
Apple notified more than a dozen Iranians in recent months that their iPhones had been targeted with government spyware, according to security researchers.
Miaan Group, a digital rights organization that focuses on Iran, and Hamid Kashfi, an Iranian cybersecurity researcher who lives in Sweden, said they spoke with several Iranians who received the notifications in the last year.
Bloomberg first wrote about these spyware notifications.
Miaan Group published a report on Tuesday on the state of cybersecurity of civil society in Iran, which mentioned that the organization’s researchers have identified three cases of government spyware attacks against Iranians, two in Iran and one in Europe, who were alerted in April of this year.
“Two people in Iran come from a family with a long history of political activism against the Islamic Republic. Many members of their family have been executed, and they have no history of traveling abroad,” Amir Rashidi, Miaan Group’s director of digital rights and security, told TechCrunch. “I believe there have been three waves of attacks, and we have only seen the tip of the iceberg.”
Rashidi said that Iran is likely the government behind the attacks, although more investigation into these attacks is needed to reach a more conclusive determination. “I see no reason for members of civil society to be targeted by anyone other than Iran,” he said.
Kashfi, who founded the security firm DarkCell, said in an email that he helped two victims go through preliminary forensics steps, but he wasn’t able to confirm which spyware maker was behind the attacks. And, he added, some of the victims he worked with preferred not to continue the investigation.
“Pretty much all victims spooked out and ghosted us as soon as we explained the seriousness of the case to them. I presume partly because of their place of work and sensitivity of the matters related to that,” said Kashfi, who added that one of the victims received the notification in 2024.
It’s unclear which spyware maker is behind these attacks.
Over the last few years, Apple has sent several rounds of notifications to people whom the company believes have been targeted with government spyware, such as NSO Group’s Pegasus, or Paragon’s Graphite. This kind of malware is also known as “mercenary” or “commercial” spyware.
The notifications have helped security researchers who focus on spyware to document abuses in several countries such as India, El Salvador, and Thailand.
On Apple’s support page for what the company calls “threat notifications,” last updated in April, the tech giant said that since 2021 it has notified users “in over 150 countries,” which shows how widespread the use of government spyware is. Apple does not disclose the names of the countries, nor the total number of people it has notified.
To help victims, since last year, Apple has recommended that those who received these threat notifications reach out to digital rights group AccessNow, which runs an around-the-clock helpline staffed with researchers who can investigate spyware attacks. AccessNow has documented cases of spyware abuse all over the world.
Apple did not respond to a request for comment on the notifications sent to Iranians.