Introduction: The New Battlefield
In the early hours of March 1, 2026, as joint US-Israeli military strikes—dubbed "Operation Epic Fury"—pounded Iranian military installations, a different kind of warfare was being waged silently across server racks and fiber-optic cables. While missiles fell on physical targets, digital commandos were breaching firewalls, hijacking mobile applications, and disrupting financial flows from Tel Aviv to Tehran. The long-predicted convergence of kinetic warfare and cyber conflict has arrived in the Middle East, and it is proving to be a double-edged sword for all parties involved.
The current escalation, triggered by the death of Iranian Supreme Leader Ayatollah Ali Khamenei and subsequent US-Israeli strikes, has unleashed a torrent of cyber activity. However, contrary to the fearsome reputation of state-sponsored hacking groups, the digital battlefield has revealed surprising asymmetries. On one side, pro-Israeli operatives have demonstrated a stunning capability to physically degrade Iranian infrastructure. On the other, Iranian-backed hacktivists have largely resorted to disruption and propaganda, though not without causing significant economic jitters across the Gulf.
This article explores the major cyber incidents targeting parties involved in the Iran-US-Israel conflict, detailing the specific companies and institutions caught in the crossfire and analyzing what this means for the future of modern warfare.
The Opening Salvo: US and Israeli Cyber Dominance
The current conflict did not begin with a bomb, but with a click. According to General Dan Caine, Chair of the Joint Chiefs of Staff, US Cyber Command was one of the "first movers" in the early phases of the war, tasked with disrupting Iranian communications and military coordination before the first sorties were launched.
This digital pre-emption was followed by a wave of highly symbolic and damaging attacks targeting the Iranian public's trust in their institutions.
The Hijacking of BadeSaba
One of the most ingenious attacks targeted not a military installation, but the spiritual lives of Iranian citizens. BadeSaba, a popular Iranian prayer and religious calendar app downloaded over 5 million times, was reportedly hijacked. Users opening the app were greeted not with daily prayers, but with messages stating, "The time of reckoning has come," and urging members of the Iranian armed forces to surrender and join the people.
This attack was particularly potent because it penetrated the echo chamber of regime supporters. Hamid Kashfi, a security researcher and founder of DarkCell, noted that targeting BadeSaba was a strategic masterstroke, as the app is predominantly used by government supporters and the devoutly religious—demographics typically loyal to the establishment. By turning that tool into a vessel for dissent, the attackers sowed confusion and broke the regime's monopoly on information.
Media Blackouts and Propaganda
Simultaneously, pro-regime news agencies were compromised. Iranian television stations briefly lost control of their broadcasts, which were replaced with videos of US President Donald Trump and Israeli Prime Minister Benjamin Netanyahu. Internet monitoring firms like NetBlocks reported that Iranian connectivity plummeted to just 1% of pre-attack levels, a digital siege intended to limit Tehran's ability to coordinate a response and control the narrative.
The Economic Front: Gulf States in the Crosshairs
While US and Israeli forces were on the offensive against Iran, the conflict quickly spilled over into the broader region, particularly the wealthy Gulf states. Iran has long threatened to target US interests in the Gulf, and the digital domain offered a way to make good on those threats without triggering a direct military response.
Between February 27 and March 2, 2026, cybersecurity firm CloudSEK logged coordinated cyber disruption attempts against ten financial institutions. The targets included major banks in Saudi Arabia, Jordan, and Israel, as well as seven aviation and logistics entities, government ministries, and telecoms providers.
The AWS Data Center Incident
The fragility of the modern, interconnected economy was exposed when an Amazon Web Services (AWS) data facility in the UAE reported a fire after being struck by "objects." While the physical cause was separate from hacking, the incident highlighted the vulnerability of digital infrastructure.
