and the Assad regime.
- From October 2022 onwards, the group shifted its pattern on social media to become more of an influential voice in the space, encouraging protests and dissent. It asked for support in its activities, including asking people to insert a USB or click a link, declared readiness to work with other hacking groups, and encouraged violence/assassination against Basij.
- 2023 – Began doxxing Basiji and IRGC officials and encouraging Iranian people to target them. For most individuals, personal information was leaked, often including national ID, car registration, home address etc.
- 8 February 2023 – The group hacked the Isfahan municipality and launched a mass messaging campaign (SMS and emails) encouraging the people of Isfahan to protest and withdraw their cash from the banks. Leaked photos and emails from the Isfahan Municipality systems.
- 13 February 2023 – Leaked documents relating to QF activities in Syria.
- 23 February 2023 – Exposed a claim that the IRGC was behind producing chemical weapons to fight national protests.
- March 2023 – Exposed an IRGC official allegedly behind the production of chemical weapons.
- 3 May 2023 – Leaked confidential documents, letters and brochures relating to various IRGC affiliated shell companies, investment details and links to Syria. The group continued to release various sensitive documents for a few days relating to the Milad International Group and cargo ships that work with the IRGC.
- 24 May 2023 – The group DDoSed the Zahedan municipality website (zahedan.ir). The group mentioned that they had support from a group called DDoSEmpire.
- 11 September 2023 – The group shared the DDoS of the website of the Sanandaj Municipality (sanandaj.ir). The group mentioned the attack was in co-operation with the group powerproofsziy.
- 13 September 2023 – The group shared the DDoS of the website of the Rasht Municipality (rasht.ir). The group again thanked powerproofsziy for performing the DDoS attack on their behalf.
- 28 September 2023 – The group leaked top secret documents relating to IRGC production of chemical weapons including the use of anaesthetic poisons. The group highlighted that these activities are in violation of international obligations.
- 9 October 2023 – The group shared a DDoS attack against the Mashad municipality website and the Zahedan municipality website.
- 19 December 2023 – The group exposed confidential documents detailing financial transactions allegedly transferring billions of dollars from Iran to the Assad family in Syria by the IRGC QF. The group released a second set of related documents on 17 January 2024.
- 14 March 2024 – The group shared the defacement of the website of an Iranian antibiotics manufacturing company by a group called BLACK WOLVES who shared the flag of the Tapandegan movement on the defacement.
- 21 June 2025 – The group leaked information relating to 5,000 IRGC officials from the Melli Bank. Over the next couple of days the group also released information about allegedly 73 million bank accounts. The group boasted about how easy their cyber attack was and claimed they could have done significant damage. The group also shared information relating to 31 million accounts from Bank Mellat. The group made a Telegram bot (@banks_leaks_bot) to allow people to more easily navigate the leaks.
Tactics/Techniques/Tradecraft/Procedures (TTPs):
- Defacement and distribution of propaganda
- Specifically target financial institutions
- Encouragement of real-world activities and organization of protests
- Leaking of confidential or classified information
- Using partners to conduct DDoS
Sources:
Telegram – @tapandegan_official
www.iranintl.com/202506245683
kayhanlife.com/news/iranian-hacker-group-tapandegan-exposes-irgc-assets
infosecurity-magazine.com/news/hackers-leak-footage-of-iranian-prison

