{
	"id": "f968fdb5-96ac-4a25-a0b0-ab935029988b",
	"created_at": "2026-04-06T00:17:40.434904Z",
	"updated_at": "2026-04-10T13:13:10.108336Z",
	"deleted_at": null,
	"sha1_hash": "63167f726878ff7323b8af9603df60c4780e2845",
	"title": "Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65362,
	"plain_text": "Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’\r\nOperation Designed to Influence the 2024 U.S. Presidential\r\nElection\r\nPublished: 2024-09-27 · Archived: 2026-04-05 16:23:47 UTC\r\nNote: View the indictment here and the FBI Wanted Poster here.\r\nThe Justice Department today announced the unsealing of an indictment charging Iranian nationals, and Islamic\r\nRevolutionary Guard Corps (IRGC) employees, Masoud Jalili, 36,  also known as, جلیلی مسعود, Seyyed Ali\r\nAghamiri, 34, also known as, آقامیری علی سید, and Yaser Balaghi, 37, also known as, بالغی یاسر) the Conspirators),\r\nwith a conspiracy with others known and unknown to hack into accounts of current and former U.S. officials,\r\nmembers of the media, nongovernmental organizations, and individuals associated with U.S. political campaigns.\r\nThe activity was part of Iran’s continuing efforts to stoke discord, erode confidence in the U.S. electoral process,\r\nand unlawfully acquire information relating to current and former U.S. officials that could be used to advance the\r\nmalign activities of the IRGC, including ongoing efforts to avenge the death of Qasem Soleimani, the former\r\ncommander of the IRGC – Qods Force (IRGC-QF).\r\nAs alleged, in or around May, after several years of focusing on compromising the accounts of former U.S.\r\ngovernment officials, the conspirators used some of the same hacking infrastructure from earlier in the conspiracy\r\nto begin targeting and successfully gaining unauthorized access to personal accounts belonging to persons\r\nassociated with an identified U.S. Presidential campaign (U.S. Presidential Campaign 1), including campaign\r\nofficials. The conspirators used their access to those accounts to steal, among other information, non-public\r\ncampaign documents and emails (campaign material). 
The activity broadened in late June, when the conspirators\r\nengaged in a “hack-and-leak” operation, in which they sought to weaponize campaign material stolen from U.S.\r\nPresidential Campaign 1 by leaking such materials to members of the media and individuals associated with what\r\nwas then another identified U.S. Presidential campaign (U.S. Presidential Campaign 2), in a deliberate effort to, as\r\nreflected in the conspirators’ own words and actions, undermine U.S. Presidential Campaign 1 in advance of the\r\n2024 U.S. presidential election.\r\n“The Justice Department is working relentlessly to uncover and counter Iran’s cyberattacks aimed at stoking\r\ndiscord, undermining confidence in our democratic institutions, and influencing our elections,” said Attorney\r\nGeneral Merrick B. Garland. “The American people – not Iran, or any other foreign power – will decide the\r\noutcome of our country’s elections.”\r\n“Today’s charges represent the culmination of a thorough and long-running FBI investigation that has resulted in\r\nthe indictment of three Iranian nationals for their roles in a wide-ranging hacking campaign sponsored by the\r\nGovernment of Iran,” said FBI Director Christopher Wray. “The conduct laid out in the indictment is just the latest\r\nexample of Iran’s brazen behavior. So today the FBI would like to send a message to the Government of Iran –\r\nyou and your hackers can’t hide behind your keyboards.”\r\nhttps://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us\r\nPage 1 of 5\n\n“These hack-and-leak efforts by Iran are a direct assault on the integrity of our democratic processes,” said\r\nAssistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “Iranian\r\ngovernment actors have long sought to use cyber-enabled means to harm U.S. interests. 
