Cyber Fattah
Cyber Fattah is a pro-Iranian hacktivist group that describes itself as an "Iranian cyber team" and is repeatedly characterized in the reporting as Iranian-backed, Iran-aligned, or affiliated with Iran’s broader proxy cyber ecosystem. The content places it among hacktivist and operational groups activated in support of Iranian objectives during the June 2025 Iran-Israel conflict and after the February 2026 U.S.-Israel strikes on Iran. It is also described in one source as a Palestinian-linked cell.
The reporting links Cyber Fattah to Iran’s layered cyber proxy model alongside groups such as Fatimion Cyber Team, Cyber Islamic Resistance, DieNet, and 313 Team, and notes that its branding appears designed to signal ideological allegiance to Tehran’s military-industrial narrative. The group is also noted as collaborating with regional actors such as 313 Team.
Reported activity attributed to Cyber Fattah includes reconnaissance, DDoS campaigns, website defacements, data theft, and data dumps. During the June 2025 conflict, it was cited as participating in reconnaissance, DDoS, defacement, and data theft operations coordinated with military developments on the ground. The group has been described as targeting Israeli and Western web resources and government agencies, educational institutions in Israel, and publicly exposed IoT devices by scanning Israeli-based network ranges. It was also cited as claiming responsibility for data dumps including targeting Israel’s Channel 13 News.
A specifically reported incident involved the alleged publication of thousands of personal records linked to athletes and visitors of the Saudi Games. According to the content, the breach was announced on Telegram on June 22, 2025 and shared as SQL database dumps. Resecurity assessed the intrusion as unauthorized access to phpMyAdmin tied to the Saudi Games 2024 official website, with leaked material reportedly including IT staff credentials, government email addresses, passports or ID cards, bank statements, medical forms, and other scanned sensitive documents. The reporting frames this incident as part of anti-U.S., anti-Israel, and anti-Saudi propaganda.
Cyber Fattah uses Telegram as a key platform for claiming attacks, broadcasting narratives, and rallying participants, including announcing DDoS targets. One report states the group announced planned attacks would follow after it finished "collecting specific resources," and another notes that on March 22 it forwarded a post from APT IRAN claiming a proof of concept for the alleged Lockheed Martin breach. The content also states that at least 60 hacktivist groups, including Cyber Fattah, were activated by Iran after the U.S.-Israel attacks. Known alias in the provided content: Cyber Fattah Team.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇮🇱 Israel
Where they're from
Attributed origin per open-source reporting.
- IR
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
The pro-Iranian actors were also targeting popular Hikvision and Dahua cameras with a number of authentication and command-related vulnerabilities. The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 for Hikvision; and CVE-2021-33044 in the case of Dahua. Patches for all vulnerabilities are available now.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Hacktivist group described as activated by Iran following the U.S.-Israel attacks.
Iranian-aligned hacktivist group participating in coordinated cyber activity during the 2026 Iran conflict.
Pro-Iranian hacktivist group targeting Israeli educational institutions and exposed IoT devices, including surveillance camera infrastructure.
Actor engaged in reconnaissance-stage messaging and amplification of APT IRAN breach claims, including Lockheed Martin-related PoC material.