Arrest of Iranian Hacker Spotlights Iran’s Movement into Economic Espionage and IP Theft

Turkish-Iranian national, identified by media as Amir Barati, who was arrested last week in Montenegro for allegedly hacking more than 150 US universities on behalf of Iran’s Islamic Revolutionary Guard Corps.

A lot has been written in the last decade about China’s economic espionage through its theft of intellectual property. Former FBI Director Christopher Wray once referred to these thefts as “one of the largest transfers of wealth in human history.”

But the arrest last week of an Iranian hacker in Montenegro is shining a light on similar activity conducted by Iranian hackers on behalf of their government over the last decade — activity that has been overshadowed for many years by other Iranian hacking activity. The timing of the activity also suggests Iran may have been inspired by the economic espionage operations conducted by China.

Montenegro police revealed last week that an Iranian-Turkish citizen had been arrested at the request of the US Federal Bureau of Investigation for conducting cyberattacks against US infrastructure — including more than 150 US universities — in order to steal data on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) and Iranian universities. In addition to its military corps, the IRGC also conducts surveillance inside Iran and collects intelligence against targets outside the country.

According to media reports, the defendant’s hacking operations began in 2013 and caused $3.4 billion in damages, though police statements didn’t reveal the nature of the information he allegedly stole or how authorities arrived at the damages figure.

Montenegro media identified the defendant only as A.B., but Turkish media have identified him as 39-year-old Amir Barati.

The case is interesting not only because it’s rare for the US to arrest Iranian nationals who reside in the Islamic Republic — Iran doesn’t have an extradition agreement with the US, so authorities have to wait until suspects travel outside the country to nab them — but also for the nature of the hacking crimes described.

Iranian hackers have in the past been indicted for conducting distributed denial-of-service campaigns against US banks, hacking a small dam in New York State, unleashing ransomware on 200 victims, launching a misinformation campaign targeting US voters in the 2020 presidential election and hacking members of the Trump presidential campaign.

But the theft of intellectual property — with a focus on academic research and innovation — has not traditionally been a common mark of Iranian hacking operations.

The details around the case are sparse, and there is currently no public indictment or other records related to Barati in the New York court system where he is reportedly being charged. But the few details that have been revealed in Montenegro police statements suggest his case may be related to another case that was filed in 2018 in the US against nine other Iranians. Those defendants (Barati is not named in the indictment) were charged with a widespread and coordinated hacking campaign that, according to prosecutors, was also conducted at the behest of the Iranian government and the IRGC and targeted US universities and others.

The 2018 indictment, filed in the US District Court for the Southern District of New York, says the nine men — between ages 26 and 39 at the time of the indictment — were all connected in some way to the Mabna Institute, an Iran-based company that was created more than a decade ago for the purpose of hacking and stealing academic data and intellectual property from foreign targets, according to prosecutors.

The nine defendants include the founders of the institute, Gholamreza Rafatnejad and Ehsan Mohammadi, as well as contractors, hackers-for-hire and other associates of the company. Prosecutors say the group was responsible for hacking at least 144 universities in the US and an additional 176 universities across nearly two dozen other countries, including Australia, the UK, China, Israel, Germany and Japan.

They also say the group hacked 30 US companies, as well as five US federal and state government agencies — including the Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, and the State of Indiana — and the United Nations. Most of their activity around the latter victims involved stealing entire email boxes from people who were targeted in the campaign.

The companies from which they stole email boxes included three academic publishers, two media and entertainment companies, a law firm, eleven tech firms, five consulting firms, two banking or investment firms, a healthcare company and a biotech firm. They also created automated forwarding for compromised accounts so that new incoming or outgoing emails would be forwarded to the hackers.

The Justice Department called it “one of the largest state-sponsored hacking campaigns ever prosecuted” by the US.

The government says the Iranian group’s activity can be traced back to 2013, around the time the Institute was founded. Notably, this is the year when China’s economic espionage operations were first publicly exposed in a now-famous report published by the computer security firm Mandiant. This so-called APT-1 report exposed for the first time the breadth of China’s theft of trade secrets and other intellectual property from the US aerospace industry, the pharmaceutical industry and a wide swath of other sectors — all to bolster China’s industries and scientific research and development.

