Iran Unleashes Cyber Campaign To Expose Dissident Accounts

An illustration of a man in front of the Islamic Republic’s flag

The Islamic Republic of Iran has launched a targeted campaign on X (formerly Twitter), with cyber agents revealing the identities of anonymous dissident users.

As part of the online campaign, several people were arrested in what appears to be a broader intimidation effort against those critical of the regime. Despite widespread reporting and warnings about the severity of the matter, the accounts of Iran’s cyber agents behind such actions remain active.

No one knows how the regime agents uncover anonymous users' identities and expose them on social media, or send messages to them to silence them. It could be the result of a vast and sophisticated intelligence operation, where accounts are scrutinized for clues, and detailed cross-referencing leads to identifying users. Also, individuals who use Iranian social media platforms expose their personal information to the government, which controls these platforms.

The so-called "cyberies" employ various methods, with one of the most commonly used techniques being the creation of simple trends, such as "share a black&white photo of yourself" or "what is difficult about your job?". In these trends, individuals innocently share photos or details about their lives, unwittingly assisting in the identification of their accounts.

Another method involves the use of paid accounts on X, which allow calls to Application Programming Interfaces (APIs). Calling APIs allows the X user to access servers and retrieve all data on individuals interacting with his or her posts, which helps narrow down information to identify the actual person behind the account. According to IRGC’s Basij paramilitary chief Gholamreza Soleimani, there are a significant number of these cyber units; he stated in 2021 that there were "3,500 cyber battalions" supporting the regime online. Additionally, Iranian applications used for everyday activities like banking services and online shopping serve as another key source of information.

“The Islamic Republic’s accounts used in this campaign have been reported to X by thousands of people alongside warnings about the gravity of the matter,” read a post by the activist account 1500 Tasvir, which runs popular Instagram and Twitter accounts. Highlighting that the failure to deactivate these accounts directly endangers Iranian lives, the group said, “Nevertheless, all of these accounts are still active in pursuit of this nasty act of oppression.”

For years, the Islamic Republic has blocked Twitter for Iranians while exploiting the platform for its propaganda, with senior officials and leaders openly, yet hypocritically, using it. Millions of Iranians are paying monthly fees for VPNs to skirt the blocking of X and other platforms.

However, recent developments indicate the regime is now using X as a tool to help identify, interrogate and consequently detain dissidents. Addressing tech tycoon Elon Musk, the owner of X, 1500 Tasvir said that the Islamic Republic has “weaponized” the platform into a tool of suppression.

Sample posts by the Islamic Republic agents exposing the identities of dissident accounts

An Iranian online activist told Iran International that the regime's cyber agents exposed her identity after she posted criticisms of the Islamic Republic's propaganda campaign regarding the twin blasts in Kerman. Despite exercising caution to avoid sharing personal information online, the activist revealed that the cyber agents went ahead and disclosed her identity, hometown, educational history, and workplace, warning her that she is under the regime's watch.

Earlier in the week, the Prosecutor's Office in Yazd province announced the arrest of an individual for posting messages on X regarding the Kerman explosions and casualties. The account holder was identified by the cyber agents of the Intelligence Ministry and was transferred to prison. The Prosecutor's Office has accused the individual of having ties to Israel and alleges that they "published insulting tweets about the martyrs of Kerman."

Also on Friday, Iran’s prosecutor-general threatened legal action against individuals publishing norm-breaking content about the twin bombings in Kerman. The bombings targeted a large public gathering commemorating Qasem Soleimani, the late commander of the IRGC's Quds Force, who was killed by a US drone strike in January 2020. Nearly 90 people were killed in the incident and 284 were injured.

Despite the warning, numerous individuals have taken to social media to express their dissatisfaction with the government's perceived inadequate security measures leading to the deadly incident in Kerman. Critics argue that the failure to ensure the safety of public gatherings resulted in this deadly attack.

Another victim of the new intimidation campaign was Nasrin Shakarami, whose 16-year-old daughter Nika was found dead 10 days after she left home to take part in an anti-government protest on September 20, 2022. The cyber agents threatened to disclose her home address in the city of Karaj, near the capital Tehran. They said they would take her from her home, force her into a naked walk of shame around town, and kill her. Shakarami had published a post after the Kerman incident, asking why none of the senior officials, or even the family members of Soleimani, were attending the ceremony at his burial site.

As a countermeasure, Iranians have launched a campaign to raise global awareness about the exposures through the hashtag #BanTerroristAccounts. Dissidents plead for support in reporting government accounts revealing personal information, emphasizing the life-and-death stakes for those affected. Individuals and organizations are urged to join the global effort to shed light on the critical issue and shut down government-affiliated accounts using the hashtag.