Hackers Use Telegram and Signal to Assist Protestors in Iran

Multiple hacker groups are using Telegram, Signal and dark web tools to help anti-government protestors in Iran bypass regime restrictions.

The news comes from security experts at Check Point Research (CPR), weeks after the death of Mahsa Amini, a protestor who was arrested for violating laws requiring women to wear a headscarf and allegedly died in police custody.

"What we see are groups from the Telegram, dark and also 'regular' web helping the protestors to bypass the restrictions and censorship that are currently in place by the Iranian Regime, as a way to deal with the protests," Liad Mizrachi, a security researcher at Check Point told Infosecurity Magazine. "We began seeing these groups emerge roughly a day after the protests began."

CPR has observed hacker groups enabling people in Iran to communicate with each other despite the government's censorship attempts.

"Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Check Point wrote in a report shared with Infosecurity Magazine.

"CPR sees the sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides."

More specifically, CPR shared five examples of these groups. The first one is the Official Atlas Intelligence Group channel on Telegram. Counting over 900 members, the channel focuses on leaking data that can help against the regime in Iran. 

The second Telegram group spotted by CPR is ARVIN, which counts roughly 5000 members and provides news from the protests in Iran, reports and videos from the streets where the protests are, and information about the internet status in Iran.

The third Telegram group mentioned in the CPR report is RedBlue, a channel with about 4000 members that mainly focuses on hacking conversations and guides.

Beyond these Telegram channels, Check Point also mentions the Tor Project and Signal as platforms providing proxies to enable Iranian citizens to circumvent government censorship, access the internet and communicate securely.

"These groups allow people in Iran to communicate with each other and share news around what is going on at different places," Mizrachi added. "We will continue to monitor the situation."

The CPR report comes weeks after Albania cut ties with Iran over a July ransomware attack that temporarily shut down numerous Albanian government digital services and websites.
