MuddyWater
List of names used by the industry: Date founded: MuddyWater was first publicly identified in 2017 and is known to use a wide range of tools and techniques in its operations. The name “MuddyWater” was coined by Palo Alto Networks…
Haghjoyan
List of names used by industry: Date founded: Affiliation: Social media handles/websites: Telegram: @Haghjoyann (Allegedly seized) Previous operations: The group’s first activity was to target and deface 50 websites, they provided a Hack-DB link to prove their activities. These attacks…
Behzad Mesri
Behzad Mesri is an Iran-based hacker and former CEO of the Net Peygard Samavat Company (later rebranded as Emennet Pasargad). He is publicly accused, by the US, of conducting high‑profile intrusions, data theft, extortion, and participating in state‑aligned malicious cyber…
Handala Hack
List of names used by the industry: Date founded: Affiliation: Affiliated with Iran, MOIS, Hezbollah and Hamas. Social media handles/websites: Previous operations: Tactics/Techniques/Tradecraft/Procedures (TTP’s): Sources: ict.org.il/bibi-gate-handala-hack-team-a-mask-for-iranian-psychological-warfare/ ict.org.il/wp-content/uploades/2025/12/image-11-1024×341 cyberint.com/wp-content/uploads/2024/07 cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/ israelhayom.com/2025/12/28/handala-hackers-iranian-cyber-attacks-israeli-officials splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html ransomlook.io/group/handala
Homeland Justice
Homeland Justice is a state-aligned Iranian hacktivist persona used by the Ministry of Intelligence and Security (MOIS) to conduct disruptive cyberattacks and psychological-operations campaigns, most notably against Albania since 2022. The group has carried out ransomware and wiper attacks, leaked…
Ghyam ta Sarnegouni
Ghyam ta Sarnegouni, meaning ‘uprising until overthrow’, is a hacking group that has been active since 2022. They have carried out a number of high-profile hack and leak operations against the Iranian state. They often deface websites, steal data and…
Ababil of Minab
Ababil of Minab is a new pro-Iranian hacking group. The group named itself after the missile attack on Shajareh Tayyebeh School in Minab, Hormuzgan province in Southern Iran which occured on the 28 February 2026 resulting in the death of…
PRANA Network
Date founded: First appeared in August 2023 Affiliation: Group described themselves as “Freedom Fighters From The Cyber World”. Collaboration of different hacktivist groups, some members are known to be Iranian. Social media handles/websites: Telegram: @Iran_EXPOSED (No longer active), @Prana_Network (No…
IRLeaks
List of names used by the industry: IRLeaks (no other names identified) Date founded: Telegram channel was created 13 June 2023 Affiliation: Researchers have analyzed data from irleaks attacks and determined that irleaks’ activity aligns with actions of more organized,…
Anonymous OpIran
In the wake of Mahsa Amini’s death on Sep 16 2022, the international hacktivist group Anonymous launched a new campaign called Op Iran against Iran’s online infrastructure. OpIran also continue to support the “No to Executions” movement and stands with…