This case demonstrates\r\nour commitment to expose attempts by the Iranian regime or any other foreign actor to interfere with our free and\r\nopen society.”\r\n“This indictment alleges a serious and sustained effort by a state-sponsored terrorist organization to gather\r\nintelligence through hacking personal accounts so they can use the hacked materials to harm Americans and\r\ncorruptly influence our election,” said U.S. Attorney Matthew Graves for the District of Columbia. “The detailed\r\nallegations in the indictment should make clear to anyone who might attempt to do the same that the Justice\r\nDepartment has the ability to gather evidence of such crimes from around the globe, will charge those who\r\ncommit such crimes, and will do whatever we can to bring those charged to justice.”\r\nAs alleged in the indictment, beginning in or around January 2020, Jalili, Aghamiri, and Balaghi, working on\r\nbehalf of the IRGC, commenced a wide-ranging hacking campaign that used spearphishing and social engineering\r\ntechniques to target and compromise victims computers and accounts. Among the conspirators’ techniques were:\r\nusing virtual private networks and virtual private servers to obscure their true location; creating fraudulent email\r\naccounts in the names of prominent U.S. persons and international institutions; creating spoofed login pages to\r\nharvest account credentials; sending spearphishing emails using compromised victim accounts; and using social\r\nengineering to obtain victims’ login information and multi-factor recovery/authentication codes. Some of the\r\nconspirators’ efforts were successful, while others were not.\r\nIn April 2019, the Department of State designated the IRGC as a foreign terrorist organization. 
Among the\r\npurposes of the conspiracy were for the conspirators to: (i) steal victims’ data, such as information related to U.S.\r\ngovernment and foreign policy information concerning the Middle East; (ii) steal information relating to current\r\nand former U.S. officials that could be used to advance the IRGC’s malign activities; (iii) disrupt U.S. foreign\r\npolicy in the Middle East; (iv) stoke discord and erode confidence in the U.S. electoral process; (v) steal personal\r\nand private information from persons who had access to information relating to U.S. Presidential Campaign 1,\r\nincluding non-public campaign material and information; and (vi) undermine U.S. Presidential Campaign 1 in\r\nadvance of the 2024 U.S. presidential election by leaking stolen campaign material and information.\r\nAs reflected in the Sept. 18 joint statement released by the Office of the Director of National Intelligence, FBI,\r\nand Cybersecurity and Infrastructure Security Agency: “Iranian malicious cyber actors in late June and early July\r\nsent unsolicited emails to individuals then associated with President Biden’s campaign that contained an excerpt\r\ntaken from stolen, non-public material from former Trump’s campaign as text in the emails. There is currently no\r\ninformation indicating those recipients replied. Furthermore, Iranian malicious cyber actors have continued their\r\nefforts since June to send stolen, non-public material associated with former President Trump’s campaign to U.S.\r\nmedia organizations.”\r\nAs alleged in further detail in the indictment, the conspirators’ hack-and-leak efforts involved the conspirators\r\nemailing stolen campaign material to individuals that the conspirators believed were associated with what was\r\nthen U.S. 
Presidential Campaign 2 and members of the media.\r\nFirst, between on or about June 27 and July 3, the conspirators sent or forwarded an unsolicited email message to\r\npersonal accounts of three persons that the conspirators believed were associated with U.S. Presidential Campaign\r\n2. The June 27 email was sent to two recipients, and then forwarded the same day to another account for one of\r\nthose recipients (due to the earlier email being sent to an invalid account for that recipient). This email chain\r\ncontained campaign material stolen from an official for U.S. Presidential Campaign 1 (U.S. Victim 11). Neither of\r\nthe recipients replied to the conspirators’ email. In addition, the conspirators sent a follow-up email on July 3rd to\r\na third recipient’s account, and the recipient similarly did not reply to the Conspirators.\r\nSecond, between on or about July 22 and on or about Aug. 31, the conspirators distributed other campaign\r\nmaterial stolen from U.S. Victim 11 regarding U.S. Presidential Campaign 1’s potential vice-presidential\r\ncandidates to multiple members of the news media, in an attempt to induce the news media to publish the material.\r\nIn one instance, for example, the conspirators’ message stated “I think this information is worth a good [U.S. news\r\npublication] piece with your narration. Let me know your thoughts.”\r\nAs alleged, these defendants also sought to promote the IRGC’s goals and mission by compromising and\r\nmaintaining unauthorized access to the email accounts of a number of former government officials, including U.S.\r\nVictim 1, who had served in a position with responsibility over U.S. Middle East policy at the time of Qasem\r\nSoleimani’s death. Using this access, the defendants obtained information to assist the IRGC’s efforts to target\r\nU.S. 
