Cyber-Terrorism Desk Monthly Trend Report: January 2026
The Cyber-Terrorism Desk at the International Institute for Counter-Terrorism (ICT), Reichman University, focuses on the intersection of terrorism and cyberspace. It provides analysis and insights into how terrorist organizations exploit digital platforms for influence, propaganda, recruitment, psychological warfare, fundraising, and cyber operations. The desk monitors emerging trends in online radicalization, information warfare, and hacker activity, providing timely research to support global counterterrorism efforts.
Iran & Proxies
Iran’s information warfare during the December 2025–January 2026 protests and its continued influence on Israel and the West
During the December 2025 to January 2026 protest wave in Iran, the regime has intensified its information warfare and influence efforts against Israel and Western audiences. As unrest driven by economic factors expanded, regime-affiliated online media promoted a consistent narrative that characterized the protests as foreign-orchestrated destabilization rather than authentic domestic demonstrations.
Regime-affiliated Telegram channels demonstrated a phased approach that included initial acknowledgment of economic grievances, which was rapidly replaced by attributing blame to the United States and Israel. This was followed by the construction of a “victory” narrative and the reframing of protests as elements of an external conflict.
Simultaneously, the Iranian influence machine continued to sow division in Israel and the United States through Hebrew-language and English channels.
Iran and its proxies intensified AI-driven propaganda in January amid widespread protests and concern over a U.S. attack, emphasizing the need for security analysts and policymakers to recognize these tactics.
Since late December 2025, Iran and its proxies have employed advanced AI techniques such as deepfakes, generative adversarial networks (GANs), and natural language processing to create videos and images on social media for psychological warfare. They aim to deter possible U.S. attacks through intimidation, portraying Iran as superior and depicting the damaging consequences for the other side.
The ability to rapidly produce high-quality AI-generated videos and media enables wide, fast, and repeated distribution. This capability is accessible not only to regime organizations but also to Iranian proxies and affiliated channels, highlighting the need for collaborative efforts to counter such threats.
The use of AI is not confined solely to intimidation or psychological warfare. It is also designed to shape internal perceptions and influence narratives toward different target audiences.
Countering this phenomenon constitutes a significant challenge and requires compliance and active cooperation from social media platforms, mechanisms that, at present, largely do not exist.

Example: An AI-generated video published on TikTok shows a giant hand in Iran’s flag colors rising from the sea toward a U.S. warship, using exaggerated scale and symbolism to project power, intimidation, and confrontation.

Example: An AI-generated propaganda image, shared on a pro-Iranian hacker group’s Telegram channel, depicts a burning city scene with a Jewish Menorah. The image shows flames and widespread destruction, accompanied by threat messages in multiple languages, intended by pro-Iranian media and hacker networks to intensify intimidation and psychological warfare.

A pro-Iranian hacker alliance actively defends Iran during protests, highlighting its role in safeguarding national interests, which can reassure the audience of Iran’s cyber resilience.
Led by the hacker group Islamic Cyber Resistance, a pro-Iranian hacker group alliance claimed it protected Iran during a wave of cyberattacks following the riots. The group stated, “Your brothers in operational and intelligence units are monitoring any attempts by groups and individuals to attack Iran or support the protests. We will not tolerate any attack or action. Our enemies should expect our reactions if they attempt to do so.” The groups also published official statements. The Iraqi 313 hacking team, for example, stated, “If there is an attack on the Islamic Republic of Iran, we are prepared to strike sensitive Israeli servers at the same time. Iraqi Cyber Resistance,” emphasizing the groups’ readiness to defend Iran and its interests.
The alliance calls itself the Islamic Cyber Resistance Axis, a name commonly used for Iranian proxies. Its members reportedly include the 313 team, Holy League, Tharulla Brigade, Conquer Electronic Army (C.E. Army), Cyber Fatach Team, and others, as listed in a Telegram file to which they all belong. However, available evidence does not clarify whether the alliance has a defined internal hierarchy, decision-making structure, or coercive relationships among its groups.
Such an alliance serves as a force multiplier in attacks, enabling the hacker groups to organize and leverage each team’s tools and capabilities. While this coordination enhances their operational reach, the extent of their technical sophistication, resource availability, and ability to sustain long-term campaigns remains uncertain.
The extent of other alliances of this kind is not clear. However, Iran has a vast capacity of hacker groups working under its umbrella or independently. This strategy allows Iran to focus on internal crises and defense, while these online proxies assist in both offensive and defensive operations.
Pro-Iranian and Pro-Hamas Hackers continue cyber war against Israel: selected attacks

C.E. Army Claims Series of Cyberattacks Against Israeli Government, Political, and Religious Websites
In January, a pro-Iranian hacker group identifying itself as C.E. Army claimed responsibility for a series of cyberattacks against Israeli targets under the title “The Battle of Olya Bass within the War of the Promised End Times.” The group framed the activity as part of a broader ideological campaign.
According to its statements, C.E. Army allegedly attacked websites linked to Israeli government bodies such as the Ministry of Agriculture, Israeli political parties, and religious movements.