Did the Iranian government, or the Mabna Institute, take inspiration from the APT-1 report about China’s economic espionage? It’s hard to say, but given that Rafatnejad and Mohammadi founded the Mabna Institute in “approximately 2013” and began their hacking operations that year to assist the IRGC and Iranian universities and scientific and research organizations in stealing non-Iranian scientific resources, there may be a connection.

According to US prosecutors, the Mabna Institute, based in Tehran, contracted with Iranian government entities, universities and private clients to hack on their behalf and over time stole more than 31 terabytes of data.

They targeted more than 100,000 accounts belonging to academics around the world and succeeded in compromising nearly 8,000 of these, about half of which belonged to professors in the US. They achieved many of the breaches through spear-phishing — sending malicious emails to professors that appeared to come from colleagues at other universities. The emails praised the targeted professors for papers they had written and included links that, when clicked, took the recipient to a malicious web page that tricked the professors into entering the credentials for their university account.

Through these hijacked accounts they were able to obtain access to theses, dissertations, research and other intellectual property that prosecutors say cost the universities an estimated $3.4 billion to procure. The indictment doesn’t say how prosecutors arrived at this amount, however. The hackers stole data across multiple disciplines — science and engineering, technology, social sciences, medical and other fields.

They also provided access to the hijacked academic accounts to the IRGC or sold the access to Iranian university clients who used them to gain access to online library resources and data.

The court docket for the 2018 case contains mostly sealed documents so it’s unclear if any of the defendants have been arrested since the indictment was unsealed eight years ago. But the docket does show more recent sealed documents added to the case in 2020, 2022 and December 2025. These may be related to arrests of the nine defendants that haven’t been made public yet, or they could simply describe in more detail the type of research and intellectual property that was stolen and the losses that victims incurred as a result.

Since the 2018 indictment, prosecutors have also brought another unrelated but similar case against Iranian defendants. In 2020, they charged three Iranian nationals with a multi-year campaign to hack satellite companies — also on behalf of the IRGC. The hackers, one of whom prosecutors say was a member of the IRGC working in intelligence related to air, space and cyber operations, were looking to steal “critical information related to U.S. aerospace and satellite technology and resources.” Prosecutors say the IRGC member fed instructions to the other two hackers, who were associates of his.

The hacking campaign began around July 2015 and continued until February 2019 and involved spear-phishing emails that enticed recipients to click on malicious links from which malware was downloaded to their computers.

The hackers had a list of 1,800 target victims, though prosecutors don’t say how many accounts they successfully compromised or the overall impact of their operation. Only a few victims are described in the indictment — they include a company involved in real-time satellite tracking, a commercial firm that provides satellite voice and data services to customers and a university professor who had numerous contacts in the satellite and aerospace industries.

All of these cases — the 2018 Mabna Institute case, the 2020 satellite case and the recent case involving Barati — suggest that Iran has had an ongoing interest and involvement in stealing trade secrets and research. But unlike Chinese operations, which often involve highly skilled hackers, a constellation of shell companies and a well-organized hierarchical structure connected to the People’s Liberation Army or the Ministry of State Security (China’s civilian intelligence agency), Iran’s efforts appear to be less mature and sophisticated.

Barati was scheduled to appear in court for a hearing this week in Montenegro to determine if he will be extradited to the US.

See also:

How the Infamous APT-1 Report Exposing China's PLA Hackers Came to Be

Unmasking China's State Hackers

Intrusion Truth: Five Years of Naming and Shaming China's Spies

Experts Confirm the Fast16 Malware Was Sabotaging Nuclear Weapons Tests, Likely in Iran

Timeline of Iran's Nuclear Program and the Stuxnet and Fast16 Attacks

Iranian Hacktivists Strike Medical Device Maker Stryker in "Severe" Attack that Wiped Systems