In the early hours following the U.S. and Israeli airstrikes on Iran on February 28, there was more happening than just missiles racing through the Middle East. Behind the scenes, operatives from the Islamic Revolutionary Guards Corps (IRGC) were busy moving vast sums of money—tens of millions, initially, which soon ballooned to hundreds of millions—out of cryptocurrency wallets. This activity was tracked in real time by RAKIA, a cyber intelligence firm that provides data analysis for governments and security agencies, and the findings were reported as they developed. The money ended up in wallets associated with the Houthis, Hezbollah, and various regime insiders.
This was a significant indicator. The same administration that developed a $3 billion cryptocurrency operation to support its proxies seemed to be using that very infrastructure to withdraw military funds in anticipation of potential conflict. Fast forward two months, and we see the Revolutionary Guard shifting its focus outward, targeting Americans and their allies.
Interestingly, Iranian hackers aren’t particularly sophisticated. Most of their actions against U.S. targets have been executed using fairly basic methods—stolen passwords from generic malware and commonly available hacking software, sold cheaply on dark web markets. It seems like America has the tools necessary to dismantle this.
President Trump’s abrupt exit on February 28 demonstrated a readiness to respond under pressure. Extending this aggressive posture into cyberspace by going after the credential supply chain mirrors the current U.S. tactics against ransomware networks. This might help contain breaches before they escalate.
In late March, it was reported that hackers with links to Iran had compromised FBI Director Kash Patel’s personal email, leaking old photos and documents. Handara, a pro-Iranian group, was reportedly linked to these activities. The Department of Justice confirmed that the head of America’s leading law enforcement agency was among those hacked.
Patel certainly wasn’t the only target. On March 11, this same group effectively crippled Stryker, a major U.S. medical device manufacturer, affecting over 200,000 devices across 79 countries and disrupting care for millions of patients annually.
On March 18, Iranian hackers defaced the website of Yeshiva World News, one of the leading Orthodox Jewish news platforms in the U.S., replacing its homepage with an image of Iran’s supreme leader. The Justice Department noted that Handara used this platform to issue death threats to Jewish journalists and Iranian dissidents in the U.S., in addition to attempting to recruit Mexican cartel members for violent acts.
None of these attacks required advanced malware. Instead, they relied on simply stealing passwords. The Stryker incident most likely stemmed from a single administrator's credentials that had been harvested by a common class of malware known as an infostealer and sold on the dark web. The leaks involving Patel, the Yeshiva site defacement, and other similar incidents all seem tied to the same supply chain.
Interestingly, this supply chain doesn’t originate in Tehran. It thrives in an underground market where data thieves sell millions of stolen American credentials every month. Iranian intelligence has been identified as one of the buyers on this marketplace, and they also run campaigns from Iranian IP addresses targeting Western users, adding another layer to the complexity.
This escalation in cyber activities isn’t confined to the U.S. On May 4, the same Handara group that compromised Patel and Stryker claimed to have breached the UAE’s strategic Fujairah port, reportedly stealing around 430,000 documents, including maps of oil pipelines, which were then handed to Revolutionary Guard missile units just moments before a strike.
While claims about cyber-enabled targeting remain unverified, the operational model touted by Handara—and noted by RAKIA analysts—suggests that cyber reconnaissance can feed into kinetic targeting. Whether this incident actually occurred or was merely intended to intimidate rivals, it represents a concerning threat on multiple levels.
The UAE isn't isolated in facing such threats; a top U.S. cybersecurity official recently revealed that the country is experiencing between 500,000 and 700,000 cyberattack attempts each day, particularly since February 28. The same supply chains that lead to breaches in the U.S. also fund such aggressive activities.
Governments are utilizing every available tool. Treasury sanctions are aimed at wallets, and the FBI has seized Handara’s website while indicting its operators. The State Department has placed a $10 million bounty on them. However, these measures only address the symptoms rather than the root cause. The crucial supply chain facilitating these attacks remains untouched. The focus should shift upstream; this isn’t just a foreign policy challenge but a significant supply chain issue that demands a supply chain solution.
Dark web marketplaces, like those selling credentials, should be treated as valid military and intelligence targets, akin to the U.S. strategy against ransomware infrastructures. The Department of Defense’s Cyber Command possesses the authority and capability to take these marketplaces offline, having already successfully targeted ransomware operators. There’s no valid rationale for prioritizing the markets selling keys to American pipelines over those supplying keys to hospitals.
The federal government might consider implementing real-time monitoring of stolen-credential (infostealer) logs for federal agencies, defense contractors, and critical infrastructure operators. When Stryker's administrative credentials were posted on the dark web, a quick response could have avoided a lot of the fallout.
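One concrete form of the monitoring suggested above, as an added example that is not part of the original article: a small Python routine that scans a constructed infostealer-style credential dump for accounts belonging to a watched organization domain and flags privileged-looking accounts first. The domain names, account names, and the `url|username|password` log layout are assumptions for illustration, not values from the page.

```python
import re
from dataclasses import dataclass

# Hypothetical organization domains to watch for (assumption, not from the article).
WATCHED_DOMAINS = {"example-medtech.com"}
# Substrings that suggest a privileged or service account and deserve first triage.
PRIVILEGED_HINTS = ("admin", "svc-", "root")

# Constructed sample dump in a common infostealer layout: URL|username|password.
# Real infostealer logs vary by family; this layout is an assumption for the demo.
SAMPLE_LOG = """\
https://mail.example-medtech.com/login|admin.jdoe@example-medtech.com|Pa55word!
https://shop.unrelated.test/account|shopper@gmail.com|hunter2
https://vpn.example-medtech.com|svc-backup@example-medtech.com|backup2024
https://portal.example-medtech.com|nurse.k@example-medtech.com|spring2024
https://portal.other.test|someone@example.org|notours
"""


@dataclass
class LeakHit:
    url: str
    account: str
    privileged: bool


def _host_of(url: str) -> str:
    """Strip scheme and path so only the hostname is compared."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def scan_log(text: str, watched=WATCHED_DOMAINS):
    """Return hits for watched domains; privileged accounts sorted first.

    The password field is deliberately never stored or returned: an alert only
    needs the account and the affected service to trigger a credential reset.
    """
    hits = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the monitor
        url, account, _password = parts
        host = _host_of(url)
        acct_domain = account.rsplit("@", 1)[-1].lower() if "@" in account else ""
        if acct_domain in watched or any(host == d or host.endswith("." + d) for d in watched):
            privileged = any(h in account.lower() for h in PRIVILEGED_HINTS)
            hits.append(LeakHit(url, account, privileged))
    return sorted(hits, key=lambda h: not h.privileged)
```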
Any forthcoming deal with Iran needs to ensure that virtual currency sanctions compliance is treated with the same gravity as nuclear agreements. Ignoring the financial channels facilitating Hezbollah, the Houthis, and the Revolutionary Guards’ activities would merely set the stage for further conflict.
Some may argue that being aggressive about the credentials market is excessive. Yet the reality is that the current situation poses greater threats to Americans, allies, and anyone within range of IRGC missiles guided by compromised data. Both Stryker's patients and Patel felt the repercussions, as did readers of Yeshiva World News. The UAE is also currently grappling with this. Defensive strategies alone have proven ineffective.
Credentials are mapped. The marketplace is visible. Operators leave fingerprints. The opportunity for action exists.
But this window won’t remain open indefinitely.