In the days following, residents across the UAE reported intermittent disruptions to online and phone banking services. While officials remained tight-lipped about the specific cause, cybersecurity experts pointed to a wave of distributed denial-of-service (DDoS) attacks claimed by hacktivist groups such as the 313 Team, DieNet, and Liwa Thar Allah. These groups, galvanized by the death of Khamenei, posted threats on Telegram channels against Israel, Jordan, the US, Saudi Arabia, the UAE, and Kuwait.
DDoS vs. Destruction
However, experts caution against conflating disruption with destruction. Shashank Shekhar of CloudSEK described the activity as a "co-ordinated, narrative-driven disruption campaign" rather than a confirmed systemic compromise. The goal of these attacks was not to steal money or destroy data, but to create a public perception of vulnerability. By targeting high-visibility sectors like banking and aviation, the hacktivists aimed to undermine confidence in the stability of Gulf nations.
Vibin Shaju of Trellix noted that while external-facing services like banking apps may have slowed or failed, the core operational technology of Gulf critical infrastructure remained resilient due to massive investments in cybersecurity over the past five years. "What makes the news is the short-term disruption," Shaju said. "What organisations should worry about is the persistent, targeted attack that stays silent for months."
The Ghost of Predatory Sparrow: Devastation in Iran
While Iranian-backed groups were launching noisy but superficial DDoS attacks against Gulf banks, pro-Israeli hackers were engaged in a far more destructive campaign deep inside Iran. The most prominent actor in this space is a group known as Gonjeshke Darande, or "Predatory Sparrow."
This group has a history of audacious attacks, including paralyzing Iran's national railway system in 2021 and triggering fires at a steel mill in 2022. However, their operations in mid-2025 and early 2026 represent a quantum leap in the destructive potential of cyber warfare.
The Bank Sepah and Bank Pasargad Breaches
In late June 2025, Predatory Sparrow claimed credit for a devastating cyberattack on Iran's state-owned Bank Sepah. The bank is a critical financial institution that services Iran's armed forces and facilitates payments to suppliers abroad. The attack knocked out online banking services and ATMs, disrupting the financial backbone of the military apparatus.
Simultaneously, Bank Pasargad was hit. The results were catastrophic. Bloomberg confirmed that the attacks rendered data "damaged and unusable" by targeting hardware in data centers. At least one technology firm in Iran was unable to pay its employees for a month as a result. The primary technology vendor for both banks, the Iranian firm Dotin, described the breaches as "incomparable to any past cyberattacks in the country."
The Nobitex Heist: Destroying Money
Perhaps the most financially devastating attack was the breach of Nobitex, Iran's largest cryptocurrency exchange. In June 2025, pro-Israel hackers drained more than $90 million from the platform's wallets. However, the attackers were not motivated by greed.
According to blockchain analytics firm Elliptic, the stolen funds were sent to cryptographic addresses that the hackers likely could not control. This suggested the money was intentionally "destroyed" as a symbolic act rather than stolen for profit. The wallets receiving the funds bore anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC). A subsequent report from the Wall Street Journal put the figure closer to $100 million, noting that the attack forced the platform to shut down entirely.
The Silence of the Iranian Lions: A Failure to Retaliate?
Given the severity of the attacks on Iranian soil, a massive cyber response from Tehran was widely anticipated. Yet, in the opening days of the 2026 conflict, it never came. Alexander Leslie, a threat analyst at Recorded Future, noted that the number of active pro-Iranian hacking groups had dwindled from over 130 during the 2025 conflict to a mere 17. "The Iranian groups we track have gone almost entirely dark," Leslie said.
Theories for the Digital Quiet
Several theories have emerged to explain Iran's muted response.
1. The Internet Blackout: The most immediate explanation is the drastic internet blackout imposed by Tehran. With connectivity slashed to near-zero, it became exceedingly difficult for hackers inside Iran to exfiltrate data or command and control botnets.
2. Pre-emptive Disruption: US Cyber Command's role as a "first mover" may have successfully degraded the command-and-control infrastructure of Iranian cyber units before they could be mobilized.
