Targeted Threats – The Citizen Lab
https://citizenlab.ca (University of Toronto)
Feed last updated: Thu, 20 Nov 2025 18:14:19 +0000

Nov 26 | Women, Technology, and Peacemaking Webinar: 25 Years after UNSCR 1325
https://citizenlab.ca/2025/11/webinar-women-technology-and-peacemaking/
Published: Tue, 11 Nov 2025 17:23:50 +0000

Hosted by the Citizen Lab
Date: November 26, 2025
Time: 9:30 am – 11:00 am ET / 3:30 pm – 5:00 pm CET
Location: Online (Zoom webinar)

This year marks the 25th anniversary of UN Security Council Resolution 1325, a milestone recognizing women’s essential roles in peacemaking, conflict prevention, and post-conflict recovery. Yet, even as the world celebrates this legacy, new realities challenge its promise.

Digital technologies, once seen as tools for empowerment, have become instruments of surveillance, disinformation, and harassment, used by patriarchal and authoritarian actors to silence women human rights defenders and peacebuilders. Digital threats such as the hacking of devices, the exposure of private information and online abuse expand the spectrum of violence against women, creating new forms of insecurity. Even in exile, women with ties to authoritarian countries face gender-based digital transnational repression (GDTR) that aims to intimidate and silence them across borders.

This webinar brings together Citizen Lab researchers with policy advisors, Women, Peace and Security (WPS) experts, and human rights defenders to reflect on 25 years of the WPS agenda in the age of digital repression. The discussion will explore how gender, technology, and authoritarianism intersect to shape women’s participation in peace and security, and how targets of gendered digital attacks and feminist movements are building resilience and reimagining women’s digital security for the next 25 years.

Join us for a timely conversation on how digital repression and surveillance are reshaping women’s participation in peacebuilding and the Women, Peace and Security agenda.

 


 

Meet the Speakers

KEYNOTE

Lara Scarpitta (she/her) is the OSCE Senior Advisor on Gender Issues and Head of the Gender Issues Programme in the Office of the Secretary General. She was previously Senior Advisor and Political Advisor on Peace, Mediation and Gender at the EU Delegation to the United Nations in Geneva.

MODERATOR

Urooj Mian, MSc., LL.M (she/her) is the CEO of Sustainable Human Empowerment (SHE) Associates, a boutique consulting firm headquartered in Canada with a mission to empower sustainable impact and enable transformative change in the areas of gender equality, peace and justice worldwide. She holds a Master of Laws (LL.M) in International Crime and Justice from the United Nations Interregional Crime and Justice Research Institute (UNICRI) and the University of Torino, a Master of Social Science (M.Sc) in Peace and Conflict Research from Uppsala University in Sweden, and a Bachelor of Public Affairs in Policy Management (B.PAPM) specializing in Human Rights and Law from Carleton University. She is internationally respected as a gender, peace and security expert and regularly works with human rights defenders. She brings combined experience as a life-long activist, a policy-maker, and the founding executive director of a national advocacy-focused not-for-profit advancing the Women, Peace and Security agenda.

PANELLISTS

Noura Aljizawi (she/her) is a senior researcher at the Citizen Lab. Her research focuses on digital authoritarianism, disinformation, and digital transnational repression, informed by her background in human rights activism during the Syrian uprising. Aljizawi holds a Master’s degree in Global Affairs from the University of Toronto and has been recognized for her work in online safety and digital security.

Marcus Michaelsen (he/him) is a senior researcher at the Citizen Lab focusing on digital threats against exiles and diaspora communities. Previously, he was a senior post-doctoral researcher in the research group on Law, Science, Technology and Society at Vrije Universiteit Brussel. He has also held a senior information controls fellowship with the Open Technology Fund, and has worked as a lecturer and postdoc researcher in the Political Science Department of the University of Amsterdam. He holds a PhD in Media and Communication Studies from the University of Erfurt in Germany.

Siena Anstis (she/her) is a senior legal advisor at the Citizen Lab. Prior to joining Citizen Lab, she worked as a litigation associate at Morrison & Foerster in New York City and clerked for the Hon. Justice Cromwell at the Supreme Court of Canada and at the Court of Appeal for Ontario. Anstis holds a B.A. in Journalism and Anthropology from Concordia University, a Bachelor of Laws/Bachelor of Civil Law from McGill University, and a Master of Laws from the University of Cambridge.

Natalia Arno (she/her) is the president and founder of Free Russia Foundation. She is a prominent fighter for the advancement of democracy, human rights, and freedom. From 2004 to 2014, Ms. Arno worked for the International Republican Institute’s (IRI) Russia office. For her work in support of human rights and civil society in Russia, in 2012 Ms. Arno was given an ultimatum by Putin’s security services: leave her homeland within 48 hours or face 20 years in prison on treason charges. Ms. Arno resolved to continue her fight and, in 2014, created Free Russia Foundation (FRF) as a platform for pro-democracy Russians. FRF supports civil society in Russia and Belarus and runs programs to assist Ukraine. FRF is a powerful global movement with centers in Washington, DC and Brussels; Kyiv, Ukraine; Berlin, Germany; Vilnius, Lithuania; and Paris, France.

Sreshtha Das (they/them) is a queer disabled activist and works as a Gender Advisor/Researcher at Amnesty International. At Amnesty they developed the ‘Make It Safe Online for women, girls and LGBTI people’ project, which looks at technology-facilitated gender-based violence (TfGBV) through an intersectional and decolonial lens in different country contexts. Their work has largely been at the intersection of gender, sexuality, SRHR, militarisation and racial justice with various marginalised groups, using a structural and systemic analysis to holistically address social justice issues. 

xeenarh Mohammed (she/her) is a global leader at the intersection of technology, human rights, and governance, with over a decade of experience advancing equity and accountability in digital spaces. She currently serves as Co-Lead of the Digital Defenders Partnership, where she oversees global strategy and operations supporting human rights defenders across Africa, Asia, Latin America, and Europe.

About UNSCR 1325

The United Nations Security Council (UNSC) adopted resolution (S/RES/1325) on women, peace and security on October 31, 2000. UNSCR 1325 calls for women’s meaningful participation in peace and security processes; however, 25 years later, the world faces new and complex realities that challenge the spirit of this resolution. Digital technologies have introduced new forms of communication and alternative public spaces. They have also become tools of surveillance, control, harassment, and violence in the hands of patriarchal, authoritarian, and militarized powers. 

The widespread use of mercenary spyware, targeted digital surveillance, online harassment, and disinformation campaigns has created an environment in which women journalists, human rights defenders, and peacemakers are systematically targeted. These technologies enable state and non-state actors to extend gender-based violence beyond physical spaces and into the digital sphere. Even when women are in exile, digital technology enables harmful actors to threaten and silence women from afar.

While the international community celebrates the progress made on the WPS agenda, women who engage in peacebuilding and human rights work still face multi-layered forms of violence that are simultaneously gendered, political, and technological. This webinar situates these realities within an intersectional feminist framework, recognizing that women from marginalized communities, including those defined by race, ethnicity, sexuality, class, religion, or migration status, experience compounded forms of exclusion and vulnerability. Understanding how these intersecting systems of power operate in digital environments is essential to advancing an inclusive and transformative WPS agenda for the next 25 years.


We Say You Want a Revolution: PRISONBREAK – An AI-Enabled Influence Operation Aimed at Overthrowing the Iranian Regime
https://citizenlab.ca/2025/10/ai-enabled-io-aimed-at-overthrowing-iranian-regime/
Published: Fri, 03 Oct 2025 03:00:44 +0000

Key Findings
  • A coordinated network of more than 50 inauthentic X profiles is conducting an AI-enabled influence operation. The network, which we refer to as “PRISONBREAK,” is spreading narratives inciting Iranian audiences to revolt against the Islamic Republic of Iran.
  • While the network was created in 2023, almost all of its activity was conducted starting in January 2025, and continues to the present day.
  • The profiles’ activity appears to have been synchronized, at least in part, with the military campaign that the Israel Defense Forces conducted against Iranian targets in June 2025.
  • While organic engagement with PRISONBREAK’s content appears to be limited, some of the posts achieved tens of thousands of views. The operation seeded such posts to large public communities on X, and possibly also paid for their promotion.
  • After systematically reviewing alternative explanations, we assess that the hypothesis most consistent with the available evidence is that an unidentified agency of the Israeli government, or a sub-contractor working under its close supervision, is directly conducting the operation.

Timeline 

Background

Influence Operations in the Geopolitical Contest Between Israel and Iran

In the geopolitical and ideological competition between the Islamic Republic of Iran and its international and regional adversaries, control over and strategic manipulation of the information environment has always played a key role.

While relatively little is known about influence operations (IOs) run directly by the Israeli government, military, or intelligence services, both independent press and social media platforms’ investigations have previously exposed several highly sophisticated Israeli covert influence operators, and their alleged connections to the country’s government. Two notable examples are Team Jorge and Archimedes Group. Both companies offered their services to a wide array of clients globally, used advanced technologies to build and conduct their covert campaigns, and advertised existing or prior connections to the Israeli intelligence community.

For its part, the Islamic Republic considers media and information technologies a battleground for regime survival. It has muzzled the press, disrupted satellite reception, and developed one of the most sophisticated systems of internet censorship worldwide. In its attempts to control information and shape narratives beyond its borders, the Islamic Republic has also produced IOs targeting both the Iranian diaspora and international audiences, and relied on methods of transnational repression to silence critics abroad.

Prior Citizen Lab research has uncovered Iranian disinformation efforts. In this investigation, we focus on the “other side” of the geopolitical competition: namely, an IO effort we assess as most likely undertaken by an entity of the Israeli government or a private subcontractor working closely with it.

The “Twelve-Day War”

The central focus of the IO examined in this report is the “Twelve-Day War”, which began on June 13, 2025, when Israel launched a major military attack against Iran, striking military sites, nuclear facilities, and infrastructure installations. The war was the culmination of a decade of tension over Iran’s nuclear program, which Israel views as an existential threat. In highly targeted operations, Israel also killed senior commanders in Iran’s military and security apparatus, as well as scientists associated with the nuclear program. Iran retaliated with ballistic missiles and drones.

While the stated objective of Israel’s attack was to degrade Iranian nuclear and missile capabilities, the airstrikes expanded to other critical infrastructure, including oil industry facilities and the national broadcaster in Tehran. Speculation that Israel was aiming for regime change was further fuelled by Prime Minister Netanyahu’s call to the Iranian people to stand up against their oppressive regime. The United States entered the conflict on June 22, striking three nuclear facilities in Iran. After Iran’s limited retaliation against a U.S. base in Qatar, a ceasefire took hold on June 24, ending the 12-day conflict. 

The day before the ceasefire, on June 23, the Israel Defense Forces (IDF) carried out multiple air strikes on Evin Prison in Tehran. The detention facility is notorious for the mistreatment of political prisoners, with frequent reports of solitary confinement and torture. Among the detainees are dual and foreign nationals held for leverage in the regime’s “hostage diplomacy.” The daytime attack caused severe damage and disruption within the facility, raising concern for the safety of inmates, among them high-profile dissidents. According to Iranian authorities, 80 people were killed in the strike. A group of prominent Iranian human rights defenders, including Nobel Peace Prize laureate Narges Mohammadi, as well as international human rights organizations, condemned the attack as a serious violation of international humanitarian law.

Later that day, the Israeli military confirmed in a press briefing that it had carried out a “targeted strike” on Evin Prison as a “symbol of oppression for the Iranian people.” Israeli government officials also mentioned the strike in social media posts. Foreign Minister Gideon Saar described the attack as a response to Iran’s targeting of civilians and tied it to a call for liberation.

The IO examined in this report synchronized its activities closely with the airstrikes on Evin Prison to advance a narrative of regime change in Iran. 

Research Methodology

This network was initially detected and referred to us by Darren Linvill, co-director of the Watt Family Innovation Center Media Forensics Hub at Clemson University. Linvill and his team had identified an initial set of 37 X accounts presenting key similarities:

  1. Posting during the same hours of the day.
  2. Using the same client (Twitter Web App, a less common client for X than its mobile apps).
  3. Adopting a stolen profile picture, or pictures, that would not identify the person depicted, and offering no identifying information in the biography.
  4. Disseminating the same content, including identical strings of hashtags.
  5. All profiles were created in 2023, and almost all remained silent until January 2025.

We investigated the network by deploying an array of open-source data collection techniques and analytical methods to examine metadata and activity patterns. We summarize these techniques and methods below.

Data Collection

For qualitative research – for example, the review of content or metadata patterns – we primarily used manual collection techniques. These included:

  • The collection of publicly available metadata for the X accounts, such as the profile’s creation date, bio, posted links, followers/following, handles/user IDs, profile and cover pictures, and (partially obfuscated) associated email addresses
  • The collection and preservation of content – including X posts and the associated media (pictures, videos)
  • The enumeration of the URLs posted by the accounts, as well as the extraction of the related web domains.

For quantitative research – the collection and subsequent analysis of data on the accounts at scale – we benefited from the Watt Family Innovation Center Media Forensics Hub’s X data access through an authorized third-party platform.

Analysis

A non-exhaustive list of analytical methods that we have utilized to develop this research is shown below.

  • Dataset analysis: to surface patterns in content and metadata, such as hashtags, shared URLs, or posting times.
  • Social network analysis (SNA) tools: to analyze the relationships between accounts or other digital assets.
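As an added example that is not part of the Citizen Lab report and does not reproduce its tooling, the following Python script applies the coordination heuristics listed under Research Methodology (shared creation year, shared posting client, overlapping posting hours, identical hashtag strings) to a constructed set of hypothetical accounts, converts the UTC timestamps to Tehran time the way Figure 3 does (IRST is UTC+3:30), and links every pair of accounts that shares at least three signals into connected components, which is the simplest form of the social network analysis step above. The handles, hashtags, timestamps, the 0.5 hour-overlap cutoff and the three-signal threshold are all assumptions made for the example; the report does not publish its own thresholds.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from itertools import combinations

# Iran Standard Time is UTC+3:30 all year (Iran abolished daylight saving in 2022),
# so a fixed offset is used rather than relying on the host's time zone database.
IRST = timezone(timedelta(hours=3, minutes=30))


def to_tehran(utc_iso: str) -> datetime:
    """Convert an X-style UTC timestamp ('2025-06-23T08:35:43Z') to Tehran local time."""
    stamp = datetime.strptime(utc_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp.astimezone(IRST)


# Constructed sample data with hypothetical handles; these are not accounts from the report.
# Each post is (UTC timestamp, posting client, trailing hashtag string as posted).
SAMPLE_ACCOUNTS = {
    "acct_a": {"created": 2023, "posts": [
        ("2025-06-23T08:35:43Z", "Twitter Web App", "#tag1 #tag2 #tag3"),
        ("2025-06-23T09:02:10Z", "Twitter Web App", "#tag1 #tag2 #tag3"),
        ("2025-06-24T08:10:00Z", "Twitter Web App", "#tag4 #tag5"),
    ]},
    "acct_b": {"created": 2023, "posts": [
        ("2025-06-23T08:40:05Z", "Twitter Web App", "#tag1 #tag2 #tag3"),
        ("2025-06-23T09:15:30Z", "Twitter Web App", ""),
        ("2025-06-24T07:50:00Z", "Twitter Web App", "#tag4 #tag5"),
    ]},
    "acct_c": {"created": 2023, "posts": [
        ("2025-06-23T08:50:00Z", "Twitter Web App", "#tag1 #tag2 #tag3"),
        ("2025-06-23T09:30:00Z", "Twitter Web App", "#tag6"),
        ("2025-06-24T07:55:00Z", "Twitter Web App", "#tag4 #tag5"),
    ]},
    "organic_1": {"created": 2019, "posts": [
        ("2025-06-23T17:00:00Z", "Twitter for iPhone", "#weather"),
        ("2025-06-23T18:30:00Z", "Twitter for iPhone", ""),
    ]},
    # Shares the creation year and one hashtag with the cluster, but not the other signals.
    "organic_2": {"created": 2023, "posts": [
        ("2025-06-23T08:45:00Z", "Twitter for iPhone", "#tag1"),
        ("2025-06-23T14:00:00Z", "Twitter for iPhone", "#tag1"),
    ]},
}


def dominant_client(account: dict) -> str:
    """Most frequently used posting client for the account."""
    return Counter(client for _, client, _ in account["posts"]).most_common(1)[0][0]


def active_hours(account: dict) -> set:
    """Set of hours of the day (Tehran time) in which the account posted."""
    return {to_tehran(ts).hour for ts, _, _ in account["posts"]}


def hashtag_strings(account: dict) -> set:
    """Distinct non-empty hashtag strings the account has posted, compared verbatim."""
    return {tags for _, _, tags in account["posts"] if tags}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def pair_signals(x: dict, y: dict) -> list:
    """Names of the coordination signals two accounts share (assumed thresholds)."""
    hits = []
    if x["created"] == y["created"]:
        hits.append("same_creation_year")
    if dominant_client(x) == dominant_client(y):
        hits.append("same_client")
    if jaccard(active_hours(x), active_hours(y)) >= 0.5:
        hits.append("overlapping_hours")
    if hashtag_strings(x) & hashtag_strings(y):
        hits.append("identical_hashtag_string")
    return hits


def cluster_accounts(accounts: dict, min_signals: int = 3) -> list:
    """Link pairs sharing at least min_signals signals; return sorted connected components."""
    adjacency = defaultdict(set)
    for a, b in combinations(accounts, 2):
        if len(pair_signals(accounts[a], accounts[b])) >= min_signals:
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen, clusters = set(), []
    for start in accounts:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:  # depth-first walk over the pair graph
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency[node] - component)
        seen |= component
        clusters.append(sorted(component))
    return sorted(clusters)


if __name__ == "__main__":
    print("Figure 3 check:", to_tehran("2025-06-23T08:35:43Z").strftime("%H:%M:%S IRST"))
    for group in cluster_accounts(SAMPLE_ACCOUNTS):
        if len(group) > 1:
            print("coordinated cluster:", group)
            for a, b in combinations(group, 2):
                print(f"  {a} <-> {b}: {pair_signals(SAMPLE_ACCOUNTS[a], SAMPLE_ACCOUNTS[b])}")
```

Requiring several weak signals to co-occur matters here: a shared posting client or creation year alone is common among unrelated users (organic_2 trips only one signal), and the timestamps being converted to a single local zone is what makes the "same hours of the day" comparison meaningful across accounts.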

Additionally, we deployed tools and methods – both manual and software-based – to assess the likelihood of individual pieces of content as being generated through the use of artificial intelligence (AI). These included, but were not limited to:

  • Identification of well-known AI artifacts in body parts (hair, fingers, eye movement in videos)
  • Identification of botched rendering of static content (e.g. distorted human figures) or dynamic content (e.g. unrealistic movement of individuals or crowds in the backgrounds of videos)
  • Analysis of looping video or audio tracks in dynamic content
  • Use of open-source online tools that assess content for potential AI generation (e.g. Image Whisperer, Hive)

A “Kinetic” Influence Operation: the Evin Prison Bombing

The influence operation described in this report was initially identified through the interactions of a number of X accounts with what appeared to be a highly sophisticated deception attempt: an AI-generated video of the Evin Prison bombing. The deepfake video was taken to be real and republished by multiple international news outlets.

What follows is a description of this activity, as well as its timeline:

  1. According to public reports, the prison was hit multiple times between 11 a.m. and 12 p.m., Tehran local time. Human Rights Watch “confirmed, based on satellite imagery, thermal anomaly data, accounts of informed sources, and first online reports and videos, that the Israeli strikes on Evin Prison took place on June 23 between 11:17 a.m. and 12:18 p.m.”
  2. The first reference to an explosion at Evin Prison that we identified as published by PRISONBREAK was posted at 11:52 a.m., Tehran time. A confirmed PRISONBREAK account – @kavehhhame – posted the following. The hashtags translate to: “#8_o’clock_cry #We_don’t_forget”. We will return to the significance of the first hashtag – #8_o’clock_cry – later in this report.

    Figure 1. Screenshot from a post made at 11:52 a.m. (Tehran time) on June 23, 2025 by @kavehhhame. This was the first post by a confirmed account from the PRISONBREAK network announcing the bombing of the Evin Prison by the IDF.

  3. At 12:05 p.m. (Tehran time), when the strikes were reportedly still underway, another confirmed PRISONBREAK account – @KarNiloufar, the oldest account in the network – published a post including a video of the alleged moment of the strike on the prison’s entrance.

    Figure 2. Screenshot from a video purportedly showing the bombing of the main entrance of Evin Prison in Tehran, posted by the PRISONBREAK account @KarNiloufar as the airstrikes were still happening on June 23, 2025.

    Figure 3. Screenshot of the metadata for @KarNiloufar’s post containing the alleged video of the Evin Prison’s bombing. The highlighted section shows the timestamp for the post as being 08:35:43 UTC (“Z” for Zulu Time), equivalent to 12:05:43 IRST (Tehran time, UTC+3:30).


  4. The video was later flagged as “fabricated” by BBC Persian. However, it did initially trick the press into republishing it as real.

      • The exact timing of the video’s posting, while the bombing of Evin Prison was allegedly still under way, points towards the conclusion that it was part of a premeditated and well-synchronized influence operation.
      • The first organic video we could identify on X as appearing to show the aftermath of the prison’s bombing was posted at 8:36 a.m. UTC, one minute after the AI-generated video published by PRISONBREAK.

  5. In the minutes following the initial posting of the video, other accounts in the PRISONBREAK network added their own contributions, claiming to have heard the sound of the explosions hitting Evin.

Figure 4. Two X posts by accounts in the PRISONBREAK network claiming to have heard the sound of the explosions hitting Evin Prison in Tehran on June 23, 2025. The posts were made respectively at 12:09 p.m. and 12:33 p.m. (Tehran time) on that day – shortly after the AI-generated video of the bombing was posted by @KarNiloufar.

“Free Evin” – Inciting an Uprising

It was at this stage, beginning at 12:36 p.m. Tehran time, with the bombings having reportedly ended at 12:18 p.m., that the network started explicitly calling for the capital’s population to go to Evin and free the prisoners. The X accounts also posted reassuring statements such as “the attack will end now” and “the area is safe”.

Figure 5. Composite of posts published by accounts in the IO network within 90 minutes from the publishing of the AI-generated video and calling for Tehran’s citizens to reach Evin Prison and free the prisoners. The posts insisted that after the Israeli airstrikes the area was safe.

This series of posts by the PRISONBREAK network’s accounts, following the AI-generated video and calling for people to go to the prison, achieved virtually no organic engagement and very few views, with one exception: the following post by the original video sharer, @KarNiloufar, which also included a video, accrued 46,000 views and more than 3,500 likes. The PRISONBREAK network reshared the post several times.

Figure 6. Screenshot of a post by @KarNiloufar, including a text caption calling for Iranians to reach the Evin Prison and free the prisoners, and accompanied by a video displaying AI-generated imagery, as well as ostensibly real footage of abuses committed by Iranian security officials on detainees.

This second video about Evin Prison, which shows the hallmarks of professional editing and was posted within an hour of the end of the bombings, further suggests that the PRISONBREAK network’s operators had prior knowledge of the Israeli military action and were prepared to coordinate with it.

A Broader Narrative: Overthrowing the Iranian Regime

The Evin Prison deepfake proved to be just one of the many pieces of content produced and amplified by the network in relation to the Twelve-Day War. Upon further analysis of the PRISONBREAK network’s posting timeline and posts content, we assess that their primary narrative was one of regime change in Iran. This appears consistent with other efforts promoting the overthrow of the Islamic Republic observed as happening in the same timeframe, attributed to Israeli government agencies, and exposed in a recent press investigation.1

In the early morning of June 13, 2025, Israel began its first bombing campaign of Iran. At the same time, we observed the PRISONBREAK network sharing images and videos of alleged civil unrest and instability in Iran. This footage included, for example, alleged Iranian military vehicles exploding. The network shared at least nine similar posts on June 13 in what appeared to be an attempt to force a public perception of instability during the initial Israeli attacks. We cannot verify the authenticity of any of the videos and it is possible that some of them were AI generated. 

Figure 7. A post shared by the network on June 13 showing a video of an alleged Iranian military vehicle on fire.

 

Figure 8. A post shared by the network on June 13 showing a video of alleged military personnel on a rooftop in Tehran.

Two days later, the network published a series of posts highlighting the alleged economic upheaval in Iran after the first few rounds of bombings. The network told followers to head to ATMs to withdraw money, emphasized that the Islamic Republic was “stealing our money to escape with its officials,” and urged followers to rise up against the regime. 

At least two of the observed posts which depict long lines of people waiting at the bank and beginning to riot show elements of AI generation. More specifically, in the example video shown below, one of the bodies blurs and becomes misshapen, suggesting the footage was AI generated.

Figure 9. A post shared by the PRISONBREAK network on June 15, showing a video of people waiting in line at ATMs in Iran. The misshapen figure seen in the screenshot on the right is an indicator of the video being AI generated.

Between June 20 and June 22, 2025, PRISONBREAK intensified its rhetoric against the Iranian regime. Under the hashtag “8 o’clock cry”, the accounts urged followers to get on their balconies at 8 p.m. each evening and shout “Death to Khamenei” (مرگ بر خامنه ای), in an attempt to capitalize on a previously established form of protest in Iran. An example of one of the posts shared by the network is shown in the figure below. 

Figure 10. A post shared by the PRISONBREAK network on June 20, encouraging followers to protest against the Iranian regime by shouting “Death to Khamenei” at 8 p.m. every night.

We observed at least nine videos and 23 posts shared by PRISONBREAK between June 20 and 22 of citizens allegedly participating in the “8 o‘clock cry”. The videos relating to the “8 o‘clock cry” drew viewership well above the network’s usual rates, ranging from 20,000 to 60,000 views per post. Almost all of the videos are low quality and do not include visible images of people shouting. Based on evidence outlined in the next section, we conclude that at least some of the videos were manipulated. As we could not identify them as posted anywhere else, we conclude that the videos were likely created by the account operators.

Figure 11. A post shared by the network on June 22, encouraging followers to protest against the Iranian regime by participating in shouting “Death to Khamenei”. While the viewership exceeds 25,000, the post has limited engagement.

These posts appeared to be a buildup to the Evin Prison deepfake, again pushing narratives promoting regime change in Iran. The network failed2 to drive Iranians to Evin Prison to free the political prisoners, but that did not stop their dissemination of content promoting an uprising against the country’s leadership. On June 24, Israel and Iran agreed to a ceasefire. The PRISONBREAK network then appeared to make another push to trigger unrest by questioning the ceasefire, suggesting that Iranian citizens had not received their salaries. 

Figure 12. Composite of posts posted by accounts in the network on June 24. The posts on the left show the accounts questioning the ceasefire and urging followers to continue with overthrowing the regime. The posts on the right show the accounts posing as Iranian citizens who have not received their salaries.

The PRISONBREAK operators subsequently pivoted to content related to the country’s ongoing water and energy crisis. Iran has faced a five-year drought and, in July, government officials announced that Tehran’s water supply was likely to run out in a matter of weeks. The water crisis and energy shortage made life increasingly difficult for Iranians following the Twelve-Day War. It appears that the network sought to escalate these tensions by creating and sharing content related to these issues. At the time of writing this report, PRISONBREAK is still consistently posting about both the water crisis and energy shortage, in a likely attempt to continue to escalate tensions between Iranian citizens and their government. We share two examples of this content posted by the network below. 

Figure 13. Two posts shared by PRISONBREAK relating to the water and energy crises. The post on the left shares a video quoting Dr. Banafsheh Zahraei, a water resources expert, about how one of the main dams in Tehran will run out of water by the end of September. The post on the right shares what appears to be an AI-generated video – based on the wall unnaturally moving as the gate opens in the top right corner – of officials stealing resources.

A Synthetic Network

The Pervasive Use of AI

The Evin Prison deepfake was not an anomaly: the PRISONBREAK network appeared to use AI routinely. On one occasion, the network used AI to distort the lyrics of a well-known Iranian protest song and accompanied the manipulated audio with deepfake representations of three Iranian singers.

Starting in August 2025, several confirmed network accounts shared a YouTube video3 impersonating famous Iranian singers Mehdi Yarrahi (مهدی یراحی), Toomaj Salehi (توماج صالحی), and Shervin Hajipour (شروین حاجی پور). All three singers live in Iran and have spent time in prison for their support of the 2022-23 “Woman, Life, Freedom” protest movement. In particular, rapper Toomaj Salehi was severely tortured during his incarceration and sentenced to death in April 2024, a sentence later overturned. In the video, they allegedly perform a joint interpretation of Hajipour’s song “Baraye”, which criticized social and political realities in Iran and became an anthem of the protest movement. The song in the video, however, changes the lyrics of the original, turning it into a direct call for an uprising. The main chorus in the manipulated version of the song roughly translates to “revolution for life, revolution for hope, revolution for freedom” while discussing the ongoing water crisis in Iran and other perceived or real grievances of the Iranian population.

The video and a short extract from it were the only ones posted on the YouTube channel4 “جنگ زندگی” (“The War of Life”) – which was created the same day it uploaded the song (August 13, 2025). The clip features several distinct AI failures – including a person walking backwards (who appears to be a “double” of Hajipour), crowds of people moving as a singular sliding unit, and misplacement of Toomaj Salehi’s tattoos (either duplicated or not present). We provide one example of the AI mistakes below. 

Figure 14. The two screenshots on the left show clips from the inauthentic YouTube video shared by the network. In one clip, Salehi’s neck tattoo is duplicated by AI generation and the other clip shows Salehi with no neck tattoo. The photo on the right is a real photo of singer Toomaj Salehi.

At the time of writing this report, the YouTube channel has 287 subscribers and the video has 466 views. We observed the PRISONBREAK network sharing the video on X one day after it was uploaded to YouTube on August 13, 2025, seeding the link into Twitter Communities with over 15,000 members.

This video was just one of the many examples of PRISONBREAK spreading AI-generated imagery emphasizing the water crisis. At times, such content was of a caricatural nature. One post from the confirmed network account @feridounazari shared an AI video depicting Khamenei stealing water from a baby. Another account, @firoz_soltani, shared a video of water bottles attached to a timer meant to resemble a bomb. When the timer explodes, the caption reads “Water is our inalienable right, thirst is the end of our life.” Regardless of the post, the goal seemed to be to create and share content that deepens the political discontent in Iran and pushes the population towards revolting against the regime. 

Impersonation of National and International News Outlets

Along with AI-generated content, the PRISONBREAK network impersonated legitimate news sources. For example, we identified one screenshot and two videos impersonating BBC Persian. In the caption to a screenshot of an alleged article, the original poster, @KarNiloufar, claimed that BBC Persian had deleted it within five minutes of posting. The headline of the article translates to “Officials flee the country; high-ranking officials leave Iran one after another”. We verified with BBC Persian that this article was never published by the broadcaster.

Figure 15. A post shared by @KarNiloufar on June 16, 2025, showing a screenshot from an alleged BBC Persian article. The purported article claims that 90 members of the Iranian regime have fled the country. The BBC confirmed to us that they had never published this article.

A few days after sharing the alleged article, the network posted two other videos that they claimed had been published by BBC Persian. The first video summarizes the events of the Twelve-Day War, specifically highlighting heavy traffic and gas shortages, and suggesting that Iran’s government and allies have abandoned the regime. The second video begins with a title that translates to “Special daily summary of the attack on the regime’s repressive forces,” and shares the network’s own Evin Prison deepfake, as well as other alleged explosions in Iran.

The BBC confirmed to us that they did not create or publish this content. [5]

We provide screenshots of the two news clips fabricated by PRISONBREAK below.

Figure 16. The two screenshots show videos posted by @feridounazari and @KarNiloufar claiming to originate from the BBC.

BBC Persian was not the only media outlet impersonated. We observed two other instances of media impersonation in which the accounts provided links to articles from Afkar News (پايگاه خبری افکارنيوز) accompanied by a screenshot of the headline. In both instances, the links do not lead to a news article, nor were we able to locate archived versions.

Figure 17. The two screenshots show articles shared by PRISONBREAK and linked to Afkar News that do not appear on the website. The headline on the left translates to “The Sarallah command fell, and the centre of the Revolutionary Guards’ suppression mechanism in Tehran was destroyed,” and states that “the place synonymous with fear has now been reduced to ashes”. The headline on the right translates to “Mr. Khamenei – Why have you been silent?” and criticizes his handling of the Twelve-Day War.

Recycled or Intentionally Misleading Content

AI-generated videos were just one of the tactics employed by PRISONBREAK. We observed several instances of videos edited and shared to mislead viewers about protest activity occurring in Iran. In three of the videos shared, the accounts imply they filmed the videos in their own neighbourhood. We found that these videos were recycled content – and not authentic as the users claimed – and had been posted almost a week earlier by accounts that appear to be unrelated to PRISONBREAK. In addition, two of the videos were cropped and edited from the original, possibly to prevent discovery of their reuse. We additionally cannot verify the authenticity of the original videos.

Figure 18. Two accounts posting the same video of a neighbourhood chanting “Death to Khamenei.” The account on the left posted the video on June 15 and is not part of our observed network. In the screenshot on the right, PRISONBREAK account @amirhosstav posted the same video on June 21, claiming it was taken in its neighbourhood. Although the video has been cropped and colour enhanced, the roof, light source, foliage, and antenna are direct matches.

Figure 19. Two accounts posting the same video of a neighbourhood allegedly chanting “Death to Khamenei.” The account on the left posted the video on June 18 and is not part of PRISONBREAK. In the screenshot on the right, confirmed network account @Eldenminareza posted the same video on June 23, claiming it was taken in its neighbourhood.

Figure 20. Two accounts posting the same video of a neighbourhood chanting “Death to Khamenei.” VOA Farsi – a U.S.-affiliated media organization – shared the video on June 17. The account on the right, PRISONBREAK account @nnikafaz43, posted the same video on June 23 claiming it was taken in their neighbourhood. The VOA video has been cropped, but the audio, video length, and content are the same.

The operation not only recycled content, but possibly edited videos to fit their narrative. In the example below, the video loops several times, while the audio does not. The lack of continuity suggests that the audio has been added overtop of the video, pointing to its manipulation. The picture is also grainy, and appears to be filmed from another screen. Most notably, the audio appears to be a cut and processed version of the audio in both the VOA Farsi video and the video shared by @nnikafaz43 in the example above, suggesting that the PRISONBREAK operators have intentionally cut audio from different videos and placed it on new content. 

Figure 21. A post shared by the network on June 20th, showing a video of a neighbourhood where people are allegedly yelling “Death to Khamenei.” The audio present is a shortened version of the VOA Farsi video and appears to have been edited and placed over top of the recording.

Some edits were even less sophisticated. In the example below the “protest” audio pauses at 9 seconds, while the video continues on. At 10 seconds someone can be heard speaking in the background – presumably the creator of the video – followed by a few seconds of silence before the intended audio begins again at 12 seconds. The pause in audio, and the grainy video quality, signal that the video and audio were combined from two separate sources, and not recorded as the account claims.

Figure 22. A post shared by PRISONBREAK on June 20 showing a video of a neighbourhood where people are allegedly yelling “Death to Khamenei.” The audio pauses for about 3 seconds in the middle of the video suggesting the audio has been overlaid with a recording.

Artificial Amplification

Many of the recently discovered influence operations have relatively low rates of engagement. The PRISONBREAK operators employed several tactics to help increase the rate of engagement and viewership. We outline them below. 

Seeding of Content into X Communities

As described by X, Communities are “a dedicated place to connect, share, and get closer to the discussions they care about most.” They essentially consist of discussion groups that can be created and run independently by an X user.

In the context of this influence operation, Communities allowed the network to spread its message of discontent to people who are already interested in similar topics. We observed PRISONBREAK sharing posts into communities specifically targeted at anti-Iranian regime groups including:

The network also frequently shared posts into a Persian-language “Follow Back” community with 17,600 members. This type of Community typically offers a rapid (and artificial) way for an X user to achieve a follower base by promising mutual “follows” for all its members.

By using X Communities to spread their content, PRISONBREAK artificially inflated the viewership on several posts, increasing their chances of influencing their target audience through the community members’ resharing. 

Figure 23. Two posts shared by PRISONBREAK into X Communities. The left post, shared by @moharezjavan, is an Evin Prison video originally shared by @KarNiloufar. This post was shared with the Iranian Youth Union (اتحاد جوانان ایران) community, which has 6,700 members. The right post, shared by @persiancat4587, highlights the economic struggles facing Iranians during the Twelve-Day War. The post was shared with the “Follow Back” community (17,600 members).

Mutual Resharing

In addition to posting in X Communities, PRISONBREAK frequently reshared the network’s own posts – especially their likely AI-generated content. This appears to be an attempt at self-amplification by the network.

At least seven different PRISONBREAK accounts reposted this video – originally posted by @Sepideh7895 – which we assess above to have been edited with repurposed audio. At least nine PRISONBREAK accounts reposted, quoted, or replied to other posts with the AI-generated photos of Khamenei in an ambulance – originally posted by @azad_leylaas, another PRISONBREAK account. This technique can be observed on nearly all of the network’s accounts, in an attempt to spread their content to as many users as possible and increase the effectiveness of their covert influence campaign.  

Tagging Mainstream Media

While PRISONBREAK focused on amplifying their posts to audiences on X, they also tried to gain the attention of mainstream media. We observe several instances of PRISONBREAK accounts tagging popular news outlets like BBC Persian, VOA Farsi, and Iran International in videos shared by the network. Given the success of the Evin Prison deepfake in tricking mainstream media, tagging news accounts on other videos allegedly produced by the network demonstrates a persistent attempt to deceive the media with inauthentic Twelve-Day War content in line with the network’s narratives. We provide two examples of these efforts below.

Figure 24. Two posts shared by PRISONBREAK tagging mainstream media outlets. The post on the left, both originally shared and reposted by PRISONBREAK accounts, attempted to gain the attention of news accounts Iran International and Manoto News. The post on the right, shared by a confirmed PRISONBREAK account, tried to gain the attention of BBC Persian and VOA Farsi.

Inauthentic Accounts and Personas 

We assess with high confidence that the PRISONBREAK network is both coordinated and inauthentic. It does not represent existing individuals, and was almost certainly orchestrated by a professional team, following a specific playbook.

We reach this conclusion through the analysis of a series of strong indicators that we summarize below.

Registration Email Domains

Summary: The network’s frequent use of a possibly obscure and/or proprietary email domain for account registration points strongly towards the conclusion that the accounts are closely coordinated.

Using open-source intelligence (OSINT) methods, we observed that approximately half of the X accounts in the network registered using the email domain @b********.***. Among them was also @KarNiloufar, the account that posted the AI-generated video of the Evin Prison bombing.

We were not able to conclusively identify the email domain used for the accounts. We note that it does not appear to be one of the most commonly used webmail services – i.e. Gmail, Outlook, Hotmail, or Office – and the character count does not match other popular services starting with “b”, such as for example btinternet.com.

Lifespan vs. Period of Activity 

Summary: While the accounts were all created in 2023, 99.5% of their posting happened after January 2025. This strongly signals both their coordination and inauthenticity.

All confirmed accounts in this network were created between February and December 2023. However, only a handful of posts were made before the network ramped up its activity in January 2025 and in the following months.

Specifically:

  • The network published only approximately 0.5% of the estimated total number of posts before 2025.
  • Such posts exclusively consisted of reposts. There was no originally created content being posted.

The network came to life – in terms of its posting activity – beginning in January 2025, possibly responding to a specific directive, and coinciding with the escalation of geopolitical tensions that eventually led to the Twelve-Day War in June 2025.

Figure 25. Posting timeline for the network. We can observe the activity picking up in January 2025 with some notable peaks (e.g., March 2025). Note: to aid visualization, we omitted dates on which the accounts did not post.

Posting Time Patterns

Summary: Posting time patterns are consistent with those of a professional, dedicated team of operators producing posts as part of a regular work day.

A review of the posting time patterns for the network – i.e. the number of posts published in total by the accounts in each hour of the day – shows that the network:

  • Typically begins ramping up activity at 6 a.m. UTC (9:30 a.m. Tehran time) each day.
  • Significantly escalates the volume of posts starting at 7 a.m. UTC (10:30 a.m. Tehran time).
  • Begins winding down posting activity after 3 p.m. UTC (6:30 p.m. Tehran time).
  • Has minimal average posting activity between 9 p.m. UTC (12:30 a.m. Tehran time) and 6 a.m. UTC (9:30 a.m. Tehran time).

Figure 26. Chart showing the number of posts posted by the network, per hour of the day (0-23 UTC).

This behaviour approximately coincides with a regular work day in the Iranian timezone (Iranian Standard Time or IRST, equivalent to UTC+3:30), and even more so in UTC+3, the time zone applying to most of the Middle East (as well as Eastern Europe and parts of Eastern Africa), including Israel.

It is, however, inconsistent with an organic community of users spontaneously posting at random times of the day.

Application Version

Summary: The network’s consistent and prevalent use of X’s desktop application to post its content is more consistent with the work of a professional team than with the activity of an organic community.

We estimate that at least 75% of the posts produced by the network were posted through X’s desktop interface (formerly known as Twitter Web App). This information is visible in the network response returned when loading a given post in a web browser, which can be inspected with the browser’s Developer Tools (or the equivalently named feature in other browsers).

Figure 27. Screenshot from Chrome’s Inspect module for the post by @KarNiloufar including the AI-generated video of the Evin Prison bombing. The highlighted string shows the application used to publish the post (Twitter Web App).

Like the posting timing patterns, the almost exclusive use of the web version of X – a mobile-first platform like other social media – is consistent with a professionally run network of digital assets, where a team is assigned to operating one or more of the accounts through dedicated workstations. Similar behaviour has been previously used as a signal to identify IOs.
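To make the three metadata checks above concrete (the lifespan-versus-activity ratio, the per-hour posting profile in UTC and Tehran time, and the share of posts sent through the desktop client), here is an added Python example; it is not part of the Citizen Lab report or its tooling. It assumes post records shaped like X’s public tweet object, with `created_at` in the classic timestamp format and `source` holding the HTML anchor that names the publishing client; the sample records are constructed, not real network data.

```python
"""Coordination signals over post metadata (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

TEHRAN = timezone(timedelta(hours=3, minutes=30))   # IRST, UTC+3:30
CLASSIC_FMT = "%a %b %d %H:%M:%S %z %Y"            # e.g. "Mon Jun 23 08:35:00 +0000 2025"
DESKTOP_CLIENT = "Twitter Web App"                  # label X shows for the web client
ANCHOR_TEXT = re.compile(r">([^<]+)</a>")           # text between the anchor tags


def client_name(source_html: str) -> str:
    """Return the client name from a `source` value such as
    '<a href="https://mobile.twitter.com" rel="nofollow">Twitter Web App</a>'."""
    m = ANCHOR_TEXT.search(source_html)
    return (m.group(1) if m else source_html).strip()


def parse_post(rec: dict) -> tuple:
    """Return (aware UTC datetime, client name) for one post record."""
    ts = datetime.strptime(rec["created_at"], CLASSIC_FMT).astimezone(timezone.utc)
    return ts, client_name(rec["source"])


def share_before(posts, year=2025) -> float:
    """Fraction of posts created before 1 January of `year` (lifespan vs. activity)."""
    parsed = [parse_post(p) for p in posts]
    return sum(ts.year < year for ts, _ in parsed) / len(parsed)


def hourly_profile(posts, tz=timezone.utc) -> Counter:
    """Posts per hour of day (0-23) after converting each timestamp to `tz`."""
    return Counter(parse_post(p)[0].astimezone(tz).hour for p in posts)


def workday_share(posts, start=6, end=16) -> float:
    """Fraction of posts in the [start, end) UTC hour window (6 a.m. to 3 p.m. UTC here)."""
    prof = hourly_profile(posts)
    return sum(c for h, c in prof.items() if start <= h < end) / sum(prof.values())


def desktop_share(posts) -> float:
    """Fraction of posts whose `source` names the desktop client."""
    clients = [parse_post(p)[1] for p in posts]
    return clients.count(DESKTOP_CLIENT) / len(clients)


def peak_hour(posts, tz=timezone.utc) -> int:
    """Hour of day with the most posts in `tz`; ties resolve to the earliest hour."""
    prof = hourly_profile(posts, tz)
    best = max(prof.values())
    return min(h for h, c in prof.items() if c == best)


def _rec(created_at: str, app: str) -> dict:
    """Build a minimal post record with the anchor markup X uses for `source`."""
    return {"created_at": created_at,
            "source": f'<a href="https://mobile.twitter.com" rel="nofollow">{app}</a>'}


# Constructed sample: two 2023 posts, then an 18-post burst on 23 June 2025 (UTC).
SAMPLE_POSTS = [
    _rec("Tue Mar 14 09:12:00 +0000 2023", DESKTOP_CLIENT),
    _rec("Fri Aug 18 13:40:00 +0000 2023", "Twitter for Android"),
] + [
    _rec(f"Mon Jun 23 {h:02d}:{m:02d}:00 +0000 2025", app)
    for h, m, app in [
        (6, 5, DESKTOP_CLIENT), (7, 10, DESKTOP_CLIENT), (7, 45, DESKTOP_CLIENT),
        (8, 0, DESKTOP_CLIENT), (8, 30, DESKTOP_CLIENT), (9, 15, DESKTOP_CLIENT),
        (10, 20, DESKTOP_CLIENT), (11, 0, DESKTOP_CLIENT), (12, 35, DESKTOP_CLIENT),
        (13, 5, DESKTOP_CLIENT), (14, 10, DESKTOP_CLIENT), (14, 50, DESKTOP_CLIENT),
        (15, 5, DESKTOP_CLIENT), (15, 40, DESKTOP_CLIENT), (15, 55, DESKTOP_CLIENT),
        (19, 0, "Twitter for iPhone"), (22, 15, "Twitter for Android"),
        (23, 40, "Twitter for iPhone"),
    ]
]


def signals(posts) -> dict:
    """Bundle the coordination signals for one set of posts."""
    return {
        "share_before_2025": share_before(posts),
        "workday_share_utc": workday_share(posts),
        "desktop_share": desktop_share(posts),
        "peak_hour_utc": peak_hour(posts),
        "peak_hour_tehran": peak_hour(posts, TEHRAN),
    }


if __name__ == "__main__":
    for k, v in signals(SAMPLE_POSTS).items():
        print(f"{k:20s} {v}")
    # Text histogram in Tehran time, the view the report's Figure 26 gives in UTC.
    for h, n in sorted(hourly_profile(SAMPLE_POSTS, TEHRAN).items()):
        print(f"{h:02d}:00 IRST {'#' * n}")
```

On the constructed sample the burst concentrates in the 6 a.m. to 3 p.m. UTC window and 80% of posts carry the desktop client label; on real data the same functions run unchanged over whatever records were collected.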

Profile Photos

Summary: The network’s profile pictures are often faceless, sourced from stock images, or appear to be lifted from popular blog sites like Pinterest, a strong signal of inauthentic persona development.

We reviewed the profile photos of all accounts associated with the network and found that 30 out of 53 have profile photos where their face is partially or completely obscured. Two of the profile photos were found on various stock photo websites. A reverse image search also showed that a large majority can be found on Pinterest, a popular photo sharing site. The use of stolen or anonymous photos is a common tactic used by IOs to protect the anonymity of the actors behind the operation, and in combination with other elements that we outline here, is a strong signal of inauthenticity.

Figure 28. The screenshot on the left shows the profile photo of confirmed network account @jamsheidrezvani. On the right we share the original stock photo found via reverse image search.


Figure 29. One example of a profile photo of confirmed network account @Nedakkkhal that can be found shared multiple times on Pinterest. The photo is also an example of the anonymous profile pictures employed by the network.

The Deepfake Account: @TelAviv_Tehran

We identified one X profile that appears to be external to PRISONBREAK, but displays several signals of likely coordination with it. It is an account promoting closeness between the Israeli and Iranian populations, and explicitly using AI to manufacture and disseminate calls to revolt against the Iranian regime and its leaders. This tactic aligns it with PRISONBREAK’s modus operandi and objectives.

@TelAviv_Tehran is an X account (also active on Instagram [6] with the same username) explicitly [7] using a deepfake persona – a purported female reporter from Iran, whose appearance and speeches are fully AI generated – to post videos deriding the Islamic Republic’s leadership.

As hinted in the username, @TelAviv_Tehran promotes closeness between the Israeli and Iranian populations, where the latter is depicted purely as an oppressed victim of the Islamic regime. Like PRISONBREAK, @TelAviv_Tehran openly appeals for the Iranian people to rise against the Islamic regime. 

Figure 30. Two stills from separate videos posted by @TelAviv_Tehran and showing an AI-generated animation of Ali Khamenei, supreme leader of Iran, either in hiding (first example) or as a prisoner (second example). In the second example, the main message is for the Iranian people to rise against the Islamic regime.

@TelAviv_Tehran appears to connect with PRISONBREAK in a few different ways:

  • It is amplified by suspected purchased engagement [8] accounts that also amplify PRISONBREAK. For example, one post shared by @TelAviv_Tehran had 163 reposts at the time of writing this report. Due to limitations on viewing engagements, we were able to analyze 83 of the accounts that reshared the post. 70 of those accounts fit the criteria of purchased engagement accounts, and all 70 of them shared at least one PRISONBREAK post, showing 100% overlap between the engagement accounts’ promotion of @TelAviv_Tehran and of PRISONBREAK.

    Figure 31. Screenshots from @Cryptogran51861, one of the purchased engagement accounts, amplifying both PRISONBREAK and @TelAviv_Tehran posts.

  • It posted an original AI-generated video purportedly representing the burning of the Evin Prison following the IDF strikes. The post was made only four minutes after @KarNiloufar’s publication of the AI video purported to show the actual bombing, and while the strikes – according to the publicly available calculations discussed earlier in this report – were still happening.

    Figure 32. Screenshot from @TelAviv_Tehran’s post including an AI-generated video of the Evin Prison burning after the IDF airstrikes, and of the post’s metadata showing that it was posted at 8:39 a.m. UTC on June 23, 2025 – only four minutes after the original AI video of the bombing posted by @KarNiloufar and illustrated earlier in this report.

  • It posted several of the videos posted by PRISONBREAK, and also multiple ones that closely match the network’s modus operandi (i.e. likely AI-generated videos of military attacks on Iran, or of unrest in the country). We provide a list of examples in the Appendix.
  • It also posted media that are less overtly AI-generated but seem to follow the modus operandi seen with PRISONBREAK: for example, a video of a supposed aerial attack on Tehran by unidentified military forces on June 13, 2025 – the day the IDF struck Iranian locations for the first time, starting the “Twelve-Day War.”

    Figure 33. Still from a video posted by @TelAviv_Tehran on June 13, 2025. That same day, the IDF began their airstrikes on Iran, and PRISONBREAK posted at least nine videos, likely AI-generated, designed to show Iran in the midst of military attacks and social unrest. See section A Broader Narrative: Overthrowing the Iranian Regime earlier in this report.

  • While some of the registration metadata (for example, the email domain, which seems to be Gmail here) as well as some of the behavioural signatures of @TelAviv_Tehran differ from those of PRISONBREAK, the overlaps described above lead us to conclude with medium confidence that the network and this X account operate in at least partial coordination with each other.

Attribution

At present, we cannot conclusively attribute PRISONBREAK. The unavailability of critical identifiers – such as profiles’ metadata – to the research community impedes us from confirming the identity of the network’s operators.

However, the evidence we collected during the course of our research allows us to conclude that the most likely scenario is that of an involvement by the Israeli government, either an agency working alone or with the participation of an outside contractor. 

We also considered two other scenarios: that of U.S. government involvement, and that of a third-party government’s responsibility. We judge these two hypotheses as having medium-high and low likelihood, respectively.

The table below illustrates our analytical conclusions:

High-Likelihood Scenario (H1):

The hypothesis most consistent with the available evidence is that the Israeli government – directly or through a contracting firm – conducted the operation. Each piece of evidence is compatible with and/or supportive of this conclusion.

Medium-High-Likelihood Scenario (H2):

An unidentified agency of the U.S. government could theoretically also be behind the activity. Prior knowledge of and coordination with upcoming IDF operations would not have been impossible [9], technical capabilities would have been on par with those required by the IO, and the apparent goal of regime change could possibly – although according to public statements, only immediately before the bombing of the Evin Prison – have been in line with the U.S. objectives for Iran.

However, we note that foreknowledge of more recent and highly sensitive IDF operations – like the attack on Hamas officials in Doha, Qatar, on September 9, 2025 – appears to have eluded US government officials. Additionally, evidence such as the Israeli Minister of Foreign Affairs, Gideon Sa’ar, reposting on X the manipulated Evin Prison bombing video, the explicit promotion of a pro-Israeli X account by PRISONBREAK, and the network’s posting timing patterns aligned with a Middle Eastern time zone are inconsistent with the hypothesis of a US government responsibility.

Low-Likelihood Scenario (H3): 

We consider it unlikely that a third-party government (other than the U.S.) is responsible for operating PRISONBREAK. This assessment is informed by several pieces of evidence inconsistent with this hypothesis – notably, the low likelihood that a foreign government would have had prior knowledge of the Evin Prison bombing; the coordination with an AI-driven X profile openly promoting a partnership with Israel in a future Iran freed of the Islamic regime; and crucially, the messaging precisely synchronized with the IDF’s escalation of operations over Iran. While it is conceivable that a professional group could have created the content in an accelerated time frame and with no advance notice, the alternative explanation is more likely.

We outline our analytical process through an established analytical technique – Analysis of Competing Hypotheses (ACH) – in the table below.

Analysis of Competing Hypotheses (ACH)

Legend
✅ consistent with [hypothesis]
❌ inconsistent with [hypothesis]
= could be consistent or inconsistent with [hypothesis]

10. On June 22, 2025, the day before the strike on the Evin Prison, U.S. President Donald Trump used his Truth Social account to post in support of regime change in Iran: https://www.axios.com/2025/06/22/trump-iran-regime-change
11. This is to be considered as consistent for certain governments (in the Middle East), not for others. Iran is to be excluded as the clear target of the PRISONBREAK network.
12. https://x.com/gidonsaar/status/1937083300373541216

Conclusions

Covert influence operations have been a feature of armed conflict dating back centuries, their characteristics evolving as new technologies open up opportunities for experimentation. Today, we are witnessing a new generation of covert influence operations mounted principally on and through social media and featuring the use of artificial intelligence and related digital tools and techniques. These operations benefit from the distributed nature of social media, their built-in algorithmic engagement properties (which help propel sensational content by design), as well as recent measures taken by many tech platforms to reduce the capacity of, or eliminate altogether, internal teams responsible for removing coordinated, inauthentic content. The growing sophistication and ease-of-use of AI tools has also helped power these campaigns, providing actors with an unprecedented ability to produce increasingly realistic-looking videos and images with far fewer resources than what would have been required in previous eras.

In this investigation, we have identified a coordinated network of inauthentic X profiles that, since 2023, has conducted an influence operation targeting Iranian audiences. The objective of PRISONBREAK appears to be to foster a revolt against the Iranian regime among the Iranian population. One striking feature of this campaign is its synchronization with events on the ground: the content generated by PRISONBREAK appears to have been prepared in advance of and co-timed with military strikes undertaken by the IDF in June 2025. 

Although we cannot attribute this to a particular entity, the advance preparation required and the timing of the coordinated, inauthentic posts suggest some kind of connection to the Israeli state. We believe that while it is technically possible, it is highly unlikely that any third party without advance knowledge of the IDF’s plans would have been able to prepare this content and post it in such a short window of time. Based on the data reviewed in preparing this report, the campaign we have documented was most likely undertaken either by an Israeli agency in-house or by a private entity contracted by the Israeli government. However, without additional information we are unable to conclusively attribute the responsible parties.

While attribution around any covert operation is inherently challenging because of the steps taken by perpetrators to conceal their tracks, attribution is also made especially difficult today because social media platforms restrict access to their platforms to outside researchers, and thus to the artifacts and other details that are critical to make conclusive attribution possible. In spite of these restrictions, we were able to use a combination of qualitative and quantitative methods to conclusively determine what we were observing was not spontaneous and organic, as the perpetrators were hoping to be perceived, but rather highly coordinated and inauthentic. 

However, these methods are not readily available to the general public and/or to specific target populations and typically require considerable analytical effort, time and access to special resources and data sources. Additionally, it is now generally accepted that in today’s social media environment, sensational falsehoods spread quickly and are shared widely because they feed off of human emotions and are amplified by the engagement-driven algorithms of the platforms, all of which works to the advantage of those mounting covert influence operation campaigns. These dynamics and their potentially harmful effects are exacerbated in times of political crisis and conflict, such as the military confrontation between Israel and Iran. 

Notification to X

On September 30, 2025, we contacted X and provided them with the list of confirmed PRISONBREAK user accounts. At the time of publication, we had not yet received a response.

Acknowledgements

Special thanks to Alyson Bruce for editorial and graphics support, and to Siena Anstis, Rebekah Brown, and Adam Senft for review. We thank our anonymous reviewers, illustrator, and translators for their contributions.

Appendix

X Accounts

PRISONBREAK

USERNAME JOINED
ahmadsafaei789 March 2023
aliasia45 September 2023
amirhosstav August 2023
Amirifer August 2023
armantharman September 2023
Arshfrahn August 2023
azad_leylaas September 2023
DoustMehmans August 2023
Eldenminareza April 2023
Fatemehaazar September 2023
Fatemehmavi6 March 2023
fereshteh5588 March 2023
feridounazari August 2023
firoz_soltani April 2023
hadirrezvani7 April 2023
hamidshahr6 August 2023
hokaseri April 2023
iamramhei April 2023
jamsheidrezvani April 2023
kamrezi June 2023
KarNiloufar February 2023
kavehhhame August 2023
lalehfarah March 2023
leila_farhadi December 2023
leyla_zare August 2023
LeylaLeylaebra August 2023
mahjabbari August 2023
masoudffarhadi August 2023
mehdim156 February 2023
mirhoss6 April 2023
moharezjavan September 2023
nadiazazzz September 2023
Nedakkkhal August 2023
Nimassshahbaz August 2023
NPiruzi February 2025
odelia69986 August 2023
omid_hosseini2 August 2023
Parvaneh81179 August 2023
persiancat4587 May 2023
ranataabrizi August 2023
Re8Ali August 2023
royareads April 2023
sarafefee May 2023
Sepideh7895 May 2023
ShahinRmez August 2023
ShandiKeik2394 August 2023
shayanpoahm September 2023
sshahriyaresfah August 2023
vafa4587 April 2023
YasamanZamni August 2023
zahara_aminpour September 2023
Zahrashahb55 August 2023
zarabithegr8 September 2023

Other Suspected Accounts

TelAviv_Tehran May 2025

Other Social Media

URL | PLATFORM | NOTES
https://www.youtube.com/@%D8%AC%D9%86%DA%AF%D8%B2%D9%86%D8%AF%DA%AF%DB%8C | YouTube | YouTube channel used to post the AI-generated video of the PRISONBREAK version of the song “Baraye”.
https://t.me/Womens1404 | Telegram | Linked in the bio of PRISONBREAK account @KarNiloufar.
https://www.instagram.com/telaviv_tehran | Instagram | Instagram account for the suspected X profile @TelAviv_Tehran.

Shared X Posts Between @TelAviv_Tehran and PRISONBREAK

@TelAviv_Tehran’s post | PRISONBREAK’s post | Comment
https://x[.]com/TelAviv_Tehran/status/1937542242341671126 | https://x[.]com/NPiruzi/status/1937538928329801898 | AI-generated re-enactment of a famous – and often turned into a meme – scene from the movie “Der Untergang” (“Downfall”, 2004), with Ali Khamenei and apparent IRGC members replacing the characters of Adolf Hitler and Nazi top officials.
https://x[.]com/TelAviv_Tehran/status/1937802054040166908 | https://x[.]com/Nedakkkhal/status/1937803510533464177 | Composite of photos and videos of protests and executions of civilians in Iran, with an ending claiming that “Iran is looking forward to a brave, new leader”.
https://x[.]com/TelAviv_Tehran/status/1955637632215441818 | https://x[.]com/KarNiloufar/status/1955917591274229772 | AI-generated video of an alleged digital billboard “from the streets of Spain” denouncing the Iranian water crisis. The captions in the two posts are worded similarly. The AI-generated frames are superimposed on the exterior of Cine Callao, a landmark movie theater in central Madrid.
https://x[.]com/TelAviv_Tehran/status/1957000656906055790 | https://x[.]com/hamidshahr6/status/1958160382587261123 | AI-generated video clip using the likeness of three existing Iranian singers for a song inciting the Iranian population to an uprising. Also hosted on YouTube.
https://x[.]com/TelAviv_Tehran/status/1937103753871598035 | https://x[.]com/KarNiloufar/status/1937067028885770497 | AI-generated video of the Evin Prison bombing.


    1. See, e.g., Jack Poulson and Lee Fang’s investigation of an international Persian-language advertising campaign directed at members of Iran’s security and intelligence agencies, nuclear scientists and their family members abroad, in the apparent attempt to recruit them for Israel’s foreign intelligence service, the Mossad. In particular: “Another of the international recruitment campaigns used an image of an infant to lure viewers into a Google recruitment form which encourages Iranians to help overthrow their current government. According to Google’s ad transparency portal, the ad was last served on June 7, a week prior to the onset of the Twelve-Day War.”
    2.  According to this New York Times report, in the afternoon of June 23, Iranian security forces swarmed Evin Prison, took control of the area, and transferred prisoners to different detention facilities. Prisoners were then returned to the Evin Prison in August.
    3. https://www.youtube[.]com/watch?v=FNCXszeRQYE 
    4. https://www.youtube[.]com/@%D8%AC%D9%86%DA%AF%D8%B2%D9%86%D8%AF%DA%AF%DB%8C/videos 
    5. A BBC spokesperson stated: “We urge everyone to check links and URLs to ensure they are getting news from a trusted source.”
    6. https://www.instagram[.]com/telaviv_tehran
    7. @TelAviv_Tehran states in this post that their reporter “Sarina” is AI-generated.
    8. This is a type of inauthentic behaviour – usually sold as a service by dedicated private firms – deployed to artificially inflate the engagement that accounts, or specific pieces of posted content, receive on a given social media platform. Each platform uses its own name for it. In its Authenticity policies, X defines it as the “inauthentic use of X engagement features to artificially impact traffic or disrupt people’s experience”.
    9. Despite President Donald Trump publicly supporting Israel’s military objectives, the U.S. government claimed not to be involved in the attacks on Iran. However, on June 21, 2025, the U.S. directly attacked military targets in the country. See: “Iran’s Conflict With Israel and the United States”, Center for Preventive Action.
Prison Break – An Operation Using an Artificial Intelligence System Aimed at Toppling the Regime in Iran https://citizenlab.ca/2025/10/prisonbreak-hebrew/ Fri, 03 Oct 2025 03:00:42 +0000 https://citizenlab.ca/?p=82795 The following is the Hebrew translation of the key findings from the Citizen Lab report titled We Think You Want a Revolution: PRISONBREAK – An AI-enabled Influence Operation Aimed at Overthrowing the Iranian Regime

Report Findings

  • A coordinated network of more than 50 fake user profiles on X is running an AI-enabled influence campaign. The campaign, which uses a network we call “PRISONBREAK”, incites the Iranian public to rise up against the rule of the Islamic Republic of Iran.
  • The network was built in 2023, but almost all of its activity began in 2025 and continues to this day.
  • The profiles’ activity appears to have been coordinated, at least in part, with the military operation the IDF carried out against Iranian targets in June 2025.
  • Although genuine user engagement with PRISONBREAK appears limited, some posts reached thousands of views. The operation seeded posts with messages in this style in many communities on X, and may also have paid for their distribution.
  • After attempting to find other explanations, we assess that the most plausible hypothesis, given the available facts, is that an unidentified unit within the Israeli government, or a subcontractor hired to work for it, carried out the operation.

Note on the translation:

This is an unofficial Hebrew translation of the report’s findings. This unofficial translation may be inaccurate. It is intended only to give a basic understanding of our research. In case of inaccuracies or ambiguities, rely on the English report.

We Say You Want a Revolution: PRISONBREAK, an Operation to Influence Public Opinion Using Artificial Intelligence to Overthrow the Iranian Regime https://citizenlab.ca/2025/10/prisonbreak-persian/ Fri, 03 Oct 2025 03:00:01 +0000 https://citizenlab.ca/?p=82802 The following is the Persian translation of the key findings from the Citizen Lab report titled We Think You Want a Revolution: PRISONBREAK – An AI-enabled Influence Operation Aimed at Overthrowing the Iranian Regime

Key Findings

  • A coordinated network of more than 50 inauthentic profiles on X, which we refer to as “PRISONBREAK”, is conducting an AI-enabled operation to incite the Iranian audience to revolution against the Islamic Republic.
  • While the network was created in 2023, almost all of its activity began in January 2025 and continues to this day.
  • The network’s activities, or at least part of them, appear to have been coordinated with the Israel Defense Forces’ campaign against Iranian positions in June 2025.
  • While genuine engagement with content produced by the PRISONBREAK network appears limited, some of the network’s posts have been viewed tens of thousands of times. Such posts were published in large public X Communities, and their promotion was probably paid for as well.
  • After a systematic review of alternative explanations, we assess that the hypothesis most consistent with the available evidence is that an unspecified entity within the Israeli government, or a subcontractor operating under its direct supervision, is directly responsible for carrying out the operation.
  • In the geopolitical rivalry between the Islamic Republic of Iran and its international adversaries, strategic control and manipulation of the information environment plays a key role. The Iranian regime has built a comprehensive system of internet censorship while simultaneously conducting influence operations targeting audiences abroad. In this research, our focus is on the PRISONBREAK campaign, which is directed against the Islamic Republic.

Note on the translation: This text is an unofficial translation of the original English version of the report and may not be fully accurate. The purpose of this translation is solely to help provide a general understanding of our research. In case of any discrepancy or ambiguity, the English version is authoritative.

The Citizen Lab’s Submission on Transnational Repression in the UK https://citizenlab.ca/2025/08/the-citizen-labs-submission-on-transnational-repression-in-the-uk/ Mon, 25 Aug 2025 16:17:16 +0000 https://citizenlab.ca/?p=82612 Transnational repression is a serious threat to human rights.

Over the past decade, the Citizen Lab has published numerous reports examining transnational repression (TNR) across the globe, focusing specifically on its digital forms. 

In response to increasing accounts of foreign governments reaching across borders to harass and silence people in the United Kingdom, the UK’s Joint Committee on Human Rights launched an inquiry into transnational repression.

The Citizen Lab submitted written evidence to the inquiry that draws on over ten years of research documenting and examining the methods, impacts, and geo-political landscape of TNR.

Our submission describes TNR’s impact on victims, identifies the biggest perpetrators of TNR in the UK, urges the British government to adopt a legal definition of TNR, and provides policy suggestions to better protect overseas dissidents from TNR.

Read the report from the UK Joint Committee on Human Rights.

Targeted Across Borders: Digital Transnational Repression, Gender Dimensions, and the Role of Host States https://citizenlab.ca/2025/07/targeted-across-borders-digital-transnational-repression-gender-dimensions-and-the-role-of-host-states/ Tue, 29 Jul 2025 19:23:46 +0000 https://citizenlab.ca/?p=82559 In a new article published in the Georgetown Journal of International Affairs, the Citizen Lab’s Noura Aljizawi, Siena Anstis, and Gözde Böcü investigate the practice of transnational repression in its physical and digital forms. They examine its impacts on dissidents abroad, focusing especially on women and queer individuals, and argue that host states bear the responsibility to protect individuals against transnational repression.

Read more in the Georgetown Journal of International Affairs.

Marcus Michaelsen on the Impacts of Transnational Repression: Interview by Stockholm Center for Freedom https://citizenlab.ca/2025/07/marcus-michaelsen-on-the-impacts-of-transnational-repression-interview-by-stockholm-center-for-freedom/ Fri, 25 Jul 2025 19:48:35 +0000 https://citizenlab.ca/?p=82552 What’s stopping diaspora members from speaking up against the government in their home country? In an interview with the Stockholm Center for Freedom (SCF), Citizen Lab senior researcher Marcus Michaelsen discusses digital transnational repression (DTR) and its impacts on diasporas worldwide. 

Read the interview.

The G7 Condemned Transnational Repression, But Will Canada Meet Its Own Commitments? https://citizenlab.ca/2025/07/the-g7-condemned-transnational-repression-but-will-canada-meet-its-own-commitments/ Fri, 04 Jul 2025 17:42:52 +0000 https://citizenlab.ca/?p=82518 “Transnational repression is a phenomenon that is only growing in scope, scale and sophistication worldwide,” writes Ron Deibert in his new op-ed for the Globe and Mail.

In the piece, Deibert focuses on the Leaders’ Statement on countering transnational repression that was put forward after the G7 summit last month in Alberta. 

Transnational repression occurs when authoritarian governments reach across borders to silence and harass political dissidents. Citizen Lab researchers have been investigating and writing about transnational repression and the abuse of spyware for more than a decade.

“As the host of the G7, Canada should be applauded for helping organize this joint statement. But it’s also important to be frank in acknowledging just how far Canada has to go to meet its own commitments – or, to put it less mildly, how much its own practices are currently at odds with those commitments,” says Deibert.

Read the op-ed here.

Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/ Wed, 18 Jun 2025 17:00:15 +0000 https://citizenlab.ca/?p=82466 Summary
  • Keir Giles, a prominent expert on Russian information operations, was targeted with a sophisticated and personalized novel social engineering attack.
  • The attacker took extensive measures to avoid raising Mr. Giles’ suspicions, and deceived him into creating and sending them App-Specific Passwords for his accounts, bypassing Multi-Factor Authentication (MFA).
  • Google later spotted and blocked the attacker. Google’s Threat Intelligence Group (GTIG) labels the operator Russian state-backed UNC6293, which it links with low confidence to APT29, a group attributed to Russia’s Foreign Intelligence Service (SVR).
  • We expect more social engineering attacks leveraging App-Specific Passwords in the future.

Click here to read Google’s blog post on this campaign.

Introduction: New Pressures on Attackers

In recent years, users’ familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA) have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering.

These pressures, among others, are driving attackers towards more complex social-engineering tactics, and more technically sophisticated attack frameworks, including targeting MFA. For example, a recent analysis by Cisco’s Talos reported that nearly half of all recent incidents that their team responded to involved attackers trying to bypass MFA. 

As past reporting highlights, attackers need to improve their technical methods and adapt their social engineering approaches both to bypass platform detections and to avoid the subtle cues associated with phishing attempts that many users have now been trained to spot.

Looking for a Side Door

While many state-backed attackers still focus on phishing a target’s passwords and MFA codes, others are constantly experimenting with novel ways to access accounts. Often, these efforts involve blending social engineering and targeting alternate account access flows, such as access tokens. Attackers have also gravitated towards cross-platform attacks, where initial outreach may happen on one messaging platform (e.g. Signal or WhatsApp), and later move to another channel, such as email. These attacks split attack elements between different ecosystems, making it more challenging for platforms and defenders to put the pieces together.

Volexity recently reported on several such efforts, and the Citizen Lab has also tracked similar attacks against civil society groups in the course of our investigations of Russian state-sponsored groups. 

The attack described in this research note is yet another effort to gain account access through a novel method: convincing the target user to create and share a screenshot of an App-Specific Password (ASP).

What are App-Specific Passwords?

Certain applications do not support Multi-Factor Authentication, or are otherwise incompatible with platforms’ standard login workflows. In order to allow these apps to access online accounts with MFA enabled, a user can create an App-Specific Password (ASP). For example, a user might add an ASP to allow a legacy third-party mail client access to their email account. Google refers to these apps as Less Secure Apps (LSAs) and has been phasing out support in Google Workspaces; however, Google still allows users to create and remove these passwords on their personal Gmail accounts.

Enter the App-Specific Password Attack

Keir Giles is a well-known and outspoken academic expert on countering Russian information and influence operations and the Russian military. He is a senior associate of the Russia programme at Chatham House, a UK-based policy institute, and his work has uncovered covert Russian campaigns. He has also written extensively on Russia’s actions following their invasion of Ukraine. Mr. Giles contacted the Citizen Lab for assistance with the attack, and we are publishing this note with his consent.

The Attack Begins

On May 22, 2025, a sender purporting to be U.S. State Department official “Claudie S. Weber” sent an email to Mr. Giles. The message purports to be an invitation for a consultation, something that would be common for him to receive.

Figure 1. May 22, 2025, the first outreach offering a highly plausible scenario of a consultation.

We could find no evidence that “Claudie S. Weber” exists or is a U.S. State Department employee. The attacker used a Gmail account for the entire interaction:

claudie.s.weber@gmail.com 

However, four @state.gov email addresses are also included on the CC line, including a “Claudie S. Weber” @state.gov address. This adds to the perceived credibility and safety of the email exchange.

A target might reason “if this isn’t legitimate, surely one of these State Department employees would say something, especially if I reply and keep them on the CC line.”

In fact, the attacker has likely created fictitious personas and @state.gov email addresses purely as a credibility signal. We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist. 
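One way a mail gateway or triage script can surface the “borrowed credibility” pattern described above (a consumer-webmail sender whose display name also appears on the CC line under an official domain). This is an added example, not code from the Citizen Lab or from the attacker’s toolkit; the sample message, the @state.gov addresses other than the attacker’s Gmail sender, and the webmail domain list are constructed assumptions.

```python
"""Flag messages where a webmail sender's display name also appears in CC
under a different (official-looking) domain, or where a webmail sender has
.gov addresses on the CC line. Added example; sample data is constructed."""
from email import message_from_string
from email.utils import getaddresses

# Assumption: consumer webmail domains worth treating as "unofficial".
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Constructed sample mirroring the shape of the exchange in the text. The
# Gmail sender is the one quoted on the page; the CC addresses are placeholders.
SAMPLE_EML = """\
From: "Claudie S. Weber" <claudie.s.weber@gmail.com>
To: target@example.org
Cc: "Claudie S. Weber" <claudie.s.weber@state.gov>, "J. Doe" <j.doe@state.gov>
Subject: Consultation request
Date: Thu, 22 May 2025 14:05:00 -0400

Invitation text here.
"""

# Constructed benign message: official sender, colleagues on CC.
BENIGN_EML = """\
From: "Dana Smith" <dana.smith@state.gov>
To: target@example.org
Cc: "J. Doe" <j.doe@state.gov>
Subject: Consultation request

Invitation text here.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm_name(name: str) -> str:
    """Normalise a display name so 'Claudie S. Weber' == 'claudie s weber'."""
    return " ".join(name.replace(".", " ").split()).lower()


def find_persona_mismatch(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    cc = getaddresses(msg.get_all("Cc", []))
    findings: list[str] = []
    for s_name, s_addr in senders:
        s_dom = _domain(s_addr)
        if s_dom not in WEBMAIL_DOMAINS:
            continue  # official sender domains are out of scope for this heuristic
        cc_official = [a for _, a in cc if _domain(a).endswith(".gov")]
        if cc_official:
            findings.append(
                f"webmail sender {s_addr} with .gov addresses on CC: {cc_official}"
            )
        for c_name, c_addr in cc:
            # Same persona name, different domain: the CC copy lends credibility
            # to the webmail sender without the recipient noticing the mismatch.
            if _norm_name(c_name) and _norm_name(c_name) == _norm_name(s_name) \
                    and _domain(c_addr) != s_dom:
                findings.append(
                    f"display name '{s_name}' used at both {s_dom} and {_domain(c_addr)}"
                )
    return findings


if __name__ == "__main__":
    for line in find_persona_mismatch(SAMPLE_EML):
        print("FINDING:", line)
```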

The message’s English is grammatical and fluent, but somewhat generic in tone, raising the possibility that the attacker used a large language model (LLM) or similar tools to help craft the outreach. The message was also received within Washington D.C. working hours, adding an additional element of credibility.

Setting the Stage

The message content, timing, and inclusion of official .gov email addresses in the CC field combined to create the appearance of a safe and credible approach. Mr. Giles described these techniques to us as establishing “pillars of plausibility.”

Mr. Giles responded to the message indicating interest, but noted that the date might not work for him. The attacker responded, introducing the core deception: inviting him to join the State Department’s “MS DoS Guest Tenant” platform. 

Figure 2. May 23, 2025, the attacker introduces the concept of an “MS DoS Guest Tenant” registration.

As the conversation unfolded (ultimately involving at least 10 exchanges), the attacker sent a PDF file with instructions to register for an “MS DoS Guest Tenant” account. 

The PDF appears to be an official document with markings and revision history. It walks the target through the creation of an App-Specific Password on a Google email account. 

Figure 3. The fake “MS DoS” State Department PDF was crafted to feature numerous visual elements reminiscent of a legitimate State Department document.

The document does not appear to have any of the telltale errors of language, grammar issues or other mistakes that characterize many previous generations of lure documents used by state-backed attackers.

The instructions PDF (note, this file does not contain malware):
SHA256: 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39

Getting the Target to Create and Share an App-Specific Password

This attack hinged on deceiving Mr. Giles into believing that, by creating and sharing an App-Specific Password (ASP), he would gain access to a secure government resource enabling him to participate in the consultation.

To establish the deception, the attacker sought to persuade Mr. Giles that he was following the process of “adding your work account… to our MS DoS Guest Tenant platform.” The document and emails outlined the procedure: creating an ASP to “enable secure communications between internal employees and external partners.”

Logic of the Deception

What you think is happening: You are creating and sharing an App-Specific Password to access a “secure” State Department resource.
What is actually happening: You are creating and sharing an ASP credential that gives the attacker full access to your account.

The attackers skillfully reframed creating and sending them an ASP as creating and sharing a code to obtain access to an application maintained by the State Department. In reality, of course, the ASP would provide them complete and persistent access to his accounts.

Figure 4. Inauthentic “MS DoS” PDF provides detailed instructions on how to create an App-Specific Password.

 

Figure 5. A page from the “MS DoS” PDF that includes a screenshot instructing the user to copy their ASP and provide it to the individual at the State Department who invited them to join the platform.

The workflow has many aspects designed to enhance plausibility, especially for a user unfamiliar with how App-Specific passwords work. For example, the attacker instructed Mr. Giles to enter “ms.state.gov” into the “App name” field of Gmail’s App passwords page. In the context of the deception, the goal was to deceive him into believing that he was adding an official state.gov application. In fact, the “ms.state.gov” text is meaningless beyond furthering the ruse. Adding the text merely creates a label for the ASP that was viewable only to him in a field that accepts arbitrary text.

Flexible Attackers: Ensuring the Compromise

One factor that Mr. Giles cites as helping to preserve the credibility of the deception is what he describes as its “unhurried pacing.” Indeed, the interaction unfolded over more than 10 exchanges across several weeks, indicating substantial patience on the part of the attacker. 

The attackers were also ready with answers and prepared to adapt in response to Mr. Giles’ replies. For example, after Mr. Giles stated that the initially proposed time would not work, the attackers chose not to add explicit pressure or urgency, instead suggesting that they set up the platform for the future.

Meanwhile, when Mr. Giles managed to follow the procedure with a separate account that he had access to, the attackers then nudged him towards performing the same procedure on the accounts that they were presumably targeting.

“…I’ve consulted with our IT Team once more regarding the registration issue, and they would like me to ask if you could provide some additional information to help troubleshoot further. Specifically, they need screenshots of what you see when accessing:  
  1. https://myaccount.google.com/u/0/apppasswords
  2. https://myaccount.google.com/signinoptions/twosv  

Please send these screenshots from both your work and personal accounts….”

Figure 6. The attacker’s message to Mr. Giles when he encountered difficulty in accessing Google’s ASP console for specific accounts. The attackers provided him with links to check and requested screenshots, enlisting him in troubleshooting the social engineering.

Similarly, when Mr. Giles initially experienced some difficulties in creating ASPs, the attackers worked with him to ensure that he was able to successfully create them, as shown in the excerpted exchange in Figure 6.

Attack Impact

This was a highly sophisticated attack, requiring the preparation of a range of fake identities, accounts, materials and elements of deception. The attacker was clearly meticulous, to the extent that even a vigilant user would be unlikely to spot out-of-place elements or details.

Ultimately, Mr. Giles was successfully socially engineered into creating and providing the attacker with several ASPs on multiple accounts. Google later identified the attack, locked down the impacted accounts, and disabled the attacker’s email account.

Mr. Giles, upon recovering his accounts and inspecting his account activity logs, found a notification indicating a suspicious login attempt on one of his accounts on June 4, 2025, associated with the following Digital Ocean IP:

178.62.47[.]109

Mr. Giles has publicly shared his suspicion that the material exfiltrated from his accounts is likely to be manipulated and selectively released as part of a future information operation. This seems likely based on the identity of the attacker, and their long track record of similar operations. Such information operations often bury falsehoods in forests of facts, adding credibility to misleading narratives.

Google’s Response

The Google Threat Intelligence Group (GTIG) published a blog post that identifies this attacker as the Russian state-sponsored actor UNC6293, and they make a low-confidence association to APT29 / ICECAP (historically known as “Cozy Bear”). 

Beyond the attack on Mr. Giles, GTIG has identified a second campaign by UNC6293 leveraging the same tactics, including Ukrainian themes.

We note that GTIG’s blog post contains additional indicators associated with a residential proxy used by the attackers.

Protecting Yourself and Your Organization

App-Specific Passwords can provide value to users, but as UNC6293 has figured out, they can also be leveraged for account compromises like the case described here. While certain security risks of ASPs are known, we have not previously investigated a social-engineering attack targeting them. However, many services similar to Gmail also support ASPs (including Apple ID accounts), and we expect that future attacks are likely to attempt similar ruses.

Use Google’s Advanced Protection Program

Everyone should use Multi-Factor Authentication (MFA) on every account where it is available. However, some people are at greater risk of being targeted. This especially applies to individuals and organizations in civil society, particularly those working on or around conflicts, litigation, advocacy, and other high-profile topics. For these individuals, who are at greater risk because of who they are or what they do, we recommend enrolling in Google’s Advanced Protection Program. We think this program would help block attacks similar to the one described here.

Be Mindful of Changing Social-Engineering Tactics

Attackers are constantly adjusting their tactics. In this attack, for example, the unhurried pace of the conversation, the responsive back and forth communications, and the presence of other .gov emails on the CC line all deviated from what many users typically expect from phishing emails. This illustrates the lengths a sophisticated attacker may go to compromise a high-value target.

We urge everyone to exercise caution when reading an unsolicited email or message. Whenever you find yourself in an exchange that asks you to share information from your account, or modify settings, make sure you know who you are communicating with. One of the best ways to do this is to verify the communication ‘out-of-band’ (e.g. with a phone call to a person’s workplace) before moving forward. 

Security Teams: Watch Out for ASPs

For organizations, we recommend ensuring that you are aware of the services where users may enable ASPs, and ensure that they are disabled unless needed for specific users or use cases. Adding education about ASPs to user security programs, including the implications for personal accounts, will likely be helpful.
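A review pass over an ASP inventory that looks for the signals this case turned on: an ASP created recently, never used since creation (created only to be handed over), or labelled with an official-looking name such as “ms.state.gov”. This is an added example, not Citizen Lab or Google code; the records are constructed, and their shape (codeId, name, creationTime and lastTimeUsed in epoch milliseconds) is an assumption modelled on the Admin SDK Directory API `asps.list` items, so adapt the field names to whatever export your provider gives you.

```python
"""Triage an App-Specific Password inventory for created-but-unused,
recently created, or official-looking ASPs. Added example; data is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Fixed reference time so the review is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 6, 5, tzinfo=timezone.utc)


def _ms(dt: datetime) -> int:
    """Epoch milliseconds, the unit assumed for creationTime / lastTimeUsed."""
    return int(dt.timestamp() * 1000)


# Constructed sample inventory, keyed by user. Not real accounts or ASPs.
SAMPLE_ASPS = {
    "analyst@example.org": [
        {"codeId": 1, "name": "Thunderbird on laptop",
         "creationTime": _ms(NOW - timedelta(days=400)),
         "lastTimeUsed": _ms(NOW - timedelta(days=1))},
        {"codeId": 2, "name": "ms.state.gov",   # the label the lure asked the target to type
         "creationTime": _ms(NOW - timedelta(days=3)),
         "lastTimeUsed": 0},
    ],
    "editor@example.org": [
        {"codeId": 7, "name": "old printer scan-to-mail",
         "creationTime": _ms(NOW - timedelta(days=900)),
         "lastTimeUsed": 0},
    ],
}

# Labels that look like a hostname or invoke a government body. Assumption: tune per organisation.
OFFICIAL_LOOKING = re.compile(r"(\.gov\b|\.mil\b|\b[a-z0-9-]+\.[a-z]{2,}\b|\bstate dep)", re.I)


def review_asps(inventory: dict, now: datetime = NOW, recent_days: int = 14) -> list[dict]:
    """Return one finding per suspicious ASP, most reasons first.

    A never-used ASP is worth removing regardless (the page's advice is to
    disable ASPs unless needed); one that is also recent and official-looking
    is the profile of a credential created under social engineering.
    """
    findings = []
    for user, asps in inventory.items():
        for asp in asps:
            created = datetime.fromtimestamp(asp["creationTime"] / 1000, tz=timezone.utc)
            reasons = []
            if now - created <= timedelta(days=recent_days):
                reasons.append("created recently")
            if asp.get("lastTimeUsed", 0) == 0:
                reasons.append("never used")
            if OFFICIAL_LOOKING.search(asp["name"]):
                reasons.append("official-looking label")
            if reasons:
                findings.append({"user": user, "codeId": asp["codeId"],
                                 "name": asp["name"], "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in review_asps(SAMPLE_ASPS):
        print(f"{f['user']} ASP #{f['codeId']} '{f['name']}': {', '.join(f['reasons'])}")
```

Deleting a flagged ASP (with the Admin SDK, `asps.delete`) and notifying the user is the natural follow-up; the review itself is read-only.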

For organizations that use Google Workspaces, progress is being made to improve user security. Google is clearly aware of the risks from ASPs and LSAs, and in Google Workspaces has implemented a plan to phase them out in a process that was first announced in 2019. 

Google’s choice to phase out ASPs for Less Secure Apps (LSAs) on Google Workspaces is a sensible measure. We recognize that for regular Gmail users, Google may still be seeking to balance security with the diversity of LSAs on which their global userbase still depends. Thus, the risk continues for regular Gmail users who may be tricked by similar campaigns.

Recommendations for Providers

Attackers constantly learn from each other, and while this is the first case of ASP-social engineering we have seen, it is unlikely to be the last.

Google caught this attack and locked down Mr. Giles’ accounts, notifying him that they had identified suspicious activity. We believe that adding additional warning text or an explanatory interstitial on the “App passwords” page alerting users of the possibility that attackers may target ASPs would be helpful. We suggest that other providers that offer ASPs consider taking similar steps.

We also think it would be useful for users to be regularly nudged about whether their accounts have any ASPs enabled, as well as potentially adding a visible approval step once the first connection is made using a new ASP. 

Acknowledgements

We thank Mr. Giles for his extraordinarily gracious willingness to share the material of this attack and describe how he experienced it. When targets elect to speak out and share their experiences, it helps make us all safer.

Special thanks to Alyson Bruce for editorial and graphics support, and Ksenia Ermoshina, Alberto Fittarelli, Micah Lee, Cooper Quintin, M Scott, and Adam Senft for review.

Special thanks to the Google Threat Intelligence Group.

Research for this project was supervised by Professor Ronald J. Deibert.

Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/ Thu, 12 Jun 2025 11:55:29 +0000 https://citizenlab.ca/?p=82402 Introduction

On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. The key findings from our forensic analysis of their devices are summarized below:

  • Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.
  • We identify an indicator linking both cases to the same Paragon operator.
  • Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200.

Our analysis is ongoing.

Case 1: Prominent European Journalist

We analyzed Apple devices belonging to a prominent European journalist who has requested to remain anonymous. On April 29, 2025, this journalist received an Apple notification and sought technical assistance. 

Our forensic analysis concluded that one of the journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1. We attribute the compromise to Graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1. We linked this fingerprint to Paragon’s Graphite spyware with high confidence.

Graphite spyware server contacted by the journalist’s device:

https://46.183.184[.]91/

The server appears to have been rented from VPS provider EDIS Global. The server remained online and continued to match Fingerprint P1 until at least April 12, 2025.

Figure 1. Censys result for the IP address contacted by the journalist’s phone during the infection period.

We identified an iMessage account present in the device logs around the same time as the phone was communicating with the Paragon server 46.183.184[.]91. We redact the account and refer to it as ATTACKER1. Based on our forensic analysis, we conclude that this account was used to deploy Paragon’s Graphite spyware using a sophisticated iMessage zero-click attack. We believe that this infection would not have been visible to the target. Apple confirms to us that the zero-click attack deployed here was mitigated as of iOS 18.3.1 and has assigned CVE-2025-43200 to this zero-day vulnerability.

Case 2: Ciro Pellegrino

Ciro Pellegrino is a journalist and head of the Naples newsroom at Fanpage.it, where he has reported on numerous high-profile cases. On April 29, 2025, Mr. Pellegrino received an Apple notification and sought our technical assistance. 

We analyzed artifacts from Mr. Pellegrino’s iPhone and determined with high confidence that it was targeted with Paragon’s Graphite spyware. Our analysis of the device’s logs revealed the presence of the same ATTACKER1 iMessage account used to target the journalist from Case 1, which we associate with a Graphite zero-click infection attempt.

Figure 2. Attribution to Paragon’s Graphite spyware via artifacts found on the devices of Ciro Pellegrino and the unnamed prominent European journalist.

It is standard for each customer of a mercenary spyware company to have its own dedicated infrastructure. Thus, we believe that the ATTACKER1 account would be used exclusively by a single Graphite customer / operator, and we conclude that this customer targeted both individuals.

Our forensic analyses of these attacks, and Paragon’s iOS capabilities, are ongoing.

The Fanpage.it Paragon Cluster

Mr. Pellegrino’s close colleague and Fanpage.it editor, Francesco Cancellato, was notified in January 2025 by WhatsApp that he was targeted with Paragon’s Graphite spyware.

The Citizen Lab has been conducting forensic analysis of Mr. Cancellato’s Android device. However, as of our initial report, we were unable to obtain forensic confirmation of a successful infection of Mr. Cancellato’s Android. As we explained at the time: “Given the sporadic nature of Android logs, the absence of a finding of BIGPRETZEL on a particular device does not mean that the phone wasn’t successfully hacked, simply that relevant logs may not have been captured or may have been overwritten.”

Following Mr. Cancellato’s case, the identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization. This appears to be a distinct cluster of cases that warrants further scrutiny.

Statements by Paragon and the Italian Government

On June 5, 2025, the Italian government’s parliamentary committee overseeing Italy’s intelligence services (COPASIR: Comitato Parlamentare per la Sicurezza della Repubblica) published the report of their inquiry into the Paragon affair in Italy.

The report acknowledged that the Italian government had used Paragon’s Graphite spyware against Luca Casarini and Dr. Giuseppe “Beppe” Caccia, the two individuals where we found forensic evidence of Graphite present (via the BIGPRETZEL Android indicator). However, the report stated that they were unable to determine who might have targeted Mr. Cancellato with Graphite.

On June 9, 2025, Haaretz reported that Paragon had offered to assist the Italian government in investigating the case of Mr. Cancellato, an offer that they say was rejected by the Italian government. Paragon also suggested that they had unilaterally terminated Italy’s contracts.

In response later that day, the Italian Department of Security Intelligence (DIS: Dipartimento delle Informazioni per la Sicurezza), which coordinates Italy’s intelligence services, stated that it had rejected Paragon’s offer because of national security concerns with exposing their activities to Paragon. They stated that providing Paragon such access would impact the reputation of Italy’s security services among peer services around the world. They denied that the contract termination was unilateral. Later the same day, the COPASIR committee stated that they had chosen not to proceed with Paragon’s offer, but instead elected to directly query the Paragon databases, having deemed the approaches to be equivalent.1 The committee also stated a willingness to declassify Paragon’s testimony to the committee.

Response from Paragon Solutions

On June 10, 2025, we sent a summary of our latest findings to Paragon Solutions and offered them the opportunity to reply, which we undertook to publish in full. As of the time of publication we have not received a response. 

Europe’s Continuing Spyware Crisis: Journalists at Risk

At the time of publishing, three European journalists have been confirmed as targets of Paragon’s Graphite mercenary spyware. Two of these confirmations are now forensically based, and the third follows from a notification by Meta. Yet to date, there has been no explanation as to who is responsible for spying on these journalists.

Furthermore, the confirmation of a second case linked to a specific Italian news outlet (Fanpage.it) adds urgency to the question of which Paragon customer is responsible for this targeting, and pursuant to what legal authority (if any) this targeting took place.

The lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat, and underlines the dangers of spyware proliferation and abuse.

Our analysis of Paragon targeting on iOS and Android is ongoing. We thank Access Now for their support.

Have You Received a Warning?

If you are a journalist, human rights defender, or other member of civil society and received a spyware warning from Apple, Meta, WhatsApp, Google or others, take it seriously and seek expert assistance. 

Here is an example of one such notification:

Figure 3. An excerpt of the Apple threat notification received by Ciro Pellegrino that triggered our investigation.

Organizations like Access Now and their Digital Security Helpline can assist you in understanding the attack, and quickly taking the next steps to increase your device security. We work with Access Now to ensure that cases get expert support. Similarly, the Security Lab at Amnesty International also maintains a resource and investigative contact point for notification recipients.

Appendix: Confirmed Paragon Targeting in Italy, Current Knowledge

As there are now multiple cases and reports of Paragon targeting and infection, we are providing a table with an overview of each case, along with the associated evidentiary basis. Importantly, we use the term “Targeted” to describe an individual being selected for infection by a Paragon operator, and reserve “Infected” to describe a forensic confirmation of a successful infection. In many cases, full forensic findings may not be available even where an infection has likely happened, due to limitations in logs and efforts by Paragon to delete traces of the infection.

For example, Mr. Caccia is doubly confirmed as a Paragon target from both WhatsApp’s notification and Citizen Lab’s previously published forensic analysis. Additionally, we were able to identify specific dates that BIGPRETZEL was on his device, helping to illuminate the timeframe of the Paragon infection.

Meanwhile, Mr. Cancellato is confirmed as a Paragon target via a notification from WhatsApp, but our Citizen Lab analysis has yet to identify forensic evidence on the device providing additional information about Paragon targeting or infection. This is not necessarily surprising given forensic limitations when conducting research on Android devices.

The following table summarizes these cases:

| Name | Type of notification received | Device forensic analysis confirms Paragon targeting | Additional forensic findings concerning Paragon infection(s) |
|---|---|---|---|
| Ciro Pellegrino | Notification from Apple: targeted with unspecified advanced spyware | Yes. Citizen Lab found artifacts on the Apple device that we attribute with high confidence to Paragon spyware targeting. | Presence of ATTACKER1, an iMessage account that we link to a customer of Paragon’s spyware. |
| “Prominent European Journalist” | Notification from Apple: targeted with unspecified advanced spyware | Yes. Citizen Lab found artifacts on the Apple device that we attribute with high confidence to Paragon spyware targeting. | Graphite infection present in January and early February 2025 (exact dates redacted). Communication with https://46.183.184[.]91, a server that we attribute to a Paragon customer. Presence of ATTACKER1, an iMessage account we attribute to a Paragon customer. |
| Luca Casarini | Notification from WhatsApp: targeted with Paragon’s spyware | Yes. Citizen Lab found artifacts on the Android device that we attribute with high confidence to Paragon spyware targeting. | Graphite infection present on seven dates between 2024-12-22 and 2025-01-31 (BIGPRETZEL present). |
| Giuseppe Caccia | Notification from WhatsApp: targeted with Paragon’s spyware | Yes. Citizen Lab found artifacts on the Android device that we attribute with high confidence to Paragon spyware targeting. | Graphite infection present on 2024-12-23 (BIGPRETZEL present). |
| Francesco Cancellato | Notification from WhatsApp: targeted with Paragon’s spyware | Not at this time; analysis ongoing. | None at this time. |

In addition to the cases listed above, two individuals have been described in our prior reporting: David Yambio and Father Mattia Ferrari. At the time of writing this report neither individual has been confirmed as a Paragon mercenary spyware target, although both are connected to the cases listed above.

| Name | Type of notification received | Device forensic finding |
|---|---|---|
| David Yambio | Notification from Apple: targeted with unspecified advanced spyware | Citizen Lab confirmed that the device was targeted with spyware, and affirms the presence of the SMALLPRETZEL forensic indicator. The compromise was not attributed to a specific actor, but the report notes proximity to multiple Paragon targets. |
| Father Mattia Ferrari | Notification from Meta: targeted by a “sophisticated attacker” | Not at this time; analysis ongoing. |

Note on Research Ethics

All research involving human subjects conducted at the Citizen Lab is governed under research ethics protocols reviewed and approved by the University of Toronto’s Research Ethics Board.

The Citizen Lab does not take general or unsolicited inquiries related to individual concerns regarding information security and cannot provide individual assistance with security concerns.

Acknowledgements 

We wish to acknowledge the victims that chose to work with us and graciously consented to have their cases discussed. Without them, such research would not be possible. Their participation contributes to our collective digital security. 

We thank our Citizen Lab colleagues, especially Bahr AbdulRazzak for technical investigative support, and Siena Anstis, Rebekah Brown, M. Scott and Adam Senft for review, editing and feedback and Alyson Bruce for editing and communications support.

Research for this project was supervised by Professor Ronald J. Deibert.

Special thanks to TNG.

We thank Access Now for their support.

1. This paragraph has been corrected to reflect the fact that the Committee did have knowledge of the offer, but declined it. It had originally stated that the Committee denied knowledge of the offer. We wish to thank the COPASIR committee for bringing this to our attention and providing us with a translation of their original statement. 2025-06-12