Iran’s cyberwar targets ordinary Americans. We need to dismantle the hacker network
In the first hours after American and Israeli airstrikes hit Iran on Feb. 28, while most of the world was watching missile tracks across the Middle East, something quieter was happening on the blockchain. Islamic Revolutionary Guard Corps (IRGC) operatives moved tens of millions out of their crypto wallets in the first hours, scaling to hundreds of millions in the days that followed.
RAKIA, a cyber intelligence firm that develops data analysis platforms used by governments and security agencies, had its analysts track the surge in real time, and Fox News Digital detailed the findings as they unfolded. The funds eventually landed in wallets used by the Houthis, Hezbollah and personal safe havens for regime insiders.
It was a tell. The same regime that spent years building a $3 billion crypto operation to fund its proxies was, in the opening hours of a war, using that infrastructure to evacuate its war chest. The two months since have brought the second act: the IRGC turning that infrastructure outward, against Americans and our allies.
Iran’s hackers are not sophisticated. Every major Iranian operation against Americans this year has run on the same cheap fuel: stolen passwords, harvested by commodity malware, basic widely available hacking software, sold for a few dollars on dark web marketplaces America already has the tools to dismantle.
IRAN MOVES HUNDREDS OF MILLIONS IN CRYPTO DURING NATIONWIDE INTERNET BLACKOUT, REPORT REVEALS
President Donald Trump’s strikes on Feb. 28 proved this regime responds to pressure. Extending that posture into cyberspace, going after the credential supply chain the way America already goes after ransomware infrastructure, is how to shut the door on these breaches before they get any closer to home.
At the end of March, Iran-linked hackers reportedly breached FBI Director Kash Patel’s personal email and posted years-old photos and documents online. The pro-Iranian group Handala, which the Justice Department has formally linked to Iran’s Ministry of Intelligence and Security, announced that the head of America’s premier law enforcement agency was now "among the list of successfully hacked victims."
Patel was not the only target. On March 11, the same group crippled Stryker, one of America's largest medical device makers, wiping more than 200,000 devices across 79 countries and disrupting care for the 150 million patients it serves a year.
IRAN-LINKED HACKERS TARGET US MEDICAL TECH COMPANY
On March 18, Iranian hackers defaced the website of Yeshiva World News, one of the most-read Orthodox Jewish news sites in America, replacing its homepage with images of the Iranian supreme leader. The Justice Department has documented Handala using its infrastructure to send death threats to Jewish journalists and Iranian dissidents living in America, and to solicit Mexican cartel "partners" to carry out violence on its behalf.
None of these attacks required sophisticated malware. They required one thing: a stolen password. The Stryker wipeout traces back to a single administrator credential almost certainly harvested by everyday commodity malware called an infostealer and sold for a few dollars on a Russian-language forum. The Patel breach, the Yeshiva World News defacement, the broader pattern, all of it runs on the same supply chain.
That supply chain is not in Tehran. It is in dark web marketplaces operating largely in plain sight, where infostealer operators sell millions of stolen American credentials a month to anyone with a wallet address. Iranian intelligence is one buyer in those markets. It is also a vendor, running campaigns from Iranian IP addresses against Western users to feed the same markets. Same operators. Same infrastructure. Different targets.
AMERICA COULD BE HIT WITH 'HIGH-IMPACT' CYBERATTACK TARGETING ENERGY GRID, FMR WH TECH CHIEF SAYS
The escalation has not stayed in America’s lane. On May 4, the same Handala group that breached Patel and Stryker claimed it had penetrated the strategic Emirati port of Fujairah, stealing 430,000 documents including maps of the port's oil pipelines, and handing those maps to IRGC missile units, which then struck the port minutes later.
The strike itself was confirmed by Bloomberg and Reuters. The cyber-enabled-targeting claim is unverified, but the operational model Handala is advertising, cyber reconnaissance feeding kinetic targeting, is precisely the integrated doctrine RAKIA analysts have observed across this campaign. Either it happened, or Iran wants its adversaries to believe it can. Both are strategic threats.
The UAE is one node in a wider pattern. Their top cybersecurity official disclosed the country is now absorbing between 500,000 and 700,000 cyberattack attempts per day, with a clear jump after Feb. 28. The supply chain that feeds American breaches feeds these operations too.
IRAN’S NUCLEAR GAMBLE LEAVES AMERICA ONE CHOICE — AND IT CAN'T BE A DEAL
The administration has every existing tool in play. Treasury sanctions wallets. The FBI seizes Handala’s websites and indicts the operators. The State Department offers $10 million rewards. Each addresses the symptom, not the source. None touches the credential supply chain that makes every one of these attacks possible. The next move is going upstream. This is no longer a foreign policy problem. It is a supply chain problem, and it has a supply chain solution.
Infostealer marketplaces should be treated the way America treats ransomware infrastructure: as legitimate military and intelligence targets. The Pentagon’s Cyber Command has the authority and capability to take dark web credential markets offline, and has used those authorities against ransomware operators with real effect. There is no defensible reason to treat the marketplace selling Iran the keys to American hospitals as a lower priority than the one selling Russia the keys to American pipelines.
1.7 BILLION PASSWORDS LEAKED ON DARK WEB AND WHY YOURS IS AT RISK
The federal government can also mandate real-time stealer log monitoring for every federal agency, defense contractor and operator of critical infrastructure. When the Stryker administrator’s credentials surfaced on a dark web market, somebody should have known within minutes.
CLICK HERE FOR MORE FOX NEWS OPINION
And any future deal with Iran must put crypto sanctions compliance on equal footing with the nuclear file. An agreement that ignores the financial pipelines funding Hezbollah, the Houthis and IRGC operations is an agreement that funds the next war.
Some will say going on offense against credential markets is too aggressive. The status quo is more aggressive, against Americans, against allies and against anyone in range of an IRGC missile guided by stolen data. Stryker patients felt it. Patel felt it. Yeshiva World News readers felt it. The UAE is feeling it now. Defense alone has failed.
The credentials are mapped. The marketplaces are visible. The operators leave fingerprints. The window to act is open.
It will not stay open forever.