Tehran’s Looking for a Few Good Spies in Israel

Iran’s Islamic Revolutionary Guard Corps (IRGC) is running an espionage recruitment operation targeting Israeli military and government personnel, according to new research from FDD’s Center on Cyber and Technology Innovation. In contrast to previous Iranian espionage operations, which have cast a wide net to target as broad an audience as possible, this operation likely leveraged cyber espionage or breached data to identify specific targets based on past military or government service. The more sophisticated operation indicates the regime is now investing greater resources in its intelligence asset recruitment, which in turn will require greater counter-intelligence operations.

A More Targeted and Stealthier Campaign

On April 13, a former editor for an Israeli military newspaper received a personalized text message from a number simply labeled as “IRGC” urging the individual to “stand against the brutal and stupid acts of Netanyahu.” The message then provides a URL to a recruitment website where he could sign up as a “partner” of the IRGC.

Notably, the website has above-average operational security compared to other Iranian schemes. Common points of entrance for hacking, such as administrator login pages, are masked to avoid detection, the domain blocks search engine indexing to avoid appearing in searches, and the infrastructure relies on a Russian proxy hosting service, used by other Iranian actors, to mask its server.

Unlike most Iranian recruitment operations, there appears to be no significant influence operations component. Previously exposed Iranian operations have actively advertised themselves on social media platforms and messaging applications, and have headlined news sites. The lack of a psychological warfare component suggests this IRGC recruitment channel is reserved for high-impact targets.

Iran Recruits for Espionage, Sabotage, and Propaganda

Iranian intelligence agencies have been recruiting Israelis since before October 7, but Tehran scaled up these operations beginning in early 2024. Year-over-year, the pace of these operations has doubled or tripled. Iran has recruited dozens of Israelis — many from underprivileged or marginalized backgrounds — to carry out espionage and petty crimes to damage the Israeli public psychologically. In other cases, Iranian actors have recruited Israelis to surveil or threaten other Israelis working in sensitive roles.

Some recent operations have even succeeded in recruiting low-ranking soldiers or convincing those recruited to attempt sabotage or assassinations. One recently foiled operation successfully recruited an Israeli to create explosive devices to be used in assassinations against high-ranking Israelis. To date, however, Iran has not recruited Israeli personnel with access to sensitive intelligence or in senior roles. The new IRGC operation seeks to change that.

Thwarting Iran Requires Counter-Espionage Operations

The rising threat of Iranian infiltration has forced Israel to adapt. The Israel Police and Israel Security Agency have led PR campaigns to emphasize the risk of contacting Iranian intelligence officers and set up a new Israel Police unit to counter Iranian recruitment efforts. The United States, which itself is facing the specter of Iranian cyber and espionage operations, has lessons to learn.

In light of the more targeted nature of this new IRGC operation, the U.S. government should update data breach monitoring protocols for military and government personnel, investing in monitoring systems to detect data breaches online, identifying when they affect government personnel and enable early action to prevent Iranian actors from using the information to identify and target senior military and political figures.

Secondly, Washington should redouble its efforts to take down cybercriminal services and infrastructure that Iranian operations rely on. Taking down or seizing and sanctioning the platforms Iran uses to collect data, send text messages, and host websites would degrade Iran’s operational capabilities. The U.S. intelligence community could also use artificial intelligence to create hundreds of fake applicants to overwhelm Iranian handlers.

The United States has seen how Iran can carry out PR stunts with some exposed credentials and a bit of gumption. It is time to act to mitigate the exposure that enables Iranian cyber operations before they hit military and government personnel in America.

Ari Ben Am is an adjunct fellow at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where he focuses on emerging threats, influence and information operations, cyber operations, and hybrid warfare. Ethan Sheinker is an intern at CCTI. For more analysis from the authors and FDD, please subscribe HERE. Follow FDD on X @FDD, @FDD_CCTI, and @FDD_Iran. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.