Iranian bots are targeting critics in the diaspora with a phishing campaign despite an internet shut down in the country, campaigners have claimed.
Nariman Gharib, who investigates the cyber attacks and spying operations of the Islamic Revolutionary Guard Corps, warned of WhatsApp messages containing “suspicious links” and invitations to meetings.
He said IRGC intelligence "has initiated a phishing campaign targeting individuals abroad who are involved in Iran-related activities. The current attack specifically targets WhatsApp users. Do not click on suspicious links,” he wrote on social media.
Mr Gharib showed WhatsApp messages from an unknown number inviting him to join an online meeting through a link and QR code. When the user scans the QR code, it gives the attacker full access to their WhatsApp account.
Critics of the regime who live overseas can then be targeted or arrested if they head back to Iran, while their relatives in their homeland might be blackmailed or harassed. Attacks on prominent critics of the Iranian regime – such as journalist Pooria Zeraati, who was stabbed outside his London home in 2024 – are not unknown.
The cyber attacker also requests browser permission to use the targeted phone’s camera and microphone in a bid to upload information, as well as to track the phone’s geolocation.
“The attacker can toggle these remotely,” Mr Gharib wrote. The National could not immediately verify the claims that those behind such a phishing campaign are able to gain access to a mobile phone's camera and microphone.
Iran imposed a near-total nationwide internet shutdown last week in response to the widespread anti-government protests.
At least 2,000 people have been killed during the demonstrations so far, according to regime figures, but rights groups have put the death toll as high as 12,000, most of them demonstrators.
The IRGC is suspected of operating an army of fake news bots intended to sow discord in the Europe and the UK by manipulating online debate. A network of social media accounts posing as Scottish independence supporters fell silent at the time of Iran's internet crackdown, according to the UK Defence Journal, "reinforcing evidence" that these accounts could be traced back to Iran.
Iranian cyber attackers have been known to develop sophisticated phishing campaigns to target dissidents, creating complex but fake online personas to develop trust with a target.
A well-known attacker is the fake social media persona Sara Shokouhi, who targeted female protesters, political activists and human rights advocates during the Women Life Freedom protests in 2022.
Attackers pretended the persona was affiliated to the US-based Atlantic Council, to gain trust from victims over several weeks before attempting to steal credentials or deploy malware, a cybersecurity report by the Canadian government in 2022 found.
Activists in London told The National how they were being extra vigilant about messages from unknown numbers that they receive on their phones.
Meta, the company that owns WhatsApp, has been contacted for comment.
