A former NSA operative warned that Iran’s cyber retaliation against American companies may not come from a sophisticated state-run operation but from a teenager coordinating attacks in a Telegram chat room. The comment, reported by the Wall Street Journal amid escalating Israeli strikes on Iran, captures a shift in how Tehran wages digital warfare: through loosely affiliated young hackers whose actions are difficult to predict and harder to deter. With Iran’s domestic internet connectivity nearly cut off and U.S. agencies issuing fresh warnings about Iranian cyber threats, American businesses face a disorganized but real danger.
A Teenager With a Telegram Channel
“It’s in the hands of a 19-year-old hacker in a Telegram room,” the ex-NSA operative told the Journal, describing the threat that Iranian-linked cyber retaliation poses to U.S. firms. The warning reflects a pattern that U.S. prosecutors have already documented. Beginning in late December 2019 and continuing into January 2020, around the U.S. strike that killed Qasem Soleimani on January 3, 2020, an Iranian national named Behzad Mohammadzadeh, 19 years old when charged and operating under the alias “Mrb3hz4d,” allegedly defaced dozens of U.S.-hosted websites in what authorities described as retaliatory hacking. In September 2020 the U.S. Attorney’s Office for the District of Massachusetts charged Mohammadzadeh alongside a second defendant for those attacks, accusing them of exploiting vulnerable content management systems to plaster pro-Iranian messages across dozens of pages.
That case established a clear precedent: when geopolitical tensions spike between the U.S. and Iran, young hackers with nationalist motivations step into the breach. The defacements were relatively unsophisticated, replacing website content with slogans and imagery rather than stealing data or disabling systems. But the speed and breadth of the attacks showed how quickly a single motivated individual could cause disruption across a wide swath of the internet. The current moment, with Israeli military strikes hammering Iranian territory and Tehran’s conventional response options constrained, creates the same conditions that produced the Mohammadzadeh case, only with higher stakes, a larger global attack surface, and a generation of would-be hackers raised on encrypted chat apps and off-the-shelf attack tools.
U.S. Agencies Sound the Alarm
Federal cybersecurity agencies have been building the case for months that Iranian-affiliated actors would escalate digital attacks in response to regional crises. On June 30, 2025, the NSA, CISA, FBI, and the Department of Defense Cyber Crime Center (DC3) issued a joint fact sheet warning that Iranian state-sponsored or affiliated threat actors, including self-styled hacktivists, were likely to ramp up distributed denial-of-service, website defacement, and other disruptive activity against vulnerable U.S. networks, particularly internet-exposed devices running unpatched software or default credentials. That warning explicitly tied the threat to “recent events,” a diplomatic phrase that encompassed the Israeli-Iranian confrontation, attacks on regional energy infrastructure, and the risk that U.S. commercial entities would be targeted as proxies.
Earlier, in October 2024, CISA and its partner agencies had published a separate advisory describing how Iranian-linked operators were gaining footholds in American networks through password spraying (trying a few common passwords against many accounts, which stays under per-account lockout thresholds) and multi-factor authentication “push bombing,” in which a user is flooded with approval prompts until one is accepted. According to that advisory, once inside, the attackers harvested usernames, passwords, and configuration data that could later be sold on criminal forums or passed to more capable groups. This model, in which low-skill actors act as “initial access brokers” for others, means that even a teenager running basic scripts from a Telegram channel can enable a far more damaging intrusion. The line between a vandal defacing a website and a serious espionage operation blurs when both are drawing from the same pool of stolen logins and remote-access tools.
Iran’s Internet Blackout Changes the Calculus
The collapse of Iran’s domestic connectivity adds an unpredictable variable to that threat landscape. On Saturday, February 28, 2026, internet monitoring firm NetBlocks reported a near-total internet blackout in Iran, with connectivity dropping to roughly 4 percent of normal levels, according to contemporaneous reporting. That collapse of domestic communications does two things simultaneously: it degrades Tehran’s ability to coordinate state-run cyber operations through its intelligence and military services, and it pushes whatever retaliatory capacity remains toward individuals and small groups who may have access to external networks through VPNs, satellite links, or locations outside Iran’s borders.
This fragmentation is precisely what makes the ex-NSA operative’s warning so pointed. A centralized state cyber program, however aggressive, tends to operate with strategic calculation about targets, timing, and escalation. A scattered network of young hackers acting out of nationalist anger or seeking recognition in Telegram channels does not. For U.S. companies, that means the threat is less likely to arrive as a single, carefully planned intrusion into a defense contractor’s systems and more likely to show up as waves of denial-of-service attacks, opportunistic website defacements, or credential-harvesting campaigns hitting mid-sized businesses with weaker security postures. Any single incident may be modest, but the cumulative disruption across hundreds of organizations—from local governments to regional hospitals—could be significant, particularly if it coincides with broader geopolitical crises.
The Justice Department’s Track Record
U.S. prosecutors have pursued Iranian hackers across both ends of the sophistication spectrum, underscoring that Washington treats even loosely organized actors as part of a broader national security problem. Beyond the Mohammadzadeh case, the Justice Department in April 2024 announced charges against four Iranian nationals for what it described as a multi-year campaign targeting U.S. government departments, defense contractors, and private firms. Prosecutors alleged that the defendants used spear-phishing emails, social engineering, and custom malware to steal data from victims across multiple sectors, including aerospace and satellite technology, and then attempted to conceal their ties to Iranian government entities.
Those indictments, combined with earlier cases, illustrate how Iranian cyber operations span from ad hoc Telegram crews to structured teams that resemble traditional intelligence units. The Department of Justice has repeatedly emphasized that naming and charging individual hackers is meant both to disrupt ongoing operations and to signal that even actors working at the margins of the state apparatus can face long-term consequences. Yet law enforcement tools have limits when the immediate threat may be a teenager in a foreign jurisdiction launching commodity attacks from a rented server. That gap between attribution and deterrence leaves much of the burden on potential victims to harden their systems before they become targets.
Preparing for a Disorganized Threat
For American companies, the practical question is how to prepare for a threat that is both diffuse and emotionally charged. Federal officials have urged organizations to treat Iranian-linked activity as a persistent risk rather than a one-off response to any single incident. CISA and its partners maintain a dedicated overview of Iranian-affiliated cyber actors, urging critical infrastructure operators and other high-value targets to implement multi-factor authentication, patch known vulnerabilities quickly, and monitor for anomalous logins, including sign-ins from unexpected locations and bursts of failed attempts that span many accounts from a single source. Those same measures frustrate both sophisticated state-backed groups and low-skill attackers relying on leaked password lists and automated scanning tools.
Smaller organizations, however, often lack the dedicated security staff to track evolving advisories or to distinguish between nuisance-level attacks and precursors to something more serious. In an environment where a 19-year-old in a chat room can launch a denial-of-service campaign against a vulnerable website, the baseline for prudent defense shifts. Security experts point to a handful of steps that meaningfully reduce exposure: using reputable cloud providers with built-in DDoS mitigation, enforcing strong and unique passwords, enabling multi-factor authentication wherever possible (preferably phishing-resistant methods rather than push approvals that can be spammed), and keeping remote-access services such as RDP and VPN portals off the open internet or behind additional safeguards. None of these measures eliminates the risk posed by a motivated attacker, but together they force even an opportunistic teenager to look for an easier target, and in a moment of heightened geopolitical tension that may be the most realistic form of deterrence available.
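The password-spraying pattern described in the October 2024 advisory, and the monitoring step recommended above, share one detection insight: per-account lockout counters never fire when an attacker tries one or two passwords against many accounts, but pivoting on the source address and counting distinct usernames exposes the spray immediately. The script below is an added example written for this article, not code from the original page, from CISA, or from any vendor. The syslog-like log format, the sample lines, and the thresholds are all constructed for illustration; a real deployment would feed it VPN, RDP or identity-provider authentication events in whatever shape those systems emit.

```python
"""Password-spray detection over authentication log lines.

Added example, not from the article or any agency advisory. The log format,
thresholds and sample data are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). One source sprays a single
# password across six accounts and eventually gets in as "frank"; a legitimate
# user ("grace") mistypes twice from her own address and then succeeds.
SAMPLE_LOG = """\
2026-03-01T02:14:01Z vpn-gw auth: Failed password for alice from 203.0.113.7
2026-03-01T02:14:02Z vpn-gw auth: Failed password for bob from 203.0.113.7
2026-03-01T02:14:04Z vpn-gw auth: Failed password for carol from 203.0.113.7
2026-03-01T02:14:05Z vpn-gw auth: Failed password for dave from 203.0.113.7
2026-03-01T02:14:07Z vpn-gw auth: Failed password for erin from 203.0.113.7
2026-03-01T02:14:08Z vpn-gw auth: Failed password for frank from 203.0.113.7
2026-03-01T02:15:30Z vpn-gw auth: Failed password for grace from 198.51.100.20
2026-03-01T02:15:34Z vpn-gw auth: Failed password for grace from 198.51.100.20
2026-03-01T02:15:41Z vpn-gw auth: Accepted password for grace from 198.51.100.20
2026-03-01T02:16:10Z vpn-gw auth: Accepted password for frank from 203.0.113.7
"""

# Assumed line shape: "<ISO timestamp>Z <host> auth: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ auth: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_events(text):
    """Yield (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_spray(events, window=timedelta(minutes=15), min_users=5):
    """Flag source IPs whose failed logins hit at least `min_users` distinct
    accounts inside any `window`-long interval.

    A per-account lockout threshold misses this because each account sees only
    a few failures; grouping by source IP and counting distinct usernames does
    not. A later successful login from a flagged IP is reported as a likely
    compromise, which is the point at which an "initial access broker" has
    something to sell. Returns {ip: finding_dict}.
    """
    fails = defaultdict(lambda: defaultdict(list))  # ip -> user -> [timestamps]
    successes = defaultdict(list)                   # ip -> [(timestamp, user)]
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            fails[ip][user].append(ts)
        else:
            successes[ip].append((ts, user))

    findings = {}
    for ip, per_user in fails.items():
        stamps = sorted(t for ts_list in per_user.values() for t in ts_list)
        for start in stamps:  # slide a window anchored at each failure
            end = start + window
            users_in_window = {
                u for u, ts_list in per_user.items()
                if any(start <= t <= end for t in ts_list)
            }
            if len(users_in_window) >= min_users:
                compromised = sorted({u for t, u in successes[ip] if t >= stamps[0]})
                findings[ip] = {
                    "distinct_users": len(users_in_window),
                    "max_fails_per_user": max(len(per_user[u]) for u in users_in_window),
                    "window_start": start.isoformat(),
                    "compromised": compromised,
                    "severity": "high" if compromised else "medium",
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed sample, 203.0.113.7 is flagged with six distinct accounts, one failure each, and a later success as frank, so the finding is rated high; grace’s two mistakes from 198.51.100.20 touch only one account and produce no alert. Raising `min_users` above the number of accounts hit suppresses the finding, which is the knob to tune against the size of the user base and the normal background of typos. Because the source address is the pivot, an attacker who rotates through many proxies will fragment the signal, so in practice this check belongs alongside per-account and per-tenant failure-rate alerts rather than replacing them.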
*This article was researched with the help of AI, with human editors creating the final content.