Victim 1 and others, including their means of identification, correspondence, travel information, lodging\r\ninformation and other information regarding their whereabouts and policy positions.\r\nJalili, Aghamiri, and Balaghi are charged with: conspiracy to commit identity theft, aggravated identity theft,\r\naccess device fraud, unauthorized access to computers to obtain information from a protected computer,\r\nunauthorized access to computers to defraud and obtain a thing of value, and wire fraud, all while knowingly\r\nfalsely registering domain names, which carries a maximum penalty of 12 years in prison; conspiracy to provide\r\nmaterial support to a designated foreign terrorist organization, which carries a maximum penalty of 20 years in\r\nprison; eight counts of wire fraud while falsely registering domain names, each of which carries a maximum\r\npenalty of 27 years in prison; and eight counts of aggravated identity theft, each of which carries a mandatory\r\nminimum penalty of two years in prison. If convicted, a federal district court judge will determine any sentence\r\nafter considering the U.S. Sentencing Guidelines and other statutory factors.\r\nConcurrent with today’s announcement, the Department of State, through the Rewards for Justice Program, issued\r\na reward\r\nof up to $10 million for information on Jalili, Aghamiri, and Balaghi, the IRGC’s interference in U.S. elections, or\r\nassociated individuals and entities. Also, concurrent with today’s announcement, the Department of the Treasury,\r\nOffice of Foreign Asset Control (OFAC), pursuant to Executive Order (E.O.) 13694, as amended, and E.O. 
13848\r\ndesignated\r\nJalili for being responsible for or complicit in, or having engaged in, directly or indirectly, a cyber-enabled activity\r\noriginating from, or directed by persons located, in whole or in substantial part, outside the United States that is\r\nreasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign\r\npolicy, or economic health or financial stability of the United States and that has the purpose or effect of causing a\r\nsignificant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial\r\ninformation for commercial or competitive advantage or private financial gain.\r\nThe FBI Washington Field Office is investigating this case. The FBI Cyber Division and Springfield and\r\nMinneapolis Field Offices provided substantial assistance in this matter. For more information on threat activity as\r\nwell as mitigation guidance, the FBI has released a Joint Cyber Security Advisory titled “Iranian Cyber Actors\r\nTargeting Personal Accounts to Support Operations.”\r\nThe Justice Department would like to thank the following private sector partners for their assistance with this\r\ncase: Google, Microsoft, Yahoo, and Meta.\r\nAssistant U.S. Attorneys Tejpal Chawla and Christopher Tortorice for the District of Columbia and Trial Attorney\r\nGreg Nicosia of the National Security Division’s National Security Cyber Section are prosecuting the case, with\r\nsignificant assistance from Paralegal Specialists Mariela Andrade and Kate Abrey. Joshua Champagne of the\r\nNational Security Division’s Counterterrorism Section also provided valuable assistance.\r\nAn indictment is merely an allegation. 
All defendants are presumed innocent until proven guilty beyond a\r\nreasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us"
	],
	"report_names": [
		"three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us"
	],
	"threat_actors": [],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63167f726878ff7323b8af9603df60c4780e2845.pdf",
		"text": "https://archive.orkl.eu/63167f726878ff7323b8af9603df60c4780e2845.txt",
		"img": "https://archive.orkl.eu/63167f726878ff7323b8af9603df60c4780e2845.jpg"
	}
}