IRAN is recruiting Russian cybercriminals and reviving Pay2Key to act as a punitive arm of the Iranian state, according to KELA's Cyber Intelligence Center report. The operation deploys so‑called pseudo-ransomware and functions as an initial access broker for ransomware groups targeting high‑impact US entities, with encryption used as a mask for data destruction (a wiper-like technique).
Pay2Key affiliates are said to be paid more for attacks against Iran’s designated “enemies,” with the affiliate cut rising from 70% to 80% when attacks target the US and Israel. The strategy also features new destructive smokescreens that combine ransomware‑style encryption with data destruction, in the same way that Iran’s APT Agrius uses the Apostle malware, which was retrofitted from a data wiper.
These moves form part of a broader effort to blur the lines between state‑sponsored cyberwarfare and criminal activity, a shift KELA describes as expanding the threat landscape and creating an attribution challenge for organisations. KELA cites 28 February as a reference point for the broader conflict, placing the report in its ongoing geopolitical context.