After U.S. and Israeli strikes on Iran on Feb. 28, 2026, Graphika has been actively monitoring the online information environment around the Iran war. Through this monitoring, we track influence operations (IOs), hacktivist mobilization and activity, the spread of false or misleading information, and other threats. Below is a sample of our findings, which we will continue to update.
March 20, 2026 | Iran State-Linked Hacktivist Persona Handala, Followers on Mainstream Platforms Promote New Websites After FBI Seizure
Handala Hack, a hacktivist persona linked to an Iranian Ministry of Intelligence threat actor known as Void Manticore (aka Banished Kitten or Storm-0842), has responded to a March 19 FBI seizure of its domains by promoting new websites. Pro-Iran and Iranian state media accounts on Bluesky, Facebook, Instagram, Telegram, VKontakte, and X have also promoted the new domains. In addition to Handala, the FBI seized domains attributed to the Void Manticore personas Homeland Justice and Karma Below. On March 19, Handala, which claimed responsibility for hacking U.S.-based medical tech company Stryker, issued public Telegram statements condemning the seizure of its domains, framing the seizure as a desperate attempt from the U.S. and Israel to hide their "crimes and scandals." Handala quickly started promoting two backup sites.
March 19, 2026 | Pro‑Iranian Regime Accounts Suggest Threats to Oil Trade, Petrodollar Signal Dwindling US Power
Pro-Iranian regime, pro-Kremlin, and pro-China accounts on X, Facebook, and Instagram portrayed Iran as actively challenging U.S. economic and strategic power during the conflict. Key narratives include Iran's threatened closure of the Strait of Hormuz, proposals to trade oil in Chinese yuan as a challenge to petrodollar dominance, and Houthi threats to close the Bab-el-Mandeb Strait in the Red Sea in solidarity with Iran. Pro-regime accounts framed Trump as "begging" other countries to help reopen the Strait after "failing against Iran," with one Instagram user circulating a deepfake video to reinforce the claim. Russian and Chinese state influence accounts amplified the same narratives. This narrative is likely intended to project Iranian geopolitical strength and undermine perceived U.S. influence.
March 18, 2026 | Iranian State Media, Pro-Regime Accounts Push Security Chief’s Claims of False Flag Attack Implicating Iran
Before his death, Iranian official Ali Larijani used his X account (444K followers) to warn that members of Jeffrey Epstein's network were plotting a false flag attack to blame Iran for a 9/11-style terrorist incident. The claim was widely promoted by pro-Iranian regime accounts, including IRGC-run Tasnim and state media outlet Press TV across X, Facebook, and Instagram. Replies extended the narrative further, with users claiming Israel would orchestrate the attack. Several X accounts in our Russian and Chinese State Influence Audience Maps also amplified the statement, underscoring the narrative’s utility to a range of adversarial actors.
March 17, 2026 | Pro-Iran Hacktivist Groups Target Additional Banks, Claim Credit for Microsoft Outage in Response to Iran War
Pro-Iran and allied hacktivist groups claimed attacks between March 12 and 17, targeting banks and companies across Israel, the U.S., and allied countries. Cyber Fattah, Conquerors Electronic Army, COUP Team, and Team Fearless claimed attacks against the websites of Israel’s Mercantile Bank, Bank Otsar, First International Bank, Bank Mizrahi-Tefahot, the Bank of Israel, and Bank Hapoalim, as well as the United Arab Emirates-based Abu Dhabi Islamic Bank.
On March 15, the pro-Palestine group 313 Team launched DDoS attacks against the U.S.-based Commerce Bank and U.S. President Donald Trump's campaign website, donaldjtrump.com. The Bangladeshi group Sylhet Gang SG and the pro-Palestine group DieNet also claimed they attacked Trump's website. The site returned a 503 error on March 17. Several groups also opportunistically claimed responsibility for a March 16 Microsoft services outage, targeting Microsoft's Copilot site among others.
The Russian group Cardinal alleged it stole a U.S. Defense Logistics Agency document confirming it had "disabled the Iron Dome over Tel Aviv." The document is almost certainly fabricated, bearing a 2026 date alongside the signature of former U.S. Secretary of Defense Mark Esper, whose tenure ended in 2020.