3. Exaggerated Reputation: There is a growing consensus among security researchers that Iran's cyber capabilities have been historically overstated. Hamid Kashfi, an Iranian expatriate researcher, argues that Iranian operators hyped their capabilities to spread fear, and Western security firms played into those concerns to sell products. The reality, he suggests, is that Iran's tactics have remained relatively stagnant and unsophisticated.
The Espionage Backend: "SmudgedSerpent"
However, the lack of disruptive attacks does not mean Iran has been inactive. In the shadows, Iranian intelligence agencies continue to operate. In November 2025, a previously unknown threat cluster codenamed "UNK_SmudgedSerpent" was identified targeting U.S.-based academics and foreign policy experts specializing in Iran.
These attackers used sophisticated social engineering, impersonating think tank figures to engage targets in benign conversations before attempting credential theft. The operation involved deploying legitimate Remote Monitoring and Management (RMM) tools disguised as Microsoft Teams installers, allowing for persistent, hands-on-keyboard access. This campaign, targeting over 20 U.S. experts, underscores that while Iran may not be winning the public war of DDoS attacks, it remains deeply engaged in a long-term espionage war aimed at understanding and influencing U.S. policy.
The Companies and Sectors Under Siege
The following entities have been publicly identified as targets or victims in the current and recent cycle of conflict:
- Banking and Finance:
  - Bank Sepah (Iran): State-owned bank servicing the Iranian armed forces. Sustained severe hardware damage and service outages.
  - Bank Pasargad (Iran): Major Iranian financial institution. Suffered data destruction and online banking outages.
  - Nobitex (Iran): Iran's largest crypto exchange. Drained of over $90 million in a destructive attack.
  - Major Saudi and Jordanian Banks: Targeted by DDoS attacks aimed at disrupting online services.
  - UAE Banking Sector: Experienced region-wide IT disruptions affecting online and phone banking services.
- Technology and Infrastructure:
  - Amazon Web Services (UAE): Data center struck by physical objects, causing fires and service interruptions, highlighting the fragility of cloud dependency.
  - Dotin (Iran): Critical Iranian banking technology vendor. Its infrastructure was used as an attack vector against the banks it served; the company was later sanctioned by the US.
- Media and Communications:
  - BadeSaba App (Iran): Popular prayer app hijacked to display anti-regime propaganda.
  - Iranian State TV and News Agencies: Broadcasts interrupted and replaced with foreign leader messages.
  - GPS Systems (Maritime): Approximately 1,100 ships in the Middle East experienced GPS jamming, disrupting navigation.
- Aviation and Logistics:
  - Middle Eastern airlines and logistics firms faced operational scrutiny and cyber disruption attempts, causing travel delays and stranded passengers.
Conclusion: The New Normal
The convergence of missile strikes and cyber hacks in the 2026 Iran-US-Israel conflict has solidified a new reality: there is no longer a line between wartime and peacetime, or between military and civilian targets. A banker in Dubai, a Shiite pilgrim using a prayer app in Tehran, and a policy analyst in Washington are now all valid targets in a conflict they did not start.
The conflict has demonstrated a clear divergence in capability. Pro-Israeli forces, exemplified by Predatory Sparrow, have moved beyond simple disruption to physical degradation, destroying hardware and effectively setting money on fire. On the other side, pro-Iranian forces have largely relied on the blunt instrument of DDoS attacks and propaganda, causing inconvenience and reputational damage but little lasting harm.
Yet, as Joe Saunders of RunSafe Security warns, the situation remains fluid. "Our infrastructure operators need to remain on heightened alert, especially since our critical infrastructure sectors are interconnected and even limited cyber incidents could have cascading economic and public safety consequences."
The digital ghost in the machine has become a permanent resident. As the Middle East braces for the next phase of this conflict, the only certainty is that the next battle will be fought not just in the skies over Tehran, but in the data centers of the world.

