July 30, 2025 • 9:16 am ET
What the Israel-Iran conflict revealed about wartime cyber operations
The recent war between Iran and Israel will be remembered for what the world witnessed—from the direct, large-scale military strikes by both countries (and the United States), to a major shift in regional power dynamics, to the substantial damage done to the Iranian nuclear program, with still-unknown consequences.
But it should also be remembered for what it did not witness: While the conflict featured apparent cyber activities that ranged from low-level hacktivism to attacks on financial institutions, the impact of these activities was markedly limited. This is notable given speculation early in the conflict about how cyber would feature in the fight, and the fact that Iran and Israel both possess considerable prowess in the cyber domain.
Cyber activities have become a permanent feature of contemporary conflict, though their shape, form, and impact are ill-understood. As the four examples below from the Israel-Iran conflict demonstrate, such activities appear to offer an incremental edge in warfare, rather than a revolutionary one.
Hacktivism
On both sides, the Israel-Iran war produced a clear burst of hacktivism, or cyber attacks by politically motivated actors to further social or political objectives. Estimates range from at least thirty-five distinct pro-Iran groups joining the conflict, to more than one hundred different hacktivist groups declaring themselves involved. Attacks included the hacking of Iranian state television to display footage of anti-regime protests and calls for a public uprising against the Iranian regime. Meanwhile, 40 percent of all distributed denial-of-service attacks conducted during the conflict were directed at Israel.
But the real-world impact of hacktivism is limited. Its effects reside in the information domain, where they are “cognitive, not coercive,” as per leading scholars in cyber warfare. To borrow a description cybersecurity expert Tom Uren has used, hacktivism amounts to little more than “digital graffiti” in the battle for public or media opinion.
A second type of cyber activity on display during the war was a spate of targeted, destructive cyber attacks by state-sponsored actors—actors who operate on behalf of or with tacit support from a government. For example, Iran’s Bank Sepah (known to have ties to Iran’s Islamic Revolutionary Guard Corps) was hacked, which resulted in widespread service outages for citizens and organizations. Nobitex, Iran’s largest cryptocurrency exchange, was also attacked, resulting in the theft of around ninety million dollars of crypto assets that were subsequently “burned,” rendering the crypto inaccessible. Both were reportedly hacked by Predatory Sparrow, a group affiliated with the Israeli state, likely with the intention of signaling to Tehran that Israel has the ability to cause chaos within Iran itself.
Most recently Pay2Key.IP, an Iranian ransomware group with ties to Iranian state-backed hackers, reportedly offered larger profit shares of ransom payments to affiliates willing to conduct attacks against targets in Israel and the United States. In addition, Handala Hack, a group associated with Iran’s intelligence services, published documents accusing a London-based Iranian journalist of spying for Mossad—actions intended to cause targeted disruption.
Though such activity might appear highly disruptive upon first glance, it lacks lasting impact. These types of cyber attacks offer a means of power projection, by sowing chaos and disorder—while in the process disrupting civilian infrastructure—rather than achieving meaningful military gains.
Information control
In line with Iranian doctrine, which regards information as a domain to be controlled, the Iranian regime imposed a near-total internet blackout across Iran on June 20, resulting in internet traffic dropping by 97 percent. This blackout was imposed under the pretense of cybersecurity, supposedly to stop cyber attacks emanating from Israel. In Israel, meanwhile, the police force’s legal advisor authorized officers to block foreign media coverage of Iranian missile strikes around certain sites.
Yet, the impact of such activity was temporary and mainly disruptive to civilians. Its value lay in helping to impose internal regime security by quashing internal criticism and visibility of either state’s actions, rather than advancing military objectives.
Spyware
The fourth—and perhaps murkiest—type of activity observed during this conflict is spyware. Israeli private sector companies, often with suspected ties to the Israeli state, are critical players in the spyware industry (which researchers explored in their 2024 report “Mythical Beasts and where to find them”).
Reports recently came to light documenting the targeting of Iranians with spyware in the months prior to the conflict, both inside Iran and against Iranian nationals living abroad. This took place in parallel to the Iranian state accusing Israel of using WhatsApp to spy on it. Tehran urged Iranian citizens to remove WhatsApp from their smartphones, asserting that the app gathered user information to send to Israel. The Iranian regime offered no evidence for this allegation, and WhatsApp has refuted it. (WhatsApp was also involved in a recent, successful lawsuit against a well-known Israeli spyware vendor.) At the same time, Israeli officials warned that Iranian actors were hacking into home security cameras in Israel, using the footage to assess the impact of Iranian strikes on Israeli targets.
These examples suggest that spyware’s value in conflict is enabling at best, in offering its users an advantage in terms of intelligence and information-gathering, to inform subsequent operational military activity.
No decisive edge
It can be easy to conflate the volume of cyber activity in the Israel-Iran war with decisive impact. But the value of cyber attacks for each state came from them serving as a means of shaping and augmenting the information environment, rather than bringing the conflict to a conclusive end. While these incidents may have caused harm or disruption in the short term, they failed to provide any decisive military advantage. Instead, the impact was disproportionately felt by ordinary Iranian and Israeli citizens.
Where this finding might not hold is in the case of a rare, singular incident with destructive impact, such as the US and Israeli Stuxnet cyber attack, which was designed to degrade Iran’s nuclear program. But in the short term at least, this type of attack in a conflict between Israel and Iran is unlikely, given that Israel has already weakened Iran significantly through military action and strikes. Such cyber attacks take years to construct, and deploying them would immediately expose such a high-grade capability, lessening its value in cyber terms.
Nonetheless, further cyber operations will likely emerge in the coming months—if not years—of the ongoing battle between these two states. These will likely come in the form of renewed threats to the critical infrastructure of countries supporting either party in the conflict, as well as further low-level hacktivism. Moreover, attacks are most likely to occur where cyber operations have proven their value historically—for intelligence and reconnaissance purposes to inform further military activity.
Cyber capabilities are a complex—and sometimes contradictory—feature of contemporary conflict. It is important that policymakers and strategists view the cyber activity witnessed during the Israel-Iran conflict for what it was: an incremental, enabling capability, in a much broader conflict between two determined rivals that dates back decades. Inflating the impact of such activity only amplifies its psychological effect—which risks playing into Iran’s hands, by making its capabilities appear much greater than they actually are.
Nikita Shah, PhD, is a senior resident fellow at the ’s Cyber Statecraft Initiative.
Image: Melted computers are pictured at the headquarters of the Islamic Republic of Iran News Network (IRINN) in Iran’s state television compound, which is destroyed in Israeli strikes during the war with Iran in northern Tehran, Iran, on June 19, 2025. (Photo by Morteza Nikoubazl/NurPhoto) REUTERS