
As conflict surged across the Middle East in June 2025, so too did the intensity and scope of cyber operations. In a recent report, the Group-IB Threat Intelligence unit revealed a complex picture of hacktivist waves, targeted cyberattacks, and electronic warfare — some of which had tangible impacts on critical infrastructure and civilian safety.
“While hacktivist groups have generated significant noise… the first week of intensified hostilities has also revealed the presence of more sophisticated cyber operations with direct operational impact,” the report states.
Between June 13 and 20, Group-IB observed over 250 hacktivist attacks. These included DDoS strikes, defacements, and recycled data leaks, mostly targeting the government, financial, media, energy, education, and telecom sectors.
The report outlines a familiar lifecycle:
“An explosive launch → a brief plateau → a secondary surge in response to geopolitical development → and a rapid decline.”
Notably, message traffic across monitored Telegram channels surged 46% above baseline on June 13, with more than 5,800 messages posted in one week, largely by loosely coordinated networks.
“Approximately 16% of content was forwarded or amplified, while 84% was original, reflecting broad decentralized participation.”
More concerning than digital defacements were credible, high-impact incidents that blurred the lines between cyber and physical warfare.
From June 14–20, widespread GPS spoofing disrupted aviation and maritime navigation across Israel, Iran, Lebanon, and GCC nations. According to Group-IB:
“An average of 972 ships per day experienced GPS jamming between June 15–18, peaking at 1,155 vessels.”
In the air, similar disruptions affected aircraft navigation. IATA reported a 220% rise in GPS loss events from 2021 to 2024. EASA issued safety advisories, while some airports in the Gulf warned pilots to prepare for signal interference.
These incidents demonstrate deliberate electronic warfare, capable of confusing pilots, redirecting vessels, and introducing life-threatening uncertainty into already tense regions.
Another tactic emerged on June 16 when fake SMS alerts were sent to Israeli citizens. Disguised as messages from the country’s emergency alert system “OREFAlert,” they falsely warned civilians to exit shelters or flee due to fabricated terror threats and gas leaks.
“The messages appeared to come from ‘OREFAlert’… citing a fabricated ‘possible terror attack within shelters,’” Group-IB notes.
These false alerts could have endangered lives during active missile strikes, turning trusted communication systems into tools for chaos.
Iranian cryptocurrency exchange Nobitex was compromised by the threat actor Predatory Sparrow on June 18. The attackers alleged that the platform was complicit in sanctions evasion and terror financing.
They didn’t just steal data—they “burned” $90 million in cryptocurrency, permanently removing the funds from circulation.
“The group threatened to release the platform’s source code and internal data within 24 hours” — a threat they fulfilled the next day.
The leak included over 5,000 directories and 20,000 source code files, wallet management systems, KYC processes, and integrations with Iranian financial institutions.
“This highly detailed breach effectively provided a complete operational blueprint of the exchange’s operations,” the report emphasizes.
On June 20, Bloomberg and Group-IB reported Iranian-linked cyber actors exploiting unsecured IP cameras in Israel to gather battle damage assessments after missile strikes. Over 30,000 cameras were identified as exposed, and live footage was even streamed on platforms like Twitch and YouTube.
“Open-source analysts and others have used these feeds for real-time conflict monitoring… demonstrating their significant intelligence value to multiple parties.”
The tactic isn’t new—but this is one of the few times a national cyber authority officially acknowledged it at scale.
On June 18, Iran’s state broadcaster IRIB was hijacked to display anti-government content and pro-Israeli messaging. Footage from the 2022 “Woman, Life, Freedom” protests was aired alongside the logo of Operation Rising Lion.
Though Iranian authorities blamed Israel, the hijack mirrored a 2022 incident by the hacktivist group Adalat Ali.
Group-IB researchers also debunked several fabricated or exaggerated claims by hacktivist groups:
- Shadow Unit falsely claimed to leak credentials from Egyptian universities. Analysis showed the data was recycled combolists, not new breaches.
- RuskiNet claimed to leak data on 38,000 SAP Israel employees, which turned out to be from a 2023 breach of an unrelated payments platform.
Group-IB’s report illustrates how hacktivists, APT actors, and state-sponsored groups are merging online operations with real-world chaos. From GPS jamming to SMS spoofing, these tactics reflect a new kind of escalation—one where digital aggression supports physical strategy.
“Activity is likely expected to shift toward short, reactive bursts tied to future geopolitical events rather than sustained campaigns,” Group-IB assesses.
The report ends with a strong call for heightened vigilance, robust defense protocols, and real-time intelligence to combat this new era of cyber-kinetic conflict.