March 17, 2026 | Spamouflage Accounts on X Denounce US Actions in Iran, Signal Support for Iranian Military
Nearly three weeks into the Iran war, we have identified 26 likely Spamouflage-linked accounts on X posting content that vilifies the Trump administration and highlights the Iranian military’s offensive and defensive measures. This demonstrates how the Chinese influence operation experiments with new tactics and more developed personas while exhibiting a consistent delay in responding to geopolitical or current events.
Since March 10, accounts including “Autumn” and “Daisy Reid” have shared clips from U.S. and Russian state media criticizing U.S. policymakers, calling U.S. President Trump "reckless" and labeling Homeland Security Advisor Stephen Miller "absurd." Their posts have drawn replies from six other known Spamouflage-linked accounts and an additional 17 likely Spamouflage-linked accounts. The replies are likely AI-generated; they use idiomatic language, including words like “pls” and “OMG,” and lack punctuation. They contend that Trump "needs a crash course in diplomacy" and "is trying to distract us from the real issues."
March 17, 2026 | Russian State Media Amplifies Trump Warning to NATO Against Avoiding Strait of Hormuz
Pro-Kremlin state media, FSB-linked outlets, and Portal Kombat influence operation websites quoted Trump's March 15 warning that NATO faces a "very bad future" if allies fail to help the U.S. secure the Strait of Hormuz. Russian outlets framed the remarks as evidence of U.S. weakness and internal NATO fracture, suggesting Trump is dragging allies into war and that U.S. and European strategic interests are increasingly diverging. Portal Kombat websites paired Trump's comments with former NATO Secretary General Jens Stoltenberg's remarks that he hasn't ruled out the alliance collapsing during Trump's presidency. The activity appears aimed at amplifying the perception of NATO disunity and accelerating doubts about the alliance's future.
March 13, 2026 | Chinese State, Pro-China Actors Across Platforms Use Videos, Cartoons to Criticize and Mock US Over Iran War
Chinese officials, state media outlets, and pro-China accounts on Facebook, Instagram, X, and YouTube have continued to respond to the Iran war by spreading cartoons and videos that depict the U.S. as destabilizing the region. Pro-China accounts also portrayed China as a savior while describing Japan and India as Israel’s accomplices. The Chinese Embassy in the U.S. shared Foreign Minister Wang Yi's statement that "might does not make right," and state outlet Xinhua circulated an AI-generated video mocking Trump's "Shield of the Americas" initiative.
Pro-China accounts also targeted U.S. allies, portraying India and Japan as supporting Israel, while promoting a Chinese operation to return Taiwanese nationals from the Middle East. Chinese state media outlets on X also shared cartoons mocking U.S. claims that Iran posed a nuclear threat and suggesting that the war is an attempt to shift attention from the Epstein files.
March 12, 2026 | Pro-Iran Hacktivist Groups Claim to Launch 'Wave of Attacks' on Banking Infrastructure
Two pro-Iran hacktivist groups claimed on March 12 that they had started a “wave of attacks” against “the banking infrastructure of the Zionist regime,” alleging that the effects would be felt within the upcoming week. The claims came a day after Iranian state media outlets reported that Iran is now "free" to launch retaliatory strikes against U.S. and Israeli banks.
On March 12, Cyber Islamic Resistance began posting regular updates on X about alleged attacks it claimed to have conducted. Alleged targets included the websites of the Bank of Israel, Israel Discount Bank, payments infrastructure company Automatic Bank Services (SHVA), and Israel's automated clearing house, Bank Clearing Center (MASAV). On Telegram, Conquerors Electronic Army posted about alleged attacks against the websites of Israeli credit card company CAL and Israel’s Mercantile Bank. Cyber Islamic Resistance also claimed it attacked non-financial services companies in the U.S. and the United Arab Emirates, including a New York-area recruitment company, Purple Search.
Both groups are part of the broader coalition of more than 10 hacktivist groups that mobilized against the U.S. and Israel at the start of the conflict.
March 12, 2026 | On X, Influential Cross-Community Commentators Link Israel-Iran War to Global Economic Uncertainty
Accounts primarily in anti-West communities on X are linking global energy market instability to the ongoing Israel-Iran war, while portraying China as the primary beneficiary of the conflict. Users are casting the war as economically advantageous for Iran and China while warning of broader global financial fallout. Narratives include rising oil prices as a win for Iran, China claiming “exclusive access” to the Strait of Hormuz and providing the Iranian military with geospatial intelligence advantages, and the U.S. bearing responsibility for broader global energy instability. Unverified claims are also circulating with significant reach, including allegations that Barron Trump purchased oil futures ahead of the strikes (161K views) and that Gulf nations are considering canceling billions in U.S. investments (2M views).
