Welcome to Memetic Warfare.
We’re going to start this week with an interesting event from a while back that I’ve been following: the hack of the Iranian bank, Bank Sepah, by a group named “Codebreakers”. The operation made international headlines and already has a Wikipedia entry.
For context, Bank Sepah is the “financial linchpin”, as per OFAC, that enables the Iranian ballistic missile program, and as such it has been sanctioned. Wonder who’d be interested in targeting them!
So, I bring this case up now that we’ve had some time to follow it, because at first glance this did not look to me like a regular, financially motivated compromise.
Firstly, Codebreakers as an organization is “sus”. Their profile picture is the typical low-effort meme of hooded hackers, and they created an Instagram account to amplify the leak - not something financially motivated actors commonly do, but exactly the kind of thing someone trying to reach Persians inside Iran would do, as Instagram is incredibly popular there.
The act of amplifying a leak online is, in and of itself, normal: actors often do this to pressure the victim organization into paying a ransom, under threat of having its data shared on the channel. What isn’t normal is opening a WhatsApp group.
WhatsApp isn’t commonly used by threat actors, as trust in Meta they do not. They also began posting immediately in Persian, which is an interesting choice. Most financial threat actors wouldn’t do this: their main goal isn’t to reach Persians themselves but to apply pressure on the victim, which is usually done in English.
Additionally, the chance of this being an actor inside Iran is low, and even then English would probably be the go-to language. The same goes for opposition groups, which would probably have a hard time actually compromising Bank Sepah; their main goal would be to post in English for maximal coverage.
So we can infer, imperfectly, that the major target audience for this operation is in fact Iranians.
Influence, not financial gain, is probably the main goal of this operation as well. Codebreakers posted two large sample files from the hack: one listing over 500,000 account holders with balances above a certain threshold, and a separate list of accounts carrying a certain level of debt. This is also a bit odd, as the samples are huge. A much smaller sample would have sufficed, which further implies that the main goal was to get a significant amount of information out, not to make money by keeping that data exclusive.
Codebreakers also demanded an insane sum of 42 million USD, which no one would realistically pay. I assume they did this to look legitimate without actually having to entertain serious offers.
Shortly after posting the samples and this announcement, Codebreakers began offering the data for sale on Exploit[.]in at a more reasonable price, where it has presumably been bought many times already.
A few days later, Codebreakers announced that they had managed to compromise more Iranian government systems, leading them to new databases that they will presumably begin selling soon.
Codebreakers also exposed the individual account owners for the full DB.
They called out military personnel holding accounts, again the kind of thing an IO (influence operation) threat actor would do.
Fascinatingly, on April 10th Codebreakers announced a video production competition with prizes in crypto for whoever makes the best short video amplifying the hack, its implications and the Codebreakers Telegram channel. Easy money if you ask me, and absolutely the kind of thing a nation-state actor would do to maximize impact.
This is still ongoing, so I’ll be sure to keep following them, but the operation has already made waves. Amwaj Media has some solid coverage of the impact of the leaks on Iranian discourse.
So, overall a fascinating case that appears to me to be very much not financially motivated. We’ve had some really, really interesting activity in Iran lately, ranging from ByteSec to LabDookhtegan to this, and I doubt that it’ll stop here.
We’ll continue with our next topic, a short OSINT tip. That tip is to check out Silent Push. Their tool, which IMO is one of the best out there, hashes the JavaScript file names found in a page’s source, and that hash can apparently be used to deanonymize Tor hidden services or to find otherwise similar domains based on the structure and use of JavaScript. Some really great stuff that you can only do with their database.
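To make the idea concrete, here is an added example (my own illustrative code, not Silent Push’s tool or its actual algorithm) of the general technique: collect the external script file names from a page, normalize away cache-busting build hashes, and hash the sorted set so that a clearnet site and its .onion mirror collapse to the same fingerprint even when hostnames and script order differ. The sample HTML pages and hostnames are constructed for the example, and the hostnames are hypothetical.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Build pipelines often emit names like app.9f1c2b.js; the hash changes per
# deploy, so it is stripped before fingerprinting (assumption: >=6 hex chars
# is a cache-buster, not a meaningful part of the name).
_BUILD_HASH = re.compile(r"[0-9a-f]{6,}")


class ScriptCollector(HTMLParser):
    """Collects the basenames of every <script src=...> in a page."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                # Drop scheme, host and query string: only the file name matters,
                # so a CDN-hosted copy and a local copy normalize the same way.
                path = urlsplit(value.strip()).path
                base = path.rsplit("/", 1)[-1].lower()
                if base:
                    self.names.append(_BUILD_HASH.sub("*", base))


def script_names(html):
    """Return the normalized script file names in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    return collector.names


def js_fingerprint(html):
    """SHA-256 over the sorted, de-duplicated script names; None if the page
    loads no external scripts (no signal, so do not cluster it)."""
    names = script_names(html)
    if not names:
        return None
    canonical = "\n".join(sorted(set(names)))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def cluster_by_fingerprint(pages):
    """Group hostnames whose pages share a fingerprint: {fingerprint: [hosts]}."""
    clusters = {}
    for host, html in pages.items():
        fp = js_fingerprint(html)
        if fp is not None:
            clusters.setdefault(fp, []).append(host)
    return clusters


# Constructed sample pages (hypothetical hostnames), not captured from any real site.
SAMPLE_PAGES = {
    "leaksite.example.test": """<html><head>
<script src="/static/js/jquery-3.6.0.min.js"></script>
<script src="https://cdn.example.test/assets/app.9f1c2b.js?v=12"></script>
</head><body><script src="/static/js/leak-viewer.js"></script></body></html>""",
    "abcdefghijklmnop.onion": """<html><head>
<script src="/static/js/leak-viewer.js"></script>
<script src="/static/js/app.77aa01.js"></script>
<script src="/static/js/jquery-3.6.0.min.js"></script>
</head></html>""",
    "unrelated.example.test": """<html><head>
<script src="/js/main.js"></script></head></html>""",
    "inline-only.example.test": "<html><body><script>var x = 1;</script></body></html>",
}

if __name__ == "__main__":
    for fp, hosts in cluster_by_fingerprint(SAMPLE_PAGES).items():
        print(fp[:16], "->", ", ".join(hosts))
```

The clearnet page and the .onion page differ in hostname, script order, CDN prefix, query string and build hash, yet land in the same cluster, which is the pivot you want. The caveat is the flip side: a fingerprint built only from off-the-shelf names (say, a lone jquery.min.js) will cluster thousands of unrelated sites, so treat a match as a lead to corroborate with other infrastructure signals, not as proof of shared ownership.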
The last order of business is the arrest of the CEO of Aeza Group, a group we’ve discussed here in the past. Interestingly, he was arrested on narcotics charges. This could perhaps be related to some Wagner cleanup, so who knows, but we may well hear more in the future.
That’s it for this week! Check out Telemetryapp.io and see you next week.