A pro-Iranian hacktivist group, Cyber Fattah, has allegedly published thousands of personal records online believed to be linked to athletes and visitors of the Saudi Games. The breach, announced on Telegram on June 22, 2025, reportedly involved the unauthorized access and exfiltration of sensitive data, including IT staff credentials, government official emails, athlete and visitor information, passports, ID cards, bank statements, medical forms, and scanned sensitive documents. Cybersecurity firm Resecurity characterized this as an information operation orchestrated by Iran and its proxies, aimed at leveraging propaganda against the U.S., Israel, and Saudi Arabia through major sporting and social events.
The leaked data is thought to have originated from the official Saudi Games 2024 website. The information was then disseminated on DarkForums, a cybercrime forum, by a user identified as ZeroDayX. This incident underscores the growing trend of hacktivism in the Middle East, where cyber warfare is frequently employed as a tool for activism. Resecurity noted that Cyber Fattah’s actions align with this broader trend, suggesting a potential shift in focus from exclusively Israel-centric malicious activities towards a more expansive anti-U.S. and anti-Saudi messaging.
Cyber Fattah and the Escalating Hacktivist Landscape
Cyber Fattah, self-described as an “Iranian cyber team,” has a documented history of targeting Israeli and Western web resources, as well as government agencies. The group is also known to collaborate with other regional threat actors. For instance, it has been linked with the 313 Team, which previously claimed responsibility for a distributed denial-of-service (DDoS) attack against Truth Social as retaliation for U.S. airstrikes on Iranian nuclear facilities.
The leak from Cyber Fattah surfaces amidst heightened tensions between Iran and Israel. Reports indicate that approximately 119 hacktivist groups have declared cyber attacks or aligned themselves with or against these two nations. This escalating cyber warfare includes accusations by Iran against Israel for hijacking its state broadcaster’s television stream to display pro-Israeli and anti-Iranian government imagery on June 18. In response, pro-Palestinian groups, such as the Handala team, have listed several Israeli organizations on their data leak sites starting mid-June, including Delek Group and Y.G. New Idan.
Similar attacks targeting U.S. Air Force domains, major aerospace and defense companies, and financial institutions have been observed following alleged Iranian nuclear site bombings on June 21. These attacks are attributed to hacktivist crews like Mr Hamza, 313 Team, Cyber Jihad, and Keymous+.
Furthermore, the conflict has seen the formation of larger, umbrella entities like the Cyber Islamic Resistance or the United Cyber Front for Palestine and Iran. These loosely affiliated groups reportedly share resources and synchronize their campaigns, amplifying their impact. This trend highlights the evolving nature of cyber operations in geopolitical conflicts.
Another notable group, DieNet, identified as pro-Iranian and pro-Hamas, is believed to have Russian-speaking members and connections to Eastern European cyber communities. Its “hybrid identity,” characterized by linguistic analysis and interaction patterns of its internal communications, points to cross-regional cyber collaboration where ideological alignment supersedes national boundaries. According to Group-IB analysis of activity between June 13 and 20, DieNet was the most referenced channel among hacktivist communications on Telegram.
The deployment of cyber capabilities in the context of the Iran-Israel war, alongside other geopolitical events such as the Hamas-Israel and Russia-Ukraine conflicts, demonstrates how digital operations are increasingly integrated to supplement kinetic actions, influence public perception, and disrupt critical infrastructure.
Recent Developments and Broader Implications
In a related incident last week, Predatory Sparrow, a pro-Israel group, claimed to have leaked data from the Iranian Ministry of Communications and also conducted a significant cryptocurrency heist, burning over $90 million by sending digital assets to invalid wallets. Cybersecurity firm Outpost24 suggested this operation may have involved access to internal exchange documentation or the collaboration of a rogue insider. Security researcher Lidia López Sanz described this act not as financially motivated but as a strategic, ideological, and psychological operation aimed at dismantling public trust.
The cyber activity surrounding the Iran-Israel conflict continues to expand. The Bangladesh Cyber Squad has recently joined the fray, bringing the total number of pro-Iranian entities to 95, with an estimated 120 hacktivist groups actively involved. This includes nine pro-Russian groups supporting Iran.
The ongoing digital confrontations suggest a persistent and evolving threat landscape. Future developments will likely involve further data leaks, disruption attempts against critical infrastructure, and continued use of cyberspace for propaganda and psychological operations by state-sponsored and independent hacktivist groups. Observers will be watching for any shifts in targeting or tactics employed by these actors, as well as any official responses from the targeted nations.