March 11, 2026 | Iranian State Media and Inauthentic X Account Warn of Attacks Against US, Israeli Banks
Following an Israeli strike on an Iranian bank on March 11, IRGC-run Tasnim News Agency and Fars News Agency posted identical warnings that Iran is now “free” to target U.S. and Israeli banks, advising people in the region to stay at least one kilometer away, suggesting possible kinetic action. Roughly an hour before the state media warnings, pro-Palestine hacktivist group Moroccan Black Cyber Army, previously aligned with the pro-Iran Cyber Islamic Resistance network, claimed a DDoS attack on Israel Discount Bank. Since the warnings, we have not observed any calls to action.
March 11, 2026 | Pro-Iranian Regime Accounts Hail Leadership Succession, Decry Trump and US-Israel War Efforts
Pro-Iranian regime accounts on X and Instagram coordinated around Mojtaba Khamenei's appointment as Supreme Leader, sharing identical images and copypasta loyalty slogans in what appears to be an effort to reinforce regime legitimacy and project geopolitical strength. Pro-Iranian regime X accounts criticized Trump's remarks about Iranians and promoted claims that Iran is winning the war against the U.S. and Israel. The "Iran is winning" narrative was also picked up by international pro-Russia accounts.
March 11, 2026 | Pro-Russia Hacktivist Groups Continue Targeting Israel and the US Over Iran War
NoName057(16) continued its #OpIsrael campaign, claiming DDoS attacks against Israeli telecom firms, transportation companies, and political parties. The group also claimed on March 4 to have gained access to an engineering equipment control system at an unspecified large industrial facility in Israel, alleging visibility and control over ventilation, pumping, and air-conditioning systems.
Other groups pursued separate targets. Z-Pentest Alliance claimed unauthorized access to the internal management system of an Israeli restaurant, alleging full control over point-of-sale terminals and customer data. Morningstar claimed it accessed CCTV cameras at New York's Columbia University and breached an Israeli retail weighing terminal system. Most significantly, Cardinal claimed on March 8 to have compromised the infrastructure management system of Israel's National Emergency Authority, obtaining administrative access to national power, water, gas, and satellite communications. The group subsequently claimed it could manipulate reactor-monitoring parameters at Israel's Nuclear Research Center in Dimona.
March 10, 2026 | Iran-Linked Hacktivist Group Claims Hacks of US and Israeli Companies, Publishing Allegedly Obtained Documents
Between March 6 and 8, Cyber Isnaad Front alleged on Telegram that it extracted over 5 terabytes of data from Israeli fuel logistics company HLD Fuel Transportation, sharing photos it claimed showed HLD supplying U.S. warships docked in Israeli ports. The same day, it claimed to have hacked Israeli vehicle location services company Ituran, obtaining data on Israeli military fuel deliveries. It also released documents implicating other Israeli energy companies, including Gadot Pi Glilot, Bazen, and Paz Retail and Energy, as military suppliers, though it did not claim to have attacked those firms directly or explicitly threaten them.
On March 8, Cyber Isnaad Front claimed it had teamed up with the hacktivist group Gaza Children's Group to hack the U.S. biotech company NanoSpun, alleging that it disrupted the company's operations. It also released documents purportedly showing NanoSpun's connections to the U.S. Department of Energy, U.S. firms LanzaTech and BoMax Hydrogen, French cosmetics company L'Oreal, and Israel-based ASSIA Chemical Industries, framing these relationships as further justification for targeting. None of Cyber Isnaad Front's claims have been independently verified.
March 5, 2026 | Chinese State, Pro-China Actors Signal Support for Iran After Airstrikes, Denounce US and Israel
Chinese state media outlets and pro-China accounts on Facebook, X, and YouTube are using government statements, memes, and missile strike visuals to depict the U.S. and Israel as aggressors while defending the Iranian regime.
CGTN, China Daily, and Chinese embassies have posted videos, AI-generated songs and memes, and Ministry of Foreign Affairs statements opposing the airstrikes and calling for de-escalation. Pro-China accounts on X, including Zhao DaShuai (248K followers), have circulated memes suggesting the attack was an attempt to distract from the Epstein files and content praising the late Iranian Supreme Leader Ali Khamenei.
