Iran’s Dissenting Voices Are Being Targeted Online

Aspects of Tehran’s cyberwarfare apparatus are well known, but the groups currently hacking the country’s own citizens have flown under the radar

Iran’s Dissenting Voices Are Being Targeted Online
Protesters dressed as handmaids from “The Handmaid’s Tale” prepare for a march to the Iranian Embassy in London to highlight the repression of women in Iran. (Dan Kitwood/Getty Images)

On Jan. 3, the Islamic State group detonated two bombs in Kerman in Iran, targeting the memorial procession of the late Islamic Revolutionary Guard Corps (IRGC) Quds Force commander Qassem Soleimani. While global attention has focused on the Islamic Republic’s external response, at home the regime has used the attacks as a pretext to intensify political repression. By political repression, we refer to a range of actions, both clandestine and overt, aimed at detaining, torturing and silencing Iranian citizens who challenge the Islamic Republic and the IRGC.

The reaction to the Kerman bombings by ordinary Iranians was itself quite telling. Many took to social media to claim the attack as an “inside job,” highlighting the absence of Soleimani’s family members and senior IRGC commanders at the memorial procession. Others expressed criticism of Soleimani himself, while some even went as far as celebrating the attacks, which targeted the hard-line pro-regime constituency.

These online reactions captured popular resentment against the regime more than a year on from the “Woman, Life, Freedom” protests. While the regime was able to violently suppress these protests, the fundamental factors that brought people onto the streets have only gotten worse in the past 12 months. The Kerman bombings were another event for Iranians to coalesce around, and through which to express their suspicion of official narratives.

In other words, despite the current veneer of calm, the mood of mass dissent in Iran is still very much alive — and the IRGC, which controls the suppressive machinery, is well aware of this. Just 24 hours after the attack, the Islamic Republic’s attorney general gave the order to “identify and confront” those “manipulating the psychological security of society online.” And the IRGC has not hesitated to preemptively strike Iran’s population.

Since Jan. 3, thousands of Iranian accounts have been doxxed — their private or identifying information leaked on the internet with the malicious intent of embarrassing them and putting a target on their back — by the IRGC and its paramilitary Basij militia on social media platforms such as Telegram and “X” (formerly Twitter). Hundreds of young Iranian citizens have subsequently been detained.

Over the past few decades, the IRGC has developed a multifaceted online apparatus, from well-known cyberwarfare units such as “Charming Kitten” to shadowy entities designed for psychological warfare operations. While there has been a lot of attention on the former from external audiences, the latter, which are responsible for the current doxxing operation, have largely operated under the radar. There are several entities, all tied to the IRGC, at the forefront of the ongoing suppression campaign that are virtually unknown to Western authorities, and to many Iranians for that matter.

The first of these, the Basij Cyberspace Organization, falls under the auspices of the IRGC’s domestic militia, the Basij. The Basij has been involved in psychological warfare since the early 2000s, with the IRGC delegating responsibility for the ongoing “soft war” — which it defines as a cultural war waged against the regime by the West to undermine Islamic ideology — to its paramilitary force, while it remains preoccupied with external hard-power threats. With domestic dissent surfacing throughout the mid-2000s, the IRGC ordered all Basij headquarters at the local level to form “psychological operation” teams and cells — a strategy that began to take shape across various Iranian provinces from 2007-8 onward. The IRGC then began experimenting with doxxing operations online. To expose dissidents, for example, the Basij engineered deceptive websites and encouraged anti-regime conversations as bait to identify dissenting Iranians — an operation that would informally involve senior IRGC intelligence commanders like Gholam Hossein Ramazani, who is elusive and whose name is rarely mentioned in public.

The establishment of the Basij Cyberspace Organization in 2017 as a separate arm of the Basij underscored the priority the IRGC was giving to the internet. The organization’s actions are twofold: undertaking nefarious online operations and supporting the radicalization efforts of the IRGC by creating online apps and games. For example, through the production of online games such as Single Shooter and Shadow Commander, the organization has sought to glorify and promote the IRGC Quds Force’s militant activities across the region. In these games, players take on the roles of characters from IRGC, such as Soleimani, and participate in missions to fight against Americans or Israelis in ways that are similar to fighting “enemies” in Call of Duty. Last week, the organization held its fifth national exhibition for “digital content production,” which was attended by senior IRGC commanders.

The Basij Cyberspace Organization has several branches, the most important of which is the “Popular Cyber Network” (or “Shamsa” network). Shamsa specializes in launching major disinformation and doxxing campaigns against domestic and foreign-based “threats” to the regime. Its members are specifically trained to monitor social media networks, identify active regime enemies online and engineer coordinated attacks against them. This can range from manufactured smear campaigns to doxxing operations to identifying anti-regime Iranians — at home and abroad — as is actively being undertaken today. They deliberately focus on political figures, for example aiming to damage the reputation of Iranian opposition figures by disseminating negative, incorrect or misleading details about their lives and communications. Altering images with Photoshop and circulating unfounded information about people they target are typical examples of such strategies. As Ruhollah Momen Nasab, the former deputy head of the Basij Cyberspace Organization, asserted live on Iranian state TV in March 2022, “We would create similar but fake accounts under the name of influential and anti-regime people on Twitter and start our activities with them.” The purpose of these tactics is first and foremost to divide and alienate Iranians from each other, and to push anti-regime Iranians abroad out of social media, or at least divert them away from politics.

