After U.S. and Israeli strikes on Iran on Feb. 28, 2026, Graphika has been actively monitoring the online information environment around the Iran war. Through this monitoring, we track influence operations (IOs), hacktivist mobilization and activity, the spread of false or misleading information, and other threats. Below is a sample of our findings, which we will continue to update.

March 5, 2026 | Chinese State, Pro-China Actors Signal Support for Iran After Airstrikes, Denounce US and Israel Chinese state media outlets and pro-China accounts on Facebook, X, and YouTube are using government statements, memes, and missile strike visuals to depict the U.S. and Israel as aggressors while defending the Iranian regime.

CGTN, China Daily, and Chinese embassies have posted videos, AI-generated songs and memes, and Ministry of Foreign Affairs statements opposing the airstrikes and calling for de-escalation. Pro-China accounts on X, including Zhao DaShuai (248K followers), have circulated memes suggesting the attack was an attempt to distract from the Epstein files and content praising the late Iranian Supreme Leader Ali Khamenei.

On X, pro-China and Iranian actors attributed China’s continued presence in the Strait of Hormuz to China’s demonstrations of support for Iran. On March 4, China ordered top refineries to halt oil and gas exports.

Notably, Graphika has not observed covert Chinese state-linked actors like Spamouflage engaging in large-scale messaging campaigns — though one Spamouflage-linked account shared a video on March 1, accusing the U.S. and Israel of conducting “terrorist strikes on Iran.”

March 2, 2026 | Copypasta Posts Falsely Claim Trump and Netanyahu Have Been Killed Accounts across Facebook, Instagram, and X are circulating coordinated Arabic-language posts alongside images of President Trump and Prime Minister Netanyahu, falsely suggesting the two leaders were killed in the conflict. Some posts attribute the claims to Iran without providing any source. Several posts repurpose a photograph of Trump from the July 2024 Pennsylvania assassination attempt, pairing it with claims that the "target has been eliminated."

The first observed post appeared on March 1 at 5:06 p.m. EST. At least 40 additional X accounts posted identical or near-identical content within the following 12 hours. The accounts show no other apparent connections.

March 1, 2026 | Iran-Backed Hacktivist Groups Reactivate, Target Regional Allies Iranian hacktivist groups with known or suspected ties to the Iranian Revolutionary Guard Corps (IRGC) and Iran's Ministry of Intelligence (MOIS) have reactivated on Telegram and X following the February 28 strikes.

  • Al-Toufan, dormant since July 2024, reemerged to claim attacks on the Bahraini-administered bahrainusa.com, the U.S. Navy-run website navymwrbahrain.com, and the website of the U.K.-based maritime defense company SCA Group. Microsoft has attributed Al-Toufan as a persona operated by an IRGC-linked threat actor.
  • Handala Hack, linked to a MOIS threat actor, claimed to have hacked "Jordanian gas stations" and teased a coming attack on Saudi Arabia. The relevant video has since been removed from X.
  • Mr. Soul, a Telegram persona associated by the U.S. Treasury with the IRGC-linked CyberAv3ngers group, announced plans to resume offensive operations.
  • Cyber Isnaad Front and Gaza Children Group voiced support for Iran but have not claimed attacks.

February 28, 2026 | Hacktivist Coalition Mobilizes Within Hours of First Strikes Within two hours of the initial strikes on Iran, the pro-Hamas, pro-Iran group Cyber Islamic Resistance (CIR) posted on Telegram calling on "cyber warfare experts" to join a new resistance campaign. CIR is cooperating with approximately 15 allied hacktivist groups spanning the Middle East, Iran, Iraq, Malaysia, Morocco, and Kurdish networks — several of which were previously allied in the pro-Palestine Holy League.

Claimed attacks as of publication remained limited and largely unsubstantiated:

  • CIR-allied group FaD TeaM announced a campaign called "The End of the Flood" and claimed attacks on a U.S. municipal website, U.S. Pennsylvania Township, and an intrusion on routers of an Israeli security company. However, screenshots accompanying the Israeli router claims were traced to the now-defunct Russian hacktivist group Hunt3rKill3rs, indicating recycled rather than new material.
  • The Moroccan Cyber Army claimed responsibility for a DDoS attack on internet provider TCS Telecom.
  • RipperSec claimed targeting of Israeli websites, news outlets, banks, drone and commercial companies.
  • Groups, including Keymous+ and JEArmy, launched their own campaigns or called for pro-Iran groups to join future attacks.

February 25, 2026 | Pre-Strike Context: Pro-Iran and Pro-Russia Networks Worked to Deter U.S. Action

In the days before the strikes, Graphika observed a coordinated pre-emptive influence push across pro-Iranian regime and pro-Russia networks aimed at discouraging U.S. military action:

  • Iranian state media (IRNA, Mashregh News, Javan Online) framed potential U.S. military action as politically costly for Trump and logistically overextended.

  • Pro-regime X accounts warned of severe Iranian retaliation and claimed Iranian missiles could reach the U.S. East Coast.

  • Pro-regime users amplified a claim, originating from a Russian account, that hundreds of coordinated X accounts had been pre-positioned to spread pro-Israel narratives in the event of war.

  • Russian State Influence accounts echoed anti-war messaging, framing Israel, as the true regional threat.

About this coverage

Graphika is tracking the online information environment related to the Iran war in real time. This includes influence operations, hacktivist activity, false or misleading information, and coordinated inauthentic behavior across platforms.

Updates will be published as new findings emerge. For full access to these reports and underlying data, or to learn how Graphika can help your organization monitor and respond to emerging threats, book a demo.