On X, pro-China and Iranian actors attributed China’s continued presence in the Strait of Hormuz to China’s demonstrations of support for Iran. On March 4, China ordered top refineries to halt oil and gas exports.
Notably, Graphika has not observed covert Chinese state-linked actors like Spamouflage engaging in large-scale messaging campaigns — though one Spamouflage-linked account shared a video on March 1, accusing the U.S. and Israel of conducting “terrorist strikes on Iran.”
March 2, 2026 | Copypasta Posts Falsely Claim Trump and Netanyahu Have Been Killed
Accounts across Facebook, Instagram, and X are circulating coordinated Arabic-language posts alongside images of President Trump and Prime Minister Netanyahu, falsely suggesting the two leaders were killed in the conflict. Some posts attribute the claims to Iran without providing any source. Several posts repurpose a photograph of Trump from the July 2024 Pennsylvania assassination attempt, pairing it with claims that the "target has been eliminated."
The first observed post appeared on March 1 at 5:06 p.m. EST. At least 40 additional X accounts posted identical or near-identical content within the following 12 hours. The accounts show no other apparent connections.
March 1, 2026 | Iran-Backed Hacktivist Groups Reactivate, Target Regional Allies
Iranian hacktivist groups with known or suspected ties to the Iranian Revolutionary Guard Corps (IRGC) and Iran's Ministry of Intelligence (MOIS) reactivated on Telegram and X following the February 28 strikes. Al-Toufan, dormant since July 2024, reemerged to claim attacks on the Bahraini-administered bahrainusa.com, the U.S. Navy-run navymwrbahrain.com, and the website of U.K.-based maritime defense company SCA Group — Microsoft has attributed Al-Toufan as a persona operated by an IRGC-linked threat actor. Handala Hack, linked to a MOIS threat actor, claimed to have hacked Jordanian gas stations and teased a coming attack on Saudi Arabia, though the relevant video has since been removed from X. Mr. Soul, a Telegram persona associated by the U.S. Treasury with the IRGC-linked CyberAv3ngers group, announced plans to resume offensive operations. Cyber Isnaad Front and Gaza Children Group voiced support for Iran but have not claimed attacks.
February 28, 2026 | Hacktivist Coalition Mobilizes Within Hours of First Strikes
Within two hours of the initial strikes on Iran, the pro-Hamas, pro-Iran group Cyber Islamic Resistance (CIR) posted on Telegram calling on "cyber warfare experts" to join a new resistance campaign. CIR is cooperating with approximately 15 allied hacktivist groups spanning the Middle East, Iran, Iraq, Malaysia, Morocco, and Kurdish networks, several of which were previously allied in the pro-Palestine Holy League.
Claimed attacks as of publication remained limited and largely unsubstantiated. CIR-allied group FaD TeaM announced a campaign called "The End of the Flood" and claimed attacks on a U.S. Pennsylvania Township website and an intrusion on the routers of an Israeli security company, though screenshots accompanying the router claims were traced to the now-defunct Russian hacktivist group Hunt3rKill3rs, suggesting recycled rather than new material.
The Moroccan Cyber Army claimed a DDoS attack on internet provider TCS Telecom, while RipperSec claimed to have targeted Israeli government websites, news outlets, banks, and drone and commercial companies. Other groups including Keymous+ and JEArmy launched their own campaigns or called for pro-Iran groups to join future attacks.
February 25, 2026 | Pre-Strike Context: Pro-Iran and Pro-Russia Networks Worked to Deter U.S. Action
In the days before the strikes, Graphika observed a coordinated pre-emptive influence push across pro-Iranian regime and pro-Russia networks aimed at discouraging U.S. military action. Iranian state media outlets including IRNA, Mashregh News, and Javan Online framed potential U.S. military action as politically costly for Trump and logistically overextended. Pro-regime X accounts warned of severe Iranian retaliation and claimed Iranian missiles could reach the U.S. East Coast.
Pro-regime users also amplified a claim originating from a Russian account that hundreds of coordinated X accounts had been pre-positioned to spread pro-Israel narratives in the event of war. Russian State Influence accounts echoed the anti-war messaging, framing Israel as the true regional threat.
About this coverage
Graphika is tracking the online information environment related to the Iran war in real time. This includes influence operations, hacktivist activity, false or misleading information, and coordinated inauthentic behavior across platforms.
Updates will be published as new findings emerge.