The second shadowy organ driving the Jan. 3 doxxing operation is directly under the IRGC’s command: the Seraj Cyberspace Organization. Established in 2013, Seraj operates as a headquarters and umbrella organization tasked with recruiting, training and mobilizing pro-regime internet users to conduct psychological operations for the IRGC and the regime more broadly. These include trolling campaigns on social media, spreading disinformation and misinformation online, trending pro-regime hashtags and engineering divisions among the Iranian opposition. To do so, Seraj has developed and expanded an initiative first launched by the Basij paramilitary organization to increase the IRGC’s human capacity online — the so-called “soft-war officers” (“afsaran-e jang-e narm”). The outbreak of anti-regime protests in Iran saw Seraj’s “soft-war officers” significantly increase their online psychological warfare operations. For example, during the peak of the 2022 nationwide anti-regime protests triggered by the death of 22-year-old Iranian-Kurdish woman Mahsa Amini in police custody, Seraj deployed its forces to undermine the global hashtag #MahsaAmini by trending similar hashtags but with minor incorrect spellings, disrupting the original’s reach and thereby distorting the dissemination of news. Like the Basij Cyberspace Organization, Seraj is also involved in the IRGC’s radicalization efforts through the creation of apps, online content and games as a means to nurture its ideology. It has been particularly active in promoting compulsory hijab enforcement for young girls through an app it produced called “heavenly girls” (“dokhtaran beheshti”).

Having relied on the Basij’s apparatus for cyberspace activities for decades, the formation of Seraj marked the IRGC’s first major direct intervention in soft-war operations. Seraj itself is inextricably linked to the IRGC’s intelligence apparatus, operating as a de facto front for the IRGC’s Intelligence Organization. The nature of this relationship would be exposed during the inauguration ceremony of Seraj, which was attended by Gen. Hossein Nejat, deputy leader of the IRGC’s Intelligence Organization at the time, who rarely operates publicly. Running covert suppression activities against the Iranian population is part of Seraj’s DNA.

The final group involved in the ongoing doxxing operation is perhaps the most rogue, even by the standards of the IRGC. It is being led by an individual informally linked to the IRGC, Ali Akbar Raefipour, and his organization, the Masaf Institute.

Raefipour can best be described as an antisemitic conspiracy preacher and IRGC-linked indoctrinator, who has introduced and nurtured a new strand of radicalism across Iran’s Islamist constituency. The core tenets of the worldview promoted by Raefipour are rooted in antisemitic conspiracy theories about global Jewry, Freemasonry, Holocaust denial and the Shia Islamist apocalyptic doctrine of Mahdism. While conspiracy theories have been an aspect of the clerical regime since its inception, Raefipour took this to a new level, creating an entirely new phenomenon in Iran. The speed at which his message and following grew among young Basij members — due to combining the new form of radicalism with technology previously unseen in Iran — would result in the IRGC unofficially co-opting Raefipour and allocating him funds to set up an organization to radicalize, organize and train the millions of Basiji followers who were at his beck and call.

That organization, the Masaf Institute, was founded in June 2011. The activities of the Masaf Institute (which literally stands for Struggle against Zionism, Humanism and Freemasonry) range from propaganda initiatives — including sponsoring the annual state-backed International Holocaust Cartoon Competition — to developing pro-regime cyberarmies and engineering coordinated attacks against Iranian dissidents. Raefipour initially started his career on the fringes of the regime, with many senior regime officials sneering at his theatrics, which were regarded as ludicrous even by the standards of the Islamic Republic. However, the increasing “dumbification” of the regime would open the door to Raefipour’s rapid rise. (What we call the “dumbification” started with the deliberate replacing of the old cohort of technocrats in state bureaucracy with a younger, less-experienced and more deeply ideological generation of pro-Khamenei hezbollahis, and came as a result of Khamenei’s 2019 manifesto, or the Second Phase of the Islamic Revolution, which removed all traces of “meritocracy” and gave full precedence to extreme ideological commitment over qualifications or expertise.)

The jostling for power and relevance paid off for Raefipour, as exemplified by the fact that the Masaf Institute, which began with low-quality trolling, is now actively participating in coordinated online doxxing operations alongside the IRGC’s formal psychological warfare apparatus. Firsthand accounts of Iranians imprisoned after being doxxed only three days after the Kerman bombing reveal the Masaf Institute’s hand, with detainees underlining that the regime has entrusted Raefipour’s organization with “the creation of dossiers against Iranian online users.” Upon his release, one detainee highlighted that his interrogators had “200-300 printed pages of my tweets … and a significant chunk of this related to my criticism of Raefipour.”

Since Jan. 3, these three shadowy entities — the Basij Cyberspace Organization, Seraj and the Masaf Institute — which overlap and whose members can work for more than one entity at the same time, have been spearheading an ongoing coordinated doxxing campaign against dissenting Iranians in tandem with the IRGC’s Intelligence Organization. This has led to the private details of thousands of Iranians critical of the regime being published online — including home and workplace addresses, family photos and even telephone numbers — resulting in their detention by the IRGC. The ongoing doxxing operation has brought the IRGC’s violent suppression from the streets to the internet — and has only made an already chilling environment more scary for ordinary Iranians, as they watch what they say online and in person. While there has been a lot of attention on the IRGC and Basij’s cyberterrorism abroad, this domestic component has, until now, been overlooked.

“Spotlight” is a newsletter about underreported cultural trends and news from around the world, emailed to subscribers twice a week. Sign up here.

Sign up to our newsletter

    Will be used in accordance with our Privacy Policy