Iranian MOIS actors are increasingly engaging with the cyber crime ecosystem, using criminal tools, services, and affiliate-style models to pursue state objectives, a shift from simply masking activity to actively leveraging the criminal ecosystem. According to the U.S. Treasury, the network led by narcotics trafficker Naji Ibrahim Sharifi-Zindashti operated at the behest of MOIS and targeted dissidents and opposition activists, with similar patterns noted by the FBI in relation to MOIS-linked operations.
The blog highlights Void Manticore (Handala Hack) and MuddyWater as the best‑documented MOIS‑affiliated groups to cross over into criminal clusters, including the use of commercial infostealers such as Rhadamanthys and the deployment of wipers in phishing lures against Israeli targets.
MuddyWater is described as a MOIS subordinate that has linked operations to cyber crime clusters such as Tsundere/DinDoor and FakeSet/CastleLoader, underscoring the potential for attribution confusion when criminal tooling and infrastructure are co‑opted. In October 2025, Israeli assessments attributed a Qilin ransomware incident to Iranian-affiliated operators working through the cyber criminal ecosystem, using a ransomware-as-a-service model to further strategic objectives.
Overall, the piece argues that cyber crime is now a practical operational resource for MOIS‑linked actors, enhancing capabilities while complicating attribution.