Israel Says Iranian Cyberattacks Have Tripled — And the Numbers Only Tell Half the Story
A ceasefire ended the missiles. In cyberspace, both sides say the war never really stopped.
Israel's National Cyber Directorate says it is now fending off nearly triple the volume of hostile cyber activity it saw a year ago, and the shift isn't just about scale — it's about how much more organized Iran's hacking apparatus has become. In comments to the German newspaper Die Welt, National Cyber Directorate director general Yossi Karadi said Israeli authorities logged around 4,800 hostile cyber incidents in June, compared with roughly 1,600 in the same month last year. He described the increase as driven less by simple volume and more by coordination: Iran's traditionally fragmented network of state, proxy, and hacktivist hacking groups is now sharing intelligence, infrastructure, and techniques in ways it wasn't previously, and Tehran has reportedly drawn ransomware operators and hackers outside Iran into its broader campaign.
Karadi framed the current moment bluntly — there is, in his words, no ceasefire in cyberspace — and said Israel's most sensitive networks and critical infrastructure have so far stayed operational, even as other organizations have had systems wiped by destructive attacks.
A Cyber Front That Never Actually Paused
Karadi's comments land against the backdrop of a year that fundamentally reshaped the Israel-Iran cyber relationship from a long-running shadow conflict into something closer to open digital warfare. When Israel and the United States launched coordinated airstrikes on Iranian military, nuclear, and leadership targets at the end of February 2026, the opening hours of that campaign were reportedly accompanied by cyber and space operations that disrupted Iranian communications and sensor networks ahead of the kinetic strikes. What followed was described by some Israeli sources as the largest cyberattack in history against Iran: internet connectivity inside the country collapsed to a small fraction of normal levels for more than two days, government services and state media were disrupted, and Israeli-linked operators reportedly compromised a popular Iranian prayer app with millions of installs to push messages urging soldiers to defect.
Iran's response, hampered in the war's early days by that same connectivity collapse, still produced a wave of hacktivist activity — more than 60 groups claimed some form of retaliatory action within days, ranging from DDoS attacks and website defacements to more serious infrastructure-focused claims.
A formal U.S.-Iran memorandum of understanding eventually paused the overt military exchange. But the cyber dimension of the conflict didn't wind down with it. In the days immediately following that agreement, Iranian banks were hit by two separate waves of disruptive cyberattacks in June, forcing a temporary nationwide suspension of card-based services at three major institutions. Analysts pointed to Predatory Sparrow — a group widely believed to be linked to Israeli intelligence, with a history of attacks on Iran's steel industry, fuel distribution network, and state-owned Bank Sepah dating back to 2021 — as the likely author, reading the timing as a signal that covert cyber operations were filling the space the ceasefire had closed off for conventional strikes.
Iran's Side of the Ledger
The coordination Karadi described isn't limited to defense-oriented sharing — it reflects a hacking ecosystem that has grown considerably more complex over the past year. Groups publicly tracked as Iran-aligned or IRGC-affiliated, including Handala (also linked to Iran's Ministry of Intelligence and Security), MuddyWater, and various IRGC-adjacent hacktivist fronts, have claimed operations spanning espionage, destructive wiper attacks, and infrastructure-focused intrusions well beyond Israel's borders — including against water utilities and energy systems in the United States. Security researchers have also documented cases of MuddyWater backdoors planted inside U.S. and allied financial and defense-adjacent networks months before the February strikes even began, suggesting a degree of pre-positioning that predates the current spike in reported incident volume.
Karadi's claim that Tehran has enlisted ransomware gangs and hackers based outside Iran fits a broader pattern researchers have tracked throughout the conflict: dozens of pro-Iranian hacktivist collectives, some with no prior ideological alignment to Tehran, mobilizing around the conflict on platforms like Telegram, blurring the line between state-directed operations and opportunistic, loosely affiliated activity claimed in Iran's name.
The AI Factor
Karadi also pointed to artificial intelligence as an accelerant reshaping the pace of the conflict on both sides — lowering the technical bar for launching attacks while simultaneously giving defenders faster detection and response capability. His framing — that organizations should prepare for what an adversary is capable of rather than trying to predict what it intends to do — reflects a defensive posture increasingly common among cyber officials dealing with adversaries whose stated intentions (retaliation, deterrence, "warning shots") don't reliably predict what tools or targets they'll actually deploy.
A Number Worth Treating Carefully
It's worth being clear-eyed about what Karadi's figures actually represent. Neither Die Welt nor the National Cyber Directorate has published a methodology for how these incidents were counted, what threshold qualifies as a "hostile cyber incident," or how the count separates genuine intrusions from attempted, low-effort, or unsuccessful activity — a distinction that matters enormously given how much of the pro-Iranian hacktivist ecosystem specializes in high-volume, low-sophistication claims (DDoS attacks and website defacements) that inflate incident counts without reflecting meaningful operational impact. Israel's cyber directorate did not respond to requests for additional detail on the figures. That doesn't make the trend Karadi describes implausible — independent researchers have separately tracked a sharp rise in claimed incidents against Israel since the February strikes — but the specific tripling figure should be read as an official's characterization rather than an independently verified statistic.
Two Sides, One Undeclared War
What's notable about the current moment isn't just the scale on either side — it's that both Israel and Iran now treat cyberspace as a persistent, ongoing front rather than a tool reserved for moments of active kinetic conflict. Iran continues to publicly deny conducting offensive cyber operations against other states while accusing Israel and its allies of targeting Iranian networks; Israel, in turn, has never officially acknowledged operations attributed to groups like Predatory Sparrow, even as independent analysts consistently link them to Israeli military intelligence. That mutual deniability hasn't stopped either side from treating the domain as an active battlespace: banks disrupted, water and energy systems probed, government networks targeted, months after the missiles stopped. However the specific numbers are counted, the underlying claim from Karadi's interview is hard to dispute — for Israel and Iran, the ceasefire was never going to include the internet.
Drawing on reporting from Die Welt, Resilience Media, The Record, Amwaj Media, CloudSEK, SOCRadar, ZENDATA Cybersecurity, and Picus Security, current as of early July 2026.