Iran’s hybrid warfare and exploiting digital technology to spy illustration by Linas Garsys / The Washington Times Iran’s hybrid warfare and exploiting digital … more >

Iran exploiting digital platforms to buy intelligence, cheap

by · The Washington Times

OPINION:

On June 9, when a 20-year-old U.S. citizen living in Jerusalem was arrested on charges of spying for Iran, counterintelligence missed the real story.

The man reportedly ran microtargeted errands via commercial apps to document infrastructure for pocket change. This absolute pettiness — tens or hundreds of dollars per task — is what matters.

Tehran is buying raw civilian behavior through a hyperfragmented, gig economy model of hybrid warfare: Go here, photograph this, collect the crypto. This algorithmic erosion turns everyday platforms into operational cutouts, weaponizing regular civilians as ambient sensors.

Iran’s approach starts lower and spreads wider, targeting individuals near a base, a port or a minister’s residence. The recruit needs no strategic overview; he must only complete the next task.

Consumer apps act as access layers. Instagram handles the approach, Telegram serves as the command channel, WhatsApp builds intimacy and cryptocurrency handles payments. Fake work, flirtation and freelance tasks provide the cover, turning everyday software into an operational cutout.

The scale is clear. A data registry published in June by the Israeli newspaper Haaretz analyzed 72 defendants, revealing that security services had dismantled more than 40 distributed networks and indicted more than 70 individuals since the Iran war began. Forget traditional ideological recruitment; the breakdown is purely opportunistic.

One-third of those recruited are former Soviet bloc immigrants, 20% are Arab citizens and 11% are ultra-Orthodox. Israel’s Shin Bet security agency has reported a 400% compounding annual spike in these funnels designed to find a single open door. This is a market, not a ring.

The pipeline penetrates both minors and adults. Judicial logs cataloged the indictment of a 14-year-old from central Israel who accepted cryptocurrency to map troop concentrations near Ichilov Hospital and record the Tel Aviv skyline over defense headquarters.

Advertisement Advertisement

Asked to target Foreign Minister Gideon Sa’ar’s residence, the boy said he would handle it during vacation.

Adults follow an identical slope. Fares Abu al-Hijja was pulled from Telegram to hide burner phones and photograph streets near the home of former defense minister Yoav Gallant. Dimitri Cohen was sentenced to 8½ years after an Iranian front offered him $500 in crypto payments to photograph ports and the Hadera power plant.

By 2024, these errands had matured into a full collection apparatus. Seven Azerbaijani immigrants in Haifa executed roughly 600 mapping missions over two years, pocketing $300,000 to chart Iron Dome batteries, ports and air bases. Crucially, their tasking included missile impact sites; Tehran was using civilian cameras for real-time battle-damage assessments rather than traditional reconnaissance.

From there, the cases darkened. Moti Maman was sentenced to 10 years for discussing assassination plots against senior officials. By early this year, perimeter breaches had expanded into active military networks. Reports confirmed the arrest of combat soldiers and air force technicians leaking positions and manufacturing explosive payloads via encrypted apps.

Hardened defense installations sit inside an unhardened society, where an ordinary bystander with a smartphone replaces an elite insider. Because the retail price of betrayal has collapsed into pocket-change fragments, each isolated task looks too trivial to report. Yet, taken together, they constitute a lethal targeting file.

Advertisement Advertisement

This is a cybercrime model applied to human subversion. Israel is the proving ground, not the exception. The same global platforms, crypto rails and human fractures run straight through Brooklyn, Los Angeles and Washington.

The evolution from the 2022 scandal of “Rambod Namdar,” an Iranian intelligence agent who posed as a Jewish man on Facebook to recruit female spies, to today’s automated funnels signals that the adversary now deploys mass social engineering attacks against the human operating system.

Now, the handler requires no lateral movement to breach a hardened network. Persistent access is maintained simply through everyday screen time. Subversion does not arrive as a foreign disruption; it operates seamlessly between the lines of standard notification protocols, allowing a routine afternoon of idle scrolling to become the ultimate payload.

Countering this statecraft-as-a-service model requires an algorithmic defense. The U.S. and Israel must deploy cross-platform web intelligence and high-velocity data aggregation to disrupt these behavioral steering funnels at the interface layer, mapping the threat topography before the first transaction clears.

Advertisement Advertisement

• Kevin Cohen is the CEO of RealEye, the head of cyber intelligence at Trident Group America and a regular contributor to The Wall Street Journal, the New York Post and The Spectator.

Story Topics