While the Israel-Hamas conflict has engulfed the headlines since Hamas’s terror attack on 7 October 2023 and hostage-taking, and Israel’s subsequent “Operation Swords of Iron” response, a shadow war has raged in the hacking underworld, with the frontlines becoming the likes of “BreachForums” and Telegram channels. While this hidden war has been documented in Webz.io (October 2023), Bloomberg (November 2023), TheRecord.Media (January 2024), and a webinar hosted by analytic firm Bluestone Analytics (January 2024), the ever-looming question remains: Are these hacktivist groups a collective of sympathizers, or is it state-sponsored cyber warfare?
1. Hacktivist vs Hacktivist: Cyber_Av3ngers vs. WeRedDevils
In a significant development on the Telegram hacktivist channel front, the well-known pro-Palestine channel “Cyber_Av3ngers” (https://t.me/cyberaveng3rs), which has over 6,700 subscribers, was purportedly taken over by the pro-Israel hacktivist group WeRedDevils (https://t.me/weredevils || https://t.me/weredevilsOG) on 20 April.
Subsequently, the “WeRedDevils || WeRedDevilsOG” posted the alleged.
The “CyberAveng3rs” channel became active on Telegram in September 2023, a few weeks before 7 October 2023. It boasted about its dedication to attacking Israeli infrastructure.
Most of the channel’s activity is visible between October 2023 and January 2024; after that, posts became sporadic and more spaced out, with a significant lapse until mid-March 2024. The last post before the purported takeover by “WeRedDevilsOG || WeRedDevils” was on 13 April, preceded by lead-up “hype” posts about again attacking Israeli infrastructure, specifically saying “Lights Out Tel-Aviv” and “Prepare for more wide spread power outages”.
When “WeRedDevilsOG || WeRedDevils” announced their control of the Telegram channel on 20 April, they doxxed the person they claim was behind it, Mahdi Lashgarian. Lashgarian was purportedly linked to the IRGC – Cyber-Electronic Command; this claim was posted on both the “Cyber_Aveng3rs” and the “WeRedDevilsOG” Telegram channels.
1.1 Hacktivism exposing… India?
Of interest, the phone numbers associated with the subject do not appear to carry an Iranian country code. Assuming the +98 Iran country code, the numbers would read +989104762098 and +982177394846. No further identifiers were provided in the doxxing.
OSINT research revealed the email address to possibly be mahdi@lashgarian.com, which is of interest. An entity registered the domain lashgarian.com in 2018:
Domain Name: lashgarian.com
Registry Domain ID: 2282726043_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: https://www.godaddy.com
Updated Date: 2018-07-05T15:21:45Z
Creation Date: 2018-07-05T15:21:45Z
Registrar Registration Expiration Date: 2028-07-05T15:21:45Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
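The WHOIS record above is the kind of artefact an analyst pivots on, and the first thing to extract from it is the registration age: a domain created years before the activity under investigation tells a different story from one registered days earlier. The following Python script is an added example, not part of the original article, that parses a WHOIS text record in the same key: value layout into fields and computes the domain's age and time to expiry at a reference date. The sample record is constructed for illustration (example.com with made-up registry values that mirror the field names above, not real registration data); parse_whois, domain_age_days and registration_summary are names chosen here.

```python
import re
from datetime import date, datetime, timezone

# Constructed sample in the same "Key: Value" layout as the WHOIS record in the article.
# The values are illustrative and are not the real registration data for example.com.
SAMPLE_WHOIS = """\
Domain Name: example.com
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: https://www.example-registrar.test
Updated Date: 2018-07-05T15:21:45Z
Creation Date: 2018-07-05T15:21:45Z
Registrar Registration Expiration Date: 2028-07-05T15:21:45Z
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
"""

# Key is everything up to the first colon; the value may itself contain colons (URLs).
_KV = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_whois(text):
    """Parse 'Key: Value' WHOIS lines into a dict.

    Blank lines, legal notices and keys with empty values are skipped;
    if a key repeats, the later occurrence wins.
    """
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def _parse_ts(value):
    """WHOIS timestamps are ISO 8601 with a trailing Z; keep only the UTC calendar date."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date()


def _as_date(as_of):
    """Accept either a date object or a 'YYYY-MM-DD' string as the reference day."""
    return as_of if isinstance(as_of, date) else date.fromisoformat(as_of)


def domain_age_days(fields, as_of):
    """Days between the Creation Date and the reference day (negative if the record is in the future)."""
    return (_as_date(as_of) - _parse_ts(fields["Creation Date"])).days


def days_to_expiry(fields, as_of):
    """Days left until the registrar's expiration date; negative once it has lapsed."""
    return (_parse_ts(fields["Registrar Registration Expiration Date"]) - _as_date(as_of)).days


def registration_summary(text, as_of, new_threshold_days=90):
    """Enrichment summary for one WHOIS record at a given reference day.

    'newly_registered' flags domains younger than new_threshold_days, the
    usual cheap signal for throwaway infrastructure; an old registration
    like the sample (created 2018) comes back False.
    """
    fields = parse_whois(text)
    age = domain_age_days(fields, as_of)
    return {
        "domain": fields["Domain Name"],
        "registrar": fields["Registrar"],
        "age_days": age,
        "newly_registered": age < new_threshold_days,
        "days_to_expiry": days_to_expiry(fields, as_of),
    }


if __name__ == "__main__":
    # Reference day: the date of the purported channel takeover discussed in the article.
    print(registration_summary(SAMPLE_WHOIS, "2024-04-20"))
```

The parser deliberately keys on the first colon only, so values such as the registrar URL survive intact, and it ignores lines without a value so the trailing legal boilerplate most WHOIS servers append does not pollute the field set.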
Further digging revealed a link to the username “renegade-r”, associated with the email mahdi@lashgarian.com.
A set of data sourced from a database breach in 2023 also revealed something interesting:
mahdi@lashgarian.com
Leak Base: tasocial_pap
Data: ('6718VIMa', '', 'idham979000', 'Mahdi', 'Lashgarian', '84519751fe35e5cb4f1e986b29519d5b', '', '92.50.15.4'),
The IP address 92.50.15.4 is attributed to an IPXO customer and geolocates to India.
While the “WeRedDevils || WeRedDevilsOG” channels are active with multiple doxxings, this one is particularly interesting. The intelligence gaps that remain are how “WeRedDevils” were able to assume control of the “Cyber_Aveng3rs” Telegram channel in the first place, and how they were able to obtain so much information about Mahdi Lashgarian if he was behind the channel. If true, and Lashgarian was affiliated with the IRGC – Cyber Electronic Command, the question lingers: are the other Palestine-sympathetic “hacktivist” channels also being run by members of the IRGC? Is this state-sponsored hacking with a “hacktivist” masquerade?