The Iran-Israel Conflict: Dark Web Trends Following Iran’s Attack
About a month ago, Iran launched an unprecedented strike on Israel, deploying hundreds of drones and missiles in retaliation for the assassination of a senior Iranian official—a strike attributed to Israel. As is typical with significant geopolitical events, deep and dark web networks surged with discussions immediately afterward. These networks have become integral in modern warfare today.
Even before delving into these digital spaces, a notable surge was evident in daily average posts, comments, and messages featuring keywords associated with Israel and Iran, mainly within the context of Iran’s attack on Israel.
In this article, we take a broader perspective, summarizing the distribution of discourse on Iran’s attack on Israel across deep and dark web networks. Notably, platforms fostering extensive user interaction, including alternative social networks, imageboards, and the widely used chat network Telegram, emerge as prominent hubs for discussion.
Our cyber team utilized Lunar to analyze these discussions, categorizing them based on the trends they identified.
Deep and dark web trends stemming from the Iranian attack
#1: Escalation of extreme and adverse discourse online
Not surprisingly, geopolitical conflicts inherently produce a lot of hate speech. We saw an increase in the amount of extreme discourse against Israel and against Jews in general right after the attack.
One discussion that caught our attention came from the 4chan imageboard website, where numerous threads featured Iranians saying that Iran will not hesitate to employ nuclear weapons to eliminate Israel. Here is a screenshot that shows one of those threads:
Furthermore, we observed extensive discussions, including on dark web forums, where users discussed the Iranian attack, analyzing potential outcomes and even expressing concern about the onset of a third world war because of it. This screenshot shows examples of posts that highlight this concern:
It’s worth noting that the Iranian regime may be involved in fostering such discussions. An example of this occurred in a Telegram group named after a term — “True Promise” in English — used in Iran for this Iranian attack, where Iran purportedly warned Israel against responding to their attack.
#2: Distribution of misinformation and fake news
Many videos were shared among Telegram groups shortly after the attack, some of them fake. These videos aim to make fun of Israel, showing panic that prevails in the public. You could confirm that the videos were not taken that day, but during demonstrations where people were running and shouting – which can simulate panic among the public. Other videos show people panicking over a fire that happened or ambulances going around them — neither are in the context of the Iranian attack.
There were reports circulating on the net about many massive hits in Israel, along with videos that showed flashes of light explosions in the sky – which in reality turned out to be relatively minimal physical hits.
#3: Increase in cyber warfare by Islamic hacktivist groups
Our analysis reveals a sharp and consistent rise in Islamist hacktivist activity since the Iranian attack, mirroring the previously reported surge in group activity and scope during the Hamas-Israel conflict. Israel continues to be a key target for these groups, the country enduring a relentless stream of cyberattacks.
These assaults include:
- Disruptions aimed at halting activity on Israeli websites and systems, like DDoS attacks.
- Endeavors to pilfer sensitive data concerning public and private entities, Israeli citizens, and IDF personnel.
SYLHET GANG-SG, a hacker group that holds anti-Israel sentiments and operates independently from Iran, claimed responsibility for disrupting the water supply system of Haifa, a major city in Israel. The attack in Haifa coincided with the onset of the Iranian attack. The group explicitly stated their support for Iran in executing the nefarious operation. However, it’s crucial to highlight that this attack has not been officially acknowledged or confirmed by Israeli authorities.
It’s worth noting that many hacker groups on the dark web claiming responsibility for cyberattacks against Israel may not necessarily have ties to Iran but show their support to it.
#4: Iranian internal resistance against the attack
Zooming in on the Iranian narrative, we encountered oppositional perspectives across the deep web. Among Iranian residents, there were those who expressed dissatisfaction with the regime’s decision to execute a substantial attack against Israel using a combination of missiles and drones. They argued that such a strike inflicted further damage on Iran’s already fragile economy.
For instance, a Telegram group contended that the attack ultimately burdened citizens, leading to a depreciation of the Iranian currency. They also deemed the attack futile, asserting that it failed to yield any significant outcomes.
Another intriguing example of resistance comes from a Telegram channel linked to an Iranian hacker group known as “LabDookhtegan” (translated as “Read My Lips” in English). This group, in opposition to the Iranian regime, aims to gather additional information about the unit behind the Israel attack. They may intend to employ this information for doxxing or potential cyberattacks, motivated by their belief that the Iranian assault on Israel was a misallocation of funds.
Geopolitical events stir up more activity on the dark web
As you can see, geopolitical events like Iran’s recent strike on Israel led to increased nefarious activity on the dark web. Immediately after the event, threat actors spread misinformation and fake news, and online discourse became more extreme. Islamic hacktivist groups increased their cyber warfare activities while some Iranian citizens voiced opposition to the regime’s decision to launch the strike. Governments and law enforcement agencies need to track threats amid growing global tensions and regional conflicts — and Lunar helps them do that. With Lunar, organizations can monitor dark and deep web activity, taking steps to mitigate the damage from the actions of criminal organizations and individual threat actors.
