U.S. cyber operations against Iran’s Islamic Revolutionary Guard Corps have shifted from defending American elections to targeting the IRGC’s internal command structure, according to a trail of federal indictments, Treasury sanctions, and interagency intelligence statements spanning 2020 through 2024. That campaign now intersects with a volatile moment: the February 2026 U.S.-Israeli military strikes on Iran and the killing of Supreme Leader Ali Khamenei on March 1, 2026, which, according to contemporaneous reporting, shattered Iran’s political order and triggered a high-stakes succession struggle inside the security apparatus. As Reuters detailed, the loss of Khamenei left the Guard struggling to stabilize a fractured hierarchy and competing power centers, especially within the security and intelligence wings that had long served as his enforcement arm. The convergence of years of digital pressure with kinetic military action raises a pointed question about whether Washington’s cyber strategy can accelerate the fractures already spreading through the Guard’s ranks.
Years of IRGC Hacking Drew a Coordinated U.S. Response
The scale of IRGC cyber activity against U.S. targets became clear through two parallel federal prosecutions. In one case filed in the District of Columbia, prosecutors charged three Iranian cyber specialists linked to the Guard in a sprawling hack-and-leak operation that began around January 2020 and ran through at least September 2024. The indictment of Masoud Jalili, Seyyed Ali Aghamiri, and Yasar Balaghi described a campaign that used spearphishing and social engineering to compromise email and cloud accounts belonging to political figures, campaign staff, and policy experts. According to the charging documents, the operation shifted in May 2024 to focus on personal accounts associated with U.S. presidential campaigns, and by late June the conspirators were allegedly attempting to weaponize stolen material by leaking it to media outlets and political operatives in an effort to shape public narratives.
Court filings in Washington also revealed how the conspirators organized their work. The government’s detailed description of their tactics, techniques, and procedures, preserved in an accompanying document filed with the indictment, shows the operators building tailored phishing lures, registering look‑alike domains, and using anonymization services to mask their infrastructure. In parallel, a separate prosecution in the Southern District of New York charged four Iranian nationals in a multi‑year hacking campaign targeting U.S. government agencies, critical infrastructure, and defense contractors. One defendant was tied to Iran’s Organization for Electronic Warfare and Cyber Defense, described in the case as part of the Guard’s broader cyber ecosystem. That campaign, which ran from 2016 to 2021 according to a superseding indictment, relied on credential‑harvesting tools, domain mimicry, and compromised administrator accounts to engineer large‑scale breaches. Taken together, these cases document nearly a decade of overlapping IRGC operations against American political and defense targets before Washington began treating them as a systemic threat rather than a series of isolated intrusions.
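The look-alike domains and domain mimicry described in both prosecutions are the kind of infrastructure a defender can catch early, because a new registration that mimics a campaign or contractor domain usually differs from the real one by a single swapped character, a confusable glyph, a different top-level domain, or the real brand buried as a subdomain. The scorer below, added here as an illustration and not code from the indictments or from any U.S. agency, folds a candidate hostname into a comparable form and classifies it against a list of protected domains. The protected names, the confusable table, the edit-distance threshold and the sample hostnames are all assumptions constructed for the example.

```python
"""Look-alike domain scorer: flags typosquats, homoglyph and TLD-swap domains,
and hostnames that embed a protected brand as a subdomain.

Added illustration, not code from the indictments or any U.S. agency. The
protected domains, the confusable table and the thresholds are assumptions.
"""
import unicodedata

# Constructed list of domains to protect (hypothetical names).
PROTECTED = ["example-campaign.org", "contractor-mail.com"]

# Hand-picked confusables; a production scorer would use the Unicode
# confusables data (UTS #39). Longer keys are substituted first.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0131": "i",  # dotless i
}


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so folding sees the real characters."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (or malformed): compare as given


def fold(label: str) -> str:
    """Case-fold, strip accents, then collapse confusable sequences."""
    s = unicodedata.normalize("NFKC", label).casefold()
    s = "".join(c for c in unicodedata.normalize("NFKD", s) if not unicodedata.combining(c))
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (labels below the TLD, TLD). Naive: the last label is the TLD;
    a real scorer would consult the Public Suffix List for cases like co.uk."""
    labels = to_unicode(host).strip(".").lower().split(".")
    return labels[:-1], labels[-1]


def classify(candidate: str, protected=PROTECTED, max_dist: int = 2):
    """Return (kind, protected_domain, edit_distance), or None if benign."""
    labels, tld = split_host(candidate)
    if not labels:
        return None
    sld = labels[-1]                      # label directly under the TLD
    folded_sld = fold(sld)
    for p in protected:
        p_labels, p_tld = split_host(p)
        p_sld = p_labels[-1]
        folded_p = fold(p_sld)
        if sld == p_sld and tld == p_tld:
            return None                   # the protected domain itself, or a real subdomain of it
        dist = levenshtein(folded_sld, folded_p)
        if dist == 0:
            # Same after folding but not the same raw domain: either the TLD was
            # swapped or confusable characters were substituted.
            return ("tld-swap" if tld != p_tld else "homoglyph", p, 0)
        if dist <= max_dist:
            return ("typosquat", p, dist)
        if any(folded_p in fold(lbl) for lbl in labels):
            return ("brand-embed", p, dist)  # brand used as a subdomain or inside a longer label
    return None


def scan(hosts):
    """Map each flagged hostname to its classification; benign hosts are omitted."""
    return {h: r for h in hosts if (r := classify(h)) is not None}


if __name__ == "__main__":
    # Constructed sample of the sort found in new-registration feeds or mail logs.
    sample = [
        "mail.example-campaign.org",
        "examp1e-campaign.org",
        "example-campaign.com",
        "exmaple-campaign.org",
        "example-campaign.org.secure-login.net",
        "ex\u0430mple-campaign.org",
        "unrelated-site.net",
    ]
    for host, (kind, target, dist) in scan(sample).items():
        print(f"{host:45s} {kind:12s} mimics {target} (distance {dist})")
```

Run it against a daily feed of newly registered domains or the sender domains in mail logs, and treat any hit as a candidate for blocking or for a takedown request; the naive TLD split and the hand-picked confusable table are the two places a production version would need to be stricter.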
Election Interference Forced an Offensive Shift
The turning point came when IRGC cyber operations moved beyond espionage into active attempts to manipulate U.S. elections. A joint statement from the Office of the Director of National Intelligence, the FBI, and CISA warned of increasingly aggressive Iranian activity during the 2024 election cycle, including both covert influence campaigns and direct cyber operations targeting presidential campaigns and their staff. The agencies emphasized that Iranian actors had adopted theft‑and‑disclosure tactics, stealing non‑public political data and selectively releasing it, to influence voter perceptions and sow distrust in democratic processes. That assessment built on earlier warnings that foreign adversaries were experimenting with hacks timed to the news cycle, betting that even modest leaks could be magnified by polarized media and social platforms.
Subsequent interagency updates added granular detail about how the IRGC‑linked operators tried to operationalize their access. Investigators found that in late June and early July 2024, Iranian cyber actors sent unsolicited emails to individuals associated with President Biden’s campaign that contained excerpts of stolen, non‑public material from former President Trump’s campaign, along with claims about its significance. The same operators continued efforts to push the material to U.S. media organizations and political intermediaries, hoping to trigger coverage that would echo through partisan and social channels.
This was not the first time Iran had tried to interfere in American elections. A 2020 whole‑of‑government statement from seven federal agencies, including the Justice Department, the Pentagon, and the NSA, explicitly named Iran alongside Russia and China as a foreign malicious actor seeking to interfere through disinformation and disruptive cyberattacks, even as officials stressed there was no evidence of vote tampering through compromised election infrastructure. The repeated attempts to disrupt consecutive election cycles pushed U.S. Cyber Command from a largely defensive posture into more assertive action. By late 2022, according to officials cited in public reporting, Cybercom was conducting operations to identify and disrupt both Russian and Iranian hackers in real time during the midterms, treating election protection as an ongoing cyber campaign rather than a one‑off mission.
Sanctions and Indictments as Pressure Tools
Legal and financial pressure reinforced the cyber operations. The U.S. Department of the Treasury designated a network of IRGC‑affiliated cyber actors for their roles in ransomware incidents and other malicious intrusions, identifying individuals and front companies that provided infrastructure, financing, and technical support. The sanctions package was notable for the breadth of its coordination: Treasury worked alongside the Justice Department, the State Department, the FBI, U.S. Cyber Command, the NSA, and CISA to synchronize legal filings, public attributions, and defensive advisories. That level of institutional alignment signaled that Washington viewed IRGC cyber activity not as a narrow law‑enforcement problem but as a national security challenge requiring military, intelligence, and diplomatic tools operating in concert.
The strategy of layering indictments on top of sanctions and offensive cyber disruptions created compounding pressure on IRGC personnel. Named individuals now face travel restrictions, asset freezes, and the likelihood that Western intelligence services have mapped their operational networks in enough detail to build criminal cases. For mid‑level IRGC cyber operators, the message is personal: their identities are known, their infrastructure is vulnerable, and their financial lifelines can be severed with little warning. That raises the cost of participation, especially for technically skilled recruits who might otherwise see cyber work as a relatively low‑risk way to serve the Guard. At the same time, the public nature of the indictments and sanctions helps inoculate potential targets (campaigns, contractors, and infrastructure operators) by exposing tradecraft and forcing the IRGC to burn tools and domains it once relied on.
A Fractured IRGC Faces Simultaneous Kinetic and Cyber Pressure
The 2026 military confrontation with the United States and Israel arrived at a moment when the Guard was already under sustained digital and financial strain. Reuters reporting on Khamenei’s killing describes a leadership vacuum that immediately intensified competition among hard‑line factions, with IRGC commanders and security chiefs maneuvering to shape the succession. In that environment, the same cyber units previously focused on external operations were increasingly drawn into internal security tasks: monitoring elite rivals, tracking dissent within the ranks, and defending regime communications from perceived foreign exploitation. Years of U.S. indictments and sanctions had made it harder for those units to acquire infrastructure abroad or safely move money, complicating their ability to pivot quickly under crisis conditions. The simultaneous shock of airstrikes and leadership decapitation meant that senior officers had to triage between defending critical networks, managing public unrest, and jockeying for political advantage.
For U.S. planners, that convergence created both opportunity and risk. On one hand, a Guard distracted by succession politics and scrambling to re‑secure compromised systems may be more vulnerable to carefully timed cyber operations aimed at degrading command‑and‑control or exposing corruption among rival factions. On the other, aggressive digital strikes during a leadership crisis could strengthen the hand of the most hard‑line elements, who can point to foreign interference as justification for purges and emergency powers. The record of U.S. actions from 2020 through 2024, including indictments that name individual operators, sanctions that freeze the assets of supporting companies, and Cyber Command operations that quietly disable infrastructure, suggests Washington has favored a calibrated approach designed to impose cumulative costs without triggering uncontrolled escalation. As the post‑Khamenei power struggle unfolds, the effectiveness of that strategy will hinge on whether continued cyber pressure deepens existing fractures within the Guard or instead pushes warring factions to close ranks against a common external adversary.
*This article was researched with the help of AI, with human editors creating the final content.