Detailed Analysis of Iran-Israel/USA Cyberwarfare
2026.03.25

✅ Report Title: Detailed Analysis of Iran-Israel/USA Cyberwarfare



✅ Executive Summary:


1. Deep & Dark Web:


- Activity among Iranian hacktivists is surging across Telegram, X (Twitter), and Dark Web forums.


- On March 9, 2026, it was confirmed that mentions of Israel and of Iran on DDW hacking forums had each increased approximately threefold since the outbreak of the war. Furthermore, cyber hacktivist groups active on the DDW have launched the #OpIsrael and #OpIran campaigns targeting each nation.


2. Expanded Target Scope:


- Although the Iran war began as a military conflict between the two nations, the scope of targets in cyberspace is expanding to include neighboring and third-party countries.


- Particularly, Gulf nations are primary targets for hacktivists due to their geographical proximity, the presence of U.S. military bases, their roles as energy and logistics hubs, and their friendly relations with Israel and the United States.


- Furthermore, hacktivist groups tend to select targets based not only on headquarters locations but also on international branches, supply chains, and military or defense cooperation relationships. Even if physically distant from the conflict zone, companies and organizations in nations with friendly relations are highly likely to be included within the scope of potential targets.


3. 2026 Iran Cyber Warfare Ecosystem:


- The ecosystem is characterized by a pyramidal structure consisting of APTs, ransomware groups, dark web threat actors, and hacktivists, categorized by their technical sophistication, level of organization, and attack impact.


- Generally, the higher the layer, the more groups take the form of small, elite units with high technical complexity and destructive impact. Conversely, in the lower layers the number of participants increases, while technical proficiency and actual attack impact tend to be comparatively lower.


- This structure demonstrates that the cyber warfare ecosystem is composed of diverse layers of threat actors.



📌 2026 Iran War


- On February 28, 2026, the war broke out as the United States and Israel initiated a large-scale airstrike: Operation Epic Fury, targeting military bases, missile facilities, and nuclear-related sites throughout Iran. Iran retaliated by attacking Israel and U.S. military bases in the Middle East using missiles and drones. Simultaneously, armed groups linked to Iran, such as Hezbollah, joined the attacks, leading to a widening of the conflict across multiple regions in the Middle East.

 


📌 Timeline of Pro-Iran vs Pro-Israel Hacktivist Groups


- 2023-10-07: The Israel-Hamas war broke out as the Palestinian militant group Hamas launched a large-scale attack against Israel. In response, Israel officially declared war on Hamas, and cyber hacktivist groups launched #OpPalestine and #OpIsrael campaigns targeting both nations.


- 2024-07-31: The Palestinian militant group Hamas stated that “Ismail Haniyeh, the supreme leader of Hamas, was killed in an Israeli attack while visiting Tehran to attend the inauguration of the Iranian president.” Following this event, pro-Palestinian hacktivist groups used the #Free Palestine tag to declare cyber warfare against Israel and carried out DDoS attacks.


- 2026-02-28: The cyber warfare associated with the Iran War is not a short-term development between Israel and Iran; rather, it is the result of years of cumulative military and political tensions in the Middle East spilling over into the cyber domain. In particular, the launch of the joint U.S.-Israeli military operation, Operation Epic Fury, in 2026 caused tensions to escalate once again; analysis indicates that cyber warfare expanded in earnest during this process, with cyberattacks and information warfare being conducted in parallel.


- Immediately after the start of the Iran War, pro-Iranian hacktivist groups posted political messages and united to announce upcoming cyberattacks. On Telegram, at least 94 pro-Iranian hacktivist groups and more than 15 anti-Iranian hacktivist groups have been identified, with numerous new hacktivist Telegram channels emerging since the onset of the Iran War.

 


📌 Analysis of Israel and Palestine Trend in Deep & Dark Web / Telegram


- 2025-03-01 ~ 2026-03-09: The volume of posts and messages related to Iran and Israel—monitored across approximately 80 pro-Iranian and pro-Israeli hacktivist groups on major hacking forums including DDW and Telegram—exhibited a triple-peak growth trend triggered by specific geopolitical events.

  - Following the military conflict between Iran and Israel on June 13, 2025, the volume of related posts and messages surged sharply. Compared to pre-conflict levels, activity on the DDW increased approximately fivefold, reaching a daily average of 21.2 posts. Meanwhile, Telegram saw a threefold increase, with a recorded daily average of 1,591 messages.

 


📌 Analysis of Ecosystem Iran and Israel Hacktivist Groups


- It has been confirmed that pro-Iranian hacktivist channels do not simply act individually; instead, they form a loosely but structurally connected network facilitated by message forwarding and declarations of alliance.


- In particular, pro-Iranian, pro-Russian, and pro-Islamic hacktivist groups are indirectly linked through several core channels. Even among channels with no confirmed direct interaction, numerous indirect connections at a two-to-three-step level—mediated by intermediate channels—have been identified.


- Due to these structural characteristics, when a specific group initiates an attack campaign or declares a target, identical or similar attack campaigns tend to spread within a short period, centered around adjacent allied channels.


- In contrast, for pro-Israeli hacktivist groups, the scale of alliance networks between Telegram channels is relatively smaller than that of pro-Iranian groups, and no distinct alliance structure centered around specific core channels has been significantly observed.


- While pro-Iranian hacktivist groups target Israel as their primary objective and expand their scope to various nations and organizations such as Ukraine, Western countries, and NATO-related institutions by forming alliances with pro-Islamic or pro-Russian groups, pro-Israeli hacktivist groups tend to focus more narrowly on targets directly associated with Iran, such as Iranian government agencies, corporations, infrastructure, and web services.
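
The link structure described above (core channels, plus channels with no direct interaction that are still connected in two to three steps) can be reproduced from forwarding and alliance records with a plain graph traversal. The following is an added example, not S2W's method or code; the channel names and links are constructed placeholders, and treating a forward or alliance post as an undirected link is an assumption.

```python
from collections import defaultdict, deque

# Constructed sample: (origin_channel, channel_that_forwarded_or_allied).
# Names are placeholders, not real groups.
LINKS = [
    ("core_A", "grp_1"), ("core_A", "grp_2"), ("core_A", "grp_3"),
    ("core_B", "grp_3"), ("core_B", "grp_4"), ("core_B", "grp_5"),
    ("grp_5", "grp_6"),
    ("solo_X", "solo_Y"),  # separate small cluster with no core channel
]

def build_graph(links):
    """Undirected adjacency: a forward or alliance post links both channels."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def hops_from(graph, start, max_hops=3):
    """Breadth-first distances from start, not expanding past max_hops."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def indirect_neighbours(graph, channel, max_hops=3):
    """Channels with no direct link to `channel` but reachable in 2..max_hops."""
    return {c: d for c, d in hops_from(graph, channel, max_hops).items() if d >= 2}

def core_channels(graph, min_degree=3):
    """Channels whose number of direct links marks them as hubs."""
    return sorted(c for c, n in graph.items() if len(n) >= min_degree)

if __name__ == "__main__":
    g = build_graph(LINKS)
    print("core channels:", core_channels(g))
    print("indirectly linked to grp_1:", indirect_neighbours(g, "grp_1"))
```

When a monitored channel announces a campaign, the indirect-neighbour set is the watch list of channels where the same campaign is most likely to reappear next.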

 


📌 Major Hacktivist Groups


- When a physical military conflict breaks out, linked cyber warfare tends to unfold in cyberspace as well. Various types of threat actors participate in such cyber warfare, including APTs (state-sponsored attack groups carrying out state strategic objectives), ransomware groups, hacktivists, and opportunistic actors, each conducting cyber-attack activities with different motives and methods.


- APT groups, which are assessed to pose the highest level of risk, operate according to national strategic goals, and offensive activity targeting major Israeli institutions and the United States has recently been observed on an ongoing basis.

  - 2026-03-06: Evidence was discovered that Seedworm, an APT group linked to the Iranian Ministry of Intelligence and Security (MOIS), conducted attacks against US banks, airports, non-profit organizations, and software companies.


- In contrast, cases where hacktivist-aligned attack groups target the United States directly are relatively limited; instead, they tend to focus on countries friendly to the U.S. and Israel, as well as neighboring Middle Eastern nations, as their primary targets.


 


📌 Analysis of Threat Actors’ Hacking Methods


- Analysis of the attack types used by pro-Iranian and pro-Israel hacktivist groups confirms that DDoS (Distributed Denial of Service) attacks account for the largest proportion of all attack types.


- Because DDoS has a relatively low technical barrier and allows many individuals to participate simultaneously, it is the most widely used attack method in hacktivist campaigns. On Telegram, there have been many confirmed cases where, after a specific attack target is disclosed, related channels simultaneously encourage participation in DDoS attacks or share whether the attack was successful.


- Other attack methods identified include Website Defacement, Data Leak and Sale, and activities related to vulnerabilities and malware. In some cases, attempts to attack OT (Operational Technology) or industrial control systems have also been observed.



✅ Recommended Threat Detection and Mitigation Actions:


- To prepare for the main attack methods of pro-Iran hacktivist groups, review the DDoS response system for external services and strengthen monitoring of abnormal traffic. In anticipation of additional attacks such as website defacement and data leakage, also check the overall security system, including enhancing web service vulnerability management.


- Since there are many cases of exaggerating attack results or posting fake or re-distributed data as if newly leaked, it is recommended to assess the risk of leaked data and verify whether it contains actual sensitive information before taking action.


- It is necessary to conduct an attack surface review to determine whether critical internal services such as Admin, Dev, Git, and DB are exposed externally, and to promptly strengthen access controls and apply vulnerability patches for identified exposed assets.


- Threat actors operating on the dark web actively use account information leaked on DDW to attempt logins to critical systems, so enforcing MFA for key accounts such as SSO, VPN, and admin, and blocking legacy authentication methods, is necessary.
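
One way to carry out the leak verification recommended above, separating re-distributed records from new ones before deciding on a response. This is an added example, not part of the S2W report; the `email:secret` record format, the function names, and all sample data are constructed assumptions.

```python
import hashlib

def fingerprint(record):
    """Normalise an 'email:secret' line and hash it, so corpora can be
    compared without keeping the secrets themselves."""
    email, _, secret = record.strip().partition(":")
    return hashlib.sha256(f"{email.lower()}:{secret}".encode()).hexdigest()

def triage_leak(claimed, known_fingerprints, active_accounts):
    """Split a claimed leak into recycled and new records, and pick out the
    new records that belong to currently active accounts."""
    recycled, new_active, new_other = [], [], []
    seen = set()
    for line in claimed:
        fp = fingerprint(line)
        if fp in seen:  # duplicate lines only pad the claimed record count
            continue
        seen.add(fp)
        email = line.strip().partition(":")[0].lower()
        if fp in known_fingerprints:
            recycled.append(email)
        elif email in active_accounts:
            new_active.append(email)
        else:
            new_other.append(email)
    total = len(seen)
    return {
        "unique_records": total,
        "recycled_ratio": len(recycled) / total if total else 0.0,
        "reset_and_review": sorted(new_active),
        "new_but_inactive": sorted(new_other),
    }

# Constructed sample data (example.com addresses, made-up secrets).
KNOWN = {fingerprint(r) for r in [
    "alice@example.com:Spring2021!",
    "bob@example.com:hunter2",
    "carol@example.com:qwerty",
]}
ACTIVE = {"alice@example.com", "dave@example.com"}
CLAIMED = [
    "Alice@example.com:Spring2021!",  # recycled, differs only in case
    "bob@example.com:hunter2",        # recycled
    "bob@example.com:hunter2",        # duplicate line
    "carol@example.com:qwerty",       # recycled
    "dave@example.com:N3w-secret",    # not seen before, account is active
    "erin@example.com:letmein",       # not seen before, no active account
]

if __name__ == "__main__":
    print(triage_leak(CLAIMED, KNOWN, ACTIVE))
```

A high recycled ratio supports treating the post as re-distributed data, while any entry under `reset_and_review` warrants a credential reset and a check that MFA is enforced on that account.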



🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform.

