ALPHV/BlackCat and Pay2Key: Iranian hackers target US critical infrastructure through ransomware proxies, KELA warns

Iranian State-Backed Threat Actors Blur Lines Between Cybercrime and Espionage

Recent intelligence from KELA reveals a troubling evolution in Iranian state-sponsored cyber operations, where nation-state actors increasingly collaborate with criminal ransomware groups to conduct financially motivated attacks under the guise of extortion. Rather than operating standalone ransomware cartels, these groups now embed themselves within the cybercriminal ecosystem: acting as initial access brokers, partnering with ransomware affiliates, and deploying pseudo-ransomware to mask destructive campaigns as profit-driven attacks.

A prime example is Pay2Key, an Iran-linked ransomware operation that has resurfaced as a professionalized Ransomware-as-a-Service (RaaS) platform on the anonymous I2P network. The group now actively recruits affiliates from Russian cybercrime forums, offering an 80% profit share, up from the typical 70%, for attacks targeting U.S. and Israeli organizations. This model poses significant compliance risks: victims paying ransoms may unknowingly fund OFAC-sanctioned Iranian entities, exposing themselves to severe legal and financial penalties.

A joint advisory from the FBI, CISA, and DoD Cyber Crime Center in August 2024 highlighted groups like Pioneer Kitten (UNC757/Fox Kitten), which specialize in exploiting vulnerabilities in VPNs and firewalls to gain initial access. Instead of deploying their own ransomware, these actors hand off compromised networks to affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, taking a cut of ransom payments. This collaboration enables Iranian hackers to generate revenue while providing ransomware groups with streamlined access to high-value targets, including healthcare, education, and financial institutions in the U.S.

Pay2Key’s evolution underscores Iran’s use of ransomware as a geopolitical tool. Initially launched in 2020 by the Fox Kitten group to target Israeli organizations, the operation combined extortion with information warfare, leveraging data leaks to pressure adversaries. By 2025, it had rebranded as Pay2Key.I2P, adopting a more aggressive, scalable RaaS model that blends political objectives with criminal enterprise.

Beyond financial motives, Iranian actors have repeatedly used ransomware-style encryption as a cover for destruction. The Agrius APT group, for instance, repurposed the Apostle malware, originally a data wiper, into a ransomware variant, disguising sabotage as extortion. A similar tactic was observed in July 2022, when an Iranian state-sponsored actor deployed ROADSWEEP ransomware alongside a destructive wiper against Albanian government networks, framing the attack as a ransom operation despite its true intent being disruption.

Attribution challenges are further complicated by "moonlighting," where Iranian operatives use state-provided tools and access for personal financial gain. In April 2024, the U.S. DOJ and Treasury Department sanctioned individuals linked to Mahak Rayan Afraz, a front company for the IRGC’s Cyber-Electronic Command, after operatives were found running ransomware schemes alongside official state duties.

The convergence of state-sponsored cyber warfare and cybercrime creates serious legal and operational risks for organizations. Paying ransoms to seemingly independent groups may violate OFAC sanctions if those groups have undisclosed ties to Iran, leading to heavy penalties. The shift demands heightened vigilance, as traditional security measures such as patching and backups must now account for hybrid threats that blend espionage, sabotage, and financial crime.

Source: https://industrialcyber.co/ransomware/iranian-hackers-target-us-critical-infrastructure-through-ransomware-proxies-kela-warns/
