Threat Actor Characterization

Cyber Toufan

ID: b2fc44bfdc7ac3aa9ca236d3d5522965
Actor type: Hacktivist group (Hacktivism)
Threat types: Hacktivism, Intrusion, DDoS Attack, Hack-and-Leak, Propaganda, Pro-Palestine, Pro-Iran
Countries: Iraq; ISR, USA
Updated: 2026-03-15
Created: 2026-01-20
Progress: 85% Completeness: 91% Freshness: 70%
Operation zone: Israel, United States
Aliases: Cyber Flood of Al-Aqsa, Cyber Iraq (11 further aliases not shown in the preview)

MITRE ATT&CK®
Cyber Toufan is a pro-Palestinian, anti-Israel hybrid hacktivist/proxy brand active since late 2023. Public reporting links it to data theft, leak operations, destructive claims, valid-account abuse, and Israel-focused campaigns that may benefit from Iran-aligned support or enablement.


Technique / Technique name / Tactics / Evidence

T1078 Valid Accounts (Tactics: TA0001, TA0003, TA0004, TA0005)
  • 2025-05-26 — Confirmed intrusions reportedly followed a consistent pattern of initial access via weak or reused credentials without MFA.
T1021.001 Remote Desktop Protocol (Tactics: TA0008)
  • 2025-05-26 — INFERENCE (confidence: medium): the reported "stealthy lateral movement across the network" is consistent with common Windows remote services such as RDP in provider and enterprise environments.
T1213 Data from Information Repositories (Tactics: TA0009)
  • 2024-06-14 — The attack affecting Israeli state archives reportedly resulted in theft of personal information from archive users, accessed through the website's query/request database.
T1567 Exfiltration Over Web Service (Tactics: TA0010)
  • 2025-05-26 — IR reporting describes coordinated data leak campaigns after intrusion, implying exfiltration to actor-controlled publication workflows.
  • 2023-12-29 — Public reporting states the actor promised and published stolen data from dozens of sites during a timed leak campaign.
T1586.002 Email Accounts (Tactics: TA0042)
  • 2024-01-03 — Public reporting documented spoofed emails that appeared to come from a Signature-IT domain while actually using a deceptive lookalike domain.
T1485 Data Destruction (Tactics: TA0040)
  • 2024-06-14 — The November operation was described by Israeli officials as a "very sophisticated and destructive" assault against archive-related infrastructure.
  • 2025-04-23 — Public reporting associates Cyber Toufan with the proprietary POKYBLIGHT wiper targeting Israel-based users.
T1491.001 Internal Defacement (Tactics: TA0040)
  • 2023-12-29 — INFERENCE (confidence: medium): the actor's leak-and-publication behavior is consistent with defacement-style or externally visible impact operations, even where pure web defacement is not the main vector.
T1583.001 Domains (Tactics: TA0042)
  • 2023-12-19 — Public reporting described a multi-channel social and publication ecosystem including Telegram and X accounts, implying recurring acquisition or maintenance of campaign infrastructure.
Strategic Intelligence
Last updated: 2026-03-15T13:03:52+00:00

Cyber Toufan / Cyber Toufan Al-Aqsa / Cyber Toufan Operations

Classification: TLP:WHITE — (Cyber / Hybrid Hacktivist Brand / Suspected Iran-aligned Proxy Cluster)

Author: iQBlack Team


Executive Summary

Cyber Toufan is a pro-Palestinian, anti-Israel threat actor brand that emerged in the immediate aftermath of the October 2023 Hamas attack and rapidly evolved into one of the most visible “hack-and-leak” identities operating against Israeli targets. Public reporting from late 2023 through early 2026 consistently describes the group as combining real intrusions, aggressive leak publication, destructive or disruptive claims, and a high-volume propaganda layer delivered through Telegram and related channels.

Open reporting indicates that Cyber Toufan has targeted Israeli public and private entities across government, web hosting, technology, defense-adjacent, retail, e-commerce, and education environments. The actor’s most notable early operational moment was the compromise of Signature-IT, an Israeli hosting and e-commerce service provider, which enabled downstream exposure of multiple customer organizations and set the tone for a campaign built around centralized access, staged leak cadence, and psychological pressure.


Hunting Playbook

Hunting Playbook — Cyber Toufan (hybrid hacktivist / leak-ops cluster; identity abuse + provider leverage pattern)

OSINT Library
Last saved: 2026-03-15T13:09:24+00:00

OSINT Library — Cyber Toufan


2023-11-23 — ICT / International Institute for Counter-Terrorism — “Cyber Toufan al-Aksa Hacker Group Join the Cease Fire”

Social Media & Communication

Known addresses (social and contact handles are masked in preview mode):
toufanleaks.org