Cyber domination in the war between Israel and Iran


The protracted war between Israel and Iran has also been characterised, predictably, by actions carried out on the cyber level. Let us try to delve into some of them in order to understand them better.

Brief history

  • 13 June 2025: Israel attacks Iran at around 2 a.m. (op. Rising Lion).
  • 22 June 2025: The US intervened with air strikes against three Iranian nuclear sites located in Fordow, Natanz and Esfahan.

Hitting the banks

The Israeli collective Predatory Sparrow (also known as Gonjeshke Darande) attacked the Iranian state-owned Bank Sepah. The collective explained that the attack was necessary because Bank Sepah was financially supporting Iranian military operations against Israel. The original message read:

Destruction of the infrastructure of the Islamic Revolutionary Guard Corps ‘Bank Sepah’
We, ‘Gonjeshke Darande’, conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ ‘Bank Sepah’. ‘Bank Sepah’ was an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile programme and its military nuclear programme. This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies. We thank the brave Iranians whose help made this operation possible.

The last sentence, ‘We thank the brave Iranians whose help made this operation possible’, will not escape the notice of the most observant readers. It follows that this attack, according to the message itself, was also made possible by collaboration from inside Iran.

The attack was in fact not ‘trivial’: it affected the network linking the central systems to the ATM terminals, compromising the functioning of the latter. As many readers will be aware, the escalation of the conflict has caused citizens to flee Tehran; TGCom 24 published an article in which this situation is summarised very well: ‘Those who can, leave the capital; those who are unable to do so feel trapped, looking for shelters in which to protect themselves. However, leaving the city for a long time requires money, and if the banking network does not work, it becomes difficult to escape; this is also in light of the fact that banks in Tehran have restricted cash withdrawals.’

Change of messaging

In Iran, the population used WhatsApp massively, which, as the reader will know, enjoys a certain level of protection thanks to end-to-end encryption. Iran had created a proprietary application for message exchange: its name is Bale Messenger (in Persian the word means ‘yes’) and it allows people to exchange messages and make payments, in a way very similar to the Chinese WeChat and comparable apps. The app was launched in December 2016 by the National Bank of Iran (through SADAD Informatics Corp), with the intention of combining chat, VoIP calls and financial services in a single app, but precisely because it was a ‘state app’ it was frowned upon. The fear of many citizens was that the regime might spy on their conversations and, given the chance, many turned to WhatsApp instead. When war broke out, Internet access was restricted and limited, and many uninstalled WhatsApp to install Bale Messenger.

On the technical side, Bale Messenger participates in the ‘Message Exchange Bus’ (MXB), a network operated by the relevant ministry that allows messages to be exchanged between Iranian domestic platforms such as Eitaa, Soroush, Rubika, Gap and iGap. It does not offer end-to-end encryption: messages are client-server encrypted, but can be read by servers and authorities. Expert reports (Open Tech Fund) point to the absence of real privacy, given the absence of end-to-end encryption and the ability of servers to analyse content, URLs, and activity. On this particularly delicate point, it is good to be clear: according to Open Tech Fund, the Iranian government has stated that Bale and other applications are protected by end-to-end encryption (E2EE – End to End Encryption).

According to the Iranian government, as many as 89 million people have signed up to use Iranian messaging apps and Eitaa, Rubika, and Bale, in particular, are gaining in popularity. All three are interoperable and claim to use end-to-end encryption (E2EE), whereby only the sender and receiver of messages are able to read their contents.

However, technical checks carried out on the applications in question revealed the complete absence of end-to-end encryption.

OTF’s Security Lab performed an audit of these apps in December 2023 and October 2024 to try and answer these questions. All three apps were confirmed not to use E2EE.

The security audit, for those who would like to learn more about this topic, was conducted on three android applications:

  • Eitaa (v6.4.2, SHA256:943d25d2cb842ee91e404922c9eeb7433158ba14ee5da821de3870cd92676731)
  • Rubika (v3.7.5, SHA256:9f4ca46bbcec994063376f18cc3c3f7adcdf7c41fd5de9eabaafc4c050d4da6d)
  • Bale (v9.41.5, SHA256:9bb94f028bb34e97123b26ca7baefd10c7191fa61b3c6ecbd1f4928a75bc3f8f)

And there are some conclusions that, in my opinion, deserve to be known (source: Open Tech Fund):

  • All three apps used different forms of client-server encryption, but none had E2EE enabled to keep conversations between users protected from back-end servers, despite government claims.
  • The MXB service mentioned above, which is managed at state level, maintains a directory of participating users and its servers could potentially display messages in the clear due to the lack of E2EE in any of the apps.
  • Due to the lack of E2EE in the apps, all chat and user information (e.g. names, phone numbers) was readable by the back-end servers of the apps.
  • In the case of Eitaa, unsent draft messages were also reported to the back-end server of the application.
  • The auditors found no cases of unexpected sensor data being sent, such as a user’s microphone or camera being enabled without their knowledge.
  • In all three apps, when users clicked on URLs in the messages that were sent to them, they were redirected to the app’s backend server with the original URL in the query string unless the URL was contained in a short list of ‘safe’ URL permissions. This would effectively allow the servers to monitor which websites were viewed by users within the app. This also adds a layer of censorship, as apps are forcing users to go through their own webpage to access unapproved external domains and could block them at any time. A user could easily circumvent this, however, by pasting the link into a separate web browser.
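The findings above come down to one architectural fact: with client-server encryption alone the back-end server is a party to every conversation, so it can read the content, extract the URLs, and rewrite what is delivered; with end-to-end encryption it relays bytes it cannot interpret. The following toy model makes that difference concrete. It is an added example, not code from the article, from Open Tech Fund or from any of the apps discussed; the stream cipher, the pre-shared user key (standing in for a real key agreement), the hostnames, the allowlist and the redirect endpoint are all constructed for the demo.

```python
"""Toy model of client-server encryption versus E2EE (added example).
The cipher, key handling, hostnames and redirect endpoint are constructed
for the demo and are not the real apps' protocols."""
import hashlib
import hmac
import os
import re
from urllib.parse import quote, urlparse

NONCE_LEN = 12
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
SAFE_HOSTS = {"example-allowed.ir"}                       # constructed allowlist
REDIRECT_ENDPOINT = "https://relay.example/redirect?url="  # hypothetical backend


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)
    blocks. Use a real AEAD such as AES-GCM or ChaCha20-Poly1305 in practice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def wrap_links(text: str) -> str:
    """Server-side link rewriting: every URL is routed through the backend's
    redirect endpoint unless its host is on the short allowlist."""
    def repl(match):
        url = match.group(0)
        if urlparse(url).hostname in SAFE_HOSTS:
            return url
        return REDIRECT_ENDPOINT + quote(url, safe="")
    return URL_RE.sub(repl, text)


def looks_like_text(data: bytes):
    """Return the decoded string if data is readable text, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


class Relay:
    """The server in the middle: it holds every client's transport key but
    never a key shared only between two users."""

    def __init__(self, transport_keys):
        self.transport_keys = transport_keys
        self.log = []   # what the operator learns from each forwarded message

    def forward(self, sender, recipient, envelope):
        inner = decrypt(self.transport_keys[sender], envelope)  # peel the client-server layer
        text = looks_like_text(inner)
        if text is None:   # opaque: the users applied their own encryption
            self.log.append({"from": sender, "to": recipient, "readable": False, "urls": []})
        else:              # plaintext: content, URLs and metadata are all visible
            self.log.append({"from": sender, "to": recipient, "readable": True,
                             "urls": URL_RE.findall(text)})
            inner = wrap_links(text).encode()   # and the server may alter what is delivered
        return encrypt(self.transport_keys[recipient], inner)  # re-wrap for the recipient


def send_message(relay, sender, recipient, text, user_key=None):
    """Push one message through the relay and return what the recipient reads.
    user_key is held only by the two endpoints (E2EE); None means
    client-server encryption only."""
    payload = text.encode()
    if user_key is not None:
        payload = encrypt(user_key, payload)
    envelope = encrypt(relay.transport_keys[sender], payload)
    delivered = relay.forward(sender, recipient, envelope)
    inner = decrypt(relay.transport_keys[recipient], delivered)
    if user_key is not None:
        inner = decrypt(user_key, inner)
    return inner.decode()


def demo():
    """Send the same constructed message both ways; return both deliveries and the relay log."""
    relay = Relay({"alice": os.urandom(32), "bob": os.urandom(32)})
    msg = "meet at https://news.example.org/story or https://example-allowed.ir/ok"
    plain = send_message(relay, "alice", "bob", msg)
    e2ee = send_message(relay, "alice", "bob", msg, user_key=os.urandom(32))
    return plain, e2ee, relay.log


if __name__ == "__main__":
    plain, e2ee, log = demo()
    print("client-server only -> recipient sees:", plain)
    print("end-to-end         -> recipient sees:", e2ee)
    for entry in log:
        print("relay saw:", entry)
```

Running `demo()` shows the two outcomes side by side: in the client-server case the relay logs the sender, recipient and both URLs, and the recipient receives the news link rewritten to the redirect endpoint (the allowlisted one is left alone); in the E2EE case the relay logs only the metadata, finds no URLs, and the recipient receives the message unchanged. The metadata entry is the same in both cases, which is why the audit still reports names and phone numbers as visible to the server even where content is protected.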

A further aspect of interest is how Bale Messenger came about from a development point of view. The Eitaa and Rubika apps are based on Telegram’s source code; in Eitaa the secret-chat functionality (which did use E2EE) was removed. Bale, on the other hand, was derived from the Actor Messaging Platform, source code developed and later abandoned by a former Telegram engineer. Its last release dates from 3 August 2016, as can be seen from the screenshot taken on 18 June at around 09:30.

Screenshot of the GitHub repository of the Actor Platform project

The impact on Italy


In June 2025, the DieNet collective claimed a data breach against the National Confederation of Artisans (CNA). According to KrakenLabs’ statement on X, the motivation for the attack was the Israel-Iran conflict. Specifically, the motivation would be:

DieNet accuses the G7 nations, particularly Italy, of supporting the ‘axis of tyranny’ (US, UK, France, Germany, Japan, Canada, Italy). They warn: ‘Do not support the killings. Do not attack Iran. Or you will do as Italy did’.

The data breach allegedly affected a volume of over 34,000 files, including contracts and identity documents. The attack, again as reported by KrakenLabs, is just one of those that will hit ‘G-7 aligned nations’.

Who is DieNet?

DieNet announced itself online on 7 March 2025 and claimed the attack against the social network X, as also explained in an article in The Guardian. In particular, according to SITE Intelligence, the attack against X was a test. According to Sharon Levin (Radware Linkers Program Manager), between 11 and 17 March it would have been responsible for about sixty attacks (about 10 per day) against various targets including SpaceX, Nasdaq, and TikTok, employing different techniques including DDoS. Specifically, The Guardian lists the affected sectors as public transport, Iraqi government offices, web portals, energy, healthcare, and e-commerce. According to the NetScout portal:

DieNet has targeted the Los Angeles Metropolitan Transportation Authority, Port of Los Angeles, and Chicago Transit Authority, as well as the North American Electric Reliability Corporation, and in Iraq, it has targeted the Ministry of Foreign Affairs. The group also has targeted large centres of digital commerce and communication, such as X, medical websites such as MediTech and Epic, the Internet Archive, NASDAQ, and other large ecommerce and software-as-a-service (SaaS) providers.

Collaborations

As often happens in such cases, the DieNet collective also actively collaborates with other collectives. Among the main ones are:

  • Mr Hamza is a pro-Palestinian hacktivist group that has shown links with pro-Russian and pro-Iranian circles over time. Its operations mainly focus on attacks against Western government agencies, critical infrastructures (such as transport, energy and communications) and private companies considered close to ‘hostile’ governments according to their political views. On 7 March 2025, Mr Hamza publicly promoted DieNet, suggesting not only an ideological alliance but also a possible technical collaboration to increase capacity and coordination in attacks. We recommend reading the in-depth article on this actor.
  • LazaGrad Hack is a hacktivist collective with a double ideological affiliation: on the one hand it supports the Palestinian cause, on the other hand it openly shows sympathy for the Russian geopolitical narrative. This group has actively collaborated with DieNet since its inception, sharing both symbolic goals (such as hostility towards Western institutions) and, probably, part of the technical infrastructure needed to carry out attacks. Their activity on Telegram in March 2025 played a key role in making DieNet’s operational debut visible and promoted.
  • Sylhet Gang-SG is a hacktivist group characterised by very explicit rhetoric, with statements of hostility aimed at all those perceived as ‘allies of Zionism’. Their activities focus on DDoS (Distributed Denial of Service) attacks, particularly against Western and Israeli organisations. The group has shown synergy with DieNet by cross-promoting content and sharing common targets. Their membership and support for the launch of DieNet’s activities in early March 2025 is an important indication of the relational network that is being consolidated between these collectives.
  • OverFlame is another active player in the landscape of ideological cyber attacks. Although there are no direct public statements of affiliation to DieNet, the analysis of network traffic from DDoS attacks showed a clear sharing of technical infrastructure, especially that based on DDoS-as-a-Service. This suggests a technical collaboration or, at the very least, a coordinated use of common resources, perhaps purchased or rented from specialised underground providers.
  • DenBots Proof is a group that, like OverFlame, uses the same DDoS-as-a-Service infrastructure employed by DieNet. Investigations into the origin of malicious traffic reveal that these groups not only adopt similar tools, but probably actively cooperate to make the most of the available attack vectors. This type of sharing – of both tools and targets – helps amplify the effectiveness of attacks and complicates the ability of traditional defences to respond.
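The claim that OverFlame, DenBots Proof and DieNet share DDoS-as-a-Service infrastructure rests on the kind of analysis a SOC can reproduce: compare the sets of attacking sources seen across campaigns attributed to different groups and flag pairs whose overlap is too large to be coincidence. The script below is an added example, not from the article or from any named vendor; its flow-log excerpt, campaign labels (C1 to C4, deliberately not the groups named above) and source addresses are constructed from the documentation IP ranges and are not real observations.

```python
"""Added example: flag DDoS campaigns that draw on the same attacking sources,
the overlap the text describes as evidence of shared DDoS-as-a-Service
infrastructure. All log lines, labels and addresses are constructed."""
from itertools import combinations
import re

# Constructed flow-log excerpt: one attacking source per line, tagged with the
# campaign it was observed in. C1..C4 are placeholder labels, not real groups.
SAMPLE_LOG = """\
2025-03-12T10:00:01Z campaign=C1 src=203.0.113.10 dst=198.51.100.5 proto=udp
2025-03-12T10:00:02Z campaign=C1 src=203.0.113.11 dst=198.51.100.5 proto=udp
2025-03-12T10:00:03Z campaign=C1 src=203.0.113.12 dst=198.51.100.5 proto=udp
2025-03-12T10:00:04Z campaign=C1 src=203.0.113.13 dst=198.51.100.5 proto=udp
2025-03-13T11:00:01Z campaign=C2 src=203.0.113.10 dst=198.51.100.9 proto=tcp
2025-03-13T11:00:02Z campaign=C2 src=203.0.113.11 dst=198.51.100.9 proto=tcp
2025-03-13T11:00:03Z campaign=C2 src=203.0.113.12 dst=198.51.100.9 proto=tcp
2025-03-13T11:00:04Z campaign=C2 src=192.0.2.7 dst=198.51.100.9 proto=tcp
2025-03-14T09:30:01Z campaign=C3 src=203.0.113.10 dst=198.51.100.21 proto=udp
2025-03-14T09:30:02Z campaign=C3 src=203.0.113.13 dst=198.51.100.21 proto=udp
2025-03-14T09:30:03Z campaign=C3 src=192.0.2.8 dst=198.51.100.21 proto=udp
2025-03-14T09:30:04Z campaign=C3 src=192.0.2.9 dst=198.51.100.21 proto=udp
2025-03-15T08:00:01Z campaign=C4 src=198.51.100.20 dst=192.0.2.40 proto=tcp
2025-03-15T08:00:02Z campaign=C4 src=198.51.100.21 dst=192.0.2.40 proto=tcp
2025-03-15T08:00:03Z collector health check ok
"""

LINE_RE = re.compile(r"campaign=(?P<campaign>\S+)\s+src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_sources(log: str) -> dict:
    """Map each campaign label to the set of source addresses seen in it."""
    sources = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue   # skip malformed or unrelated lines
        sources.setdefault(m["campaign"], set()).add(m["src"])
    return sources


def jaccard(a: set, b: set) -> float:
    """Set similarity in [0, 1]; 0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def shared_infrastructure(sources: dict, threshold: float = 0.5) -> list:
    """Return (campaign_a, campaign_b, similarity) for every pair whose source
    sets overlap at or above threshold, most similar first."""
    pairs = []
    for a, b in combinations(sorted(sources), 2):
        sim = jaccard(sources[a], sources[b])
        if sim >= threshold:
            pairs.append((a, b, round(sim, 3)))
    return sorted(pairs, key=lambda p: -p[2])


def shared_sources(sources: dict, pairs: list) -> set:
    """Union of the sources common to every flagged pair: a starting point for a
    rate-limit or blocklist review, not an automatic block."""
    out = set()
    for a, b, _ in pairs:
        out |= sources[a] & sources[b]
    return out


if __name__ == "__main__":
    srcs = parse_sources(SAMPLE_LOG)
    flagged = shared_infrastructure(srcs, threshold=0.3)
    for a, b, sim in flagged:
        print(f"{a} and {b} share sources (Jaccard {sim})")
    print("shared sources:", sorted(shared_sources(srcs, flagged)))
```

With the constructed data, C1 and C2 overlap on three of five distinct sources (Jaccard 0.6) and are flagged at the default threshold; C1 and C3 overlap only on two of six (0.333) and appear only when the threshold is lowered, while C4 shares nothing. The threshold is the analyst's judgement call: rented booter pools rotate, so a low-but-recurring overlap across several campaigns is often a stronger signal than a single high score.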

Threat Actors Map