The Iranian hacker team Handala claims it hacked a Mossad agent in Iran
The Iranian Handala Hacking Team announced the release of a new hack targeting Mehrdad Rahimi. The group alleges that a so-called Mossad agent named Rahimi served as a guiding officer for Iranian agents within Mossad’s Iran Desk and assisted in organizing networks associated with the protests in Iran. According to Handala, Rahimi coordinated operatives, facilitated communications, and supported activities against Iran. The group further claims that Rahimi was under continuous monitoring and infiltration, including by Handala.

The Children of Gaza hacker group claims a cyberattack against several Israeli companies.
The Children of Gaza Hacker team claimed a cyberattack against several Israeli companies, naming Skynet Cloud Computing Ltd., Daniel Paz (DPaz), and Cardinal Tours.

Fastattacker hacker group claims a cyberattack against Israel’s healthcare sector.
The Fastattacker hacker group claims a cyberattack against Israel’s healthcare sector, alleging unauthorized access to data linked to Clalit Health Services, including purported information related to medical staff and patients. The message frames the incident as a warning and references the potential sale of data, though no independent verification is provided.
Hamas

Hamas-linked Telegram channels are used to report alleged collaborators, deter actions against the organization, and share operational security instructions, highlighting their strategic importance for security monitoring.
Two Telegram channels associated with Hamas have been active in supporting the organization in Gaza amid the ongoing conflict and broader efforts to delegitimize and disarm Hamas.
The first channel, operating under the name “Deterrent” (رادع), issues warnings and deterrence messages against collaboration with Israel and the Palestinian Authority, reinforcing operational security.
The second channel, operating under the name “The goalkeeper” (الحارس), provides safety guidance, including instructions on information protection, social media use, movement within Gaza, and espionage awareness. Deterrence messaging is reinforced by visual cues indicating severe consequences for collaborators.
Collectively, the content of these channels reflects the current environment facing Hamas in Gaza. While this activity does not necessarily indicate a breakdown in formal command-and-control structures, it suggests that Hamas’s ability to exert control and influence at the street level has diminished compared to previous periods.

Entering the second phase of the ceasefire agreement: Hamas’s intensified online campaign
Since the ceasefire agreement came into effect, Hamas has shifted its online campaign toward accusing Israel of violating the terms of the agreement, highlighting the importance of strategic messaging to the audience.
Simultaneously, Hamas aims to sway Arab states by framing the situation as evidence of its essential role in protecting Palestinians, mirroring Hezbollah’s approach after its ceasefire with Israel.
A possible outcome of this trend is increased political pressure on Israel, strengthening Hamas’s political position, and deepening the difficulty of maintaining a stable ceasefire, as a continued narrative of “violation” may serve as a basis for justifying the renewal of the conflict in the future.
Global Jihad
Islamic State supporter on RocketChat discusses uncensored AI as a tool to plan a terror attack.
An Islamic State supporter posted content promoting the use of so-called “uncensored AI” tools, claiming they could be accessed anonymously and used to obtain guidance on producing weapons and conducting attacks, specifically mentioning Trump Tower in the U.S. The user described testing the AI with hypothetical scenarios involving large-scale explosive attacks against symbolic targets, asserting that such systems would provide detailed, technical responses assessing destructive potential and structural collapse.
This discussion reflects a broader trend within extremist online spaces: the use of AI technologies and the belief that emerging tools can be leveraged to support or justify large-scale terrorist attacks. In April 2025, an individual identified as an Islamic State supporter discussed an AI-based cyber defense system. The user framed the technology as a tool for protecting members from surveillance, tracking, and hacking attempts targeting computers, mobile devices, and digital identities.
This discourse highlights how extremist supporters increasingly conceptualize cybersecurity and artificial intelligence within a broader narrative of digital conflict, blending defensive language with aspirational offensive capabilities.
Terrorism Financing in Cyberspace
Terrorist entities are increasingly using Telegram Stars to fund their operations.
Terrorist entities increasingly use a Telegram-based payment system, called Stars, as an alternative financing method. Unlike cryptocurrency wallets, Stars work directly within Telegram. This allows payments to be embedded in posts and engagement features.
Terrorist entities such as the Handala hacker group have solicited payment for leaked data through Stars. Channels affiliated with Hamas, such as the “Gaza Now” channel, have similarly used Stars to solicit donations. The Islamic Revolutionary Guard Corps is integrating a donation option into most posts on its Telegram channel.
The adoption of Telegram Stars shows adaptation to pressure on traditional terrorist financing. As banks, crowdfunding platforms, and major cryptocurrency services face stricter regulation, extremist actors look for new and accessible solutions. They exploit gaps between content moderation, financial compliance, and jurisdictional enforcement. This trend highlights the need to expand counter-terrorist financing frameworks beyond traditional intermediaries and to include the quick suspension of platform-based payment features linked to terrorist organizations.
