Miaan Group said the victims included two Iranian dissidents inside the country and a technology worker who is an Iranian citizen living in Europe, who were targeted with spyware on their iPhones. (Kurt Kaiser/Wikimedia Commons)
(Bloomberg) -- More than a dozen Iranians’ mobile phones were targeted with spyware in the months prior to the country’s war with Israel, according to new research.
Miaan Group, a digital human rights organization based in Austin, Texas, found a number of Iranians who received threat notifications from Apple Inc. in the first half of 2025, and researchers believe they only identified a fraction of the total targets. Another round of Iranian spyware targets was discovered by Hamid Kashfi, a Sweden-based cybersecurity researcher and founder of the firm DarkCell.
The attacks mark the first known example of such highly advanced cyber-espionage tools being used both inside Iran and against Iranians living abroad. It’s not clear who was behind the attacks.
Miaan Group said the victims included two Iranian dissidents inside the country and a technology worker who is an Iranian citizen living in Europe, who were targeted with spyware on their iPhones. They were first notified of the incident via text message by Apple, which typically sends a threat notification message to victims when a hack is detected.
Kashfi said he found 12 victims, all inside Iran and working either in the country’s technology sector or for the government. Both Kashfi and the Miaan Group declined to name the victims in order to protect their safety.
The threat notifications, which were seen by Bloomberg, describe the attacks as “exceptionally rare” and costing “millions of dollars.” The Apple notification, which is careful to note that the company doesn’t attribute the attacks, compared the sophistication and cost of the recent attacks to Pegasus spyware from NSO Group.
“The extreme cost, sophistication and worldwide nature makes mercenary spyware attacks some of the most advanced digital threads in existence today,” Apple told the Iranian targets. “This attack is likely targeting you specifically because of who you are or what you do.”
Apple didn’t respond to a Bloomberg request for comment. The notification added that “Apple has high confidence in this warning.”
Kashfi said his investigation concluded that “zero-day zero-click” attacks were likely used. That approach exploits hidden vulnerabilities and require no interaction from the victim.
“Zero-click chains are more sophisticated, more expensive, one stage higher than typical hacking campaigns,” Kashfi said. “But they weren’t shy about using it and burning it.”
Neither Kashfi nor the Miaan Group were able to do full forensic examinations of the targeted iPhones. In several cases, being inside Iran made examinations impossible. In others, victims only came forward months after the notification. Finally, other targets chose to take their targeted iPhones to be examined by the Iranian government security services rather than independent experts living abroad, Kashfi said.
More stories like this are available on bloomberg.com
©2025 Bloomberg L.P.
