Cybercrime isn't just a cover for Iran's government goons - it's a key part of their operations

Iranian state-sponsored cyber actors are fundamentally integrating cybercrime tools and infrastructure into their operational strategies, moving beyond mere disguise as criminal entities. Security researchers indicate these groups, particularly those associated with the Ministry of Intelligence and Security (MOIS), are actively leveraging commercially available cybercriminal offerings such as ransomware, malware-as-a-service, and infostealers directly within their campaigns¹. This approach signifies a strategic shift from merely attributing attacks to criminal groups to actively incorporating their methods and ecosystems for both destructive and espionage purposes. Rather than solely concealing nation-state activity behind a criminal facade, Iranian operatives are increasingly building their capabilities upon established illicit cyber marketplaces and toolsets. This integration not only allows for scalable operations but also diversifies attack vectors and significantly complicates attribution efforts by blending statecraft with financially motivated techniques. The evolving landscape demands that cybersecurity practitioners adjust their threat models, prioritizing comprehensive operational resilience planning against a wider spectrum of hybrid threats.