A Chilling Revelation of Cyber Warfare Behind Closed Doors
A bombshell data leak has pulled back the curtain on Amnban, a cybersecurity firm in Iran that was thought to be just another private-sector tech company but is now revealed to be a covert operation hub for state-sponsored cyber warfare. The company, backed by Iran’s Ministry of Intelligence and Security (MOIS), is deeply entangled in the world of international cyber-espionage. Gigabytes of leaked internal documents have unveiled Amnban’s secret identity as a front for APT39, a cyber-espionage group notorious for targeting critical infrastructure, international airlines, logistics giants, and even cryptocurrency exchanges.
What makes this leak truly alarming is its depth and scale. It exposes not just plans, but actual attack footage, detailed project structures, internal emails, and reconnaissance dossiers filled with private data of millions. This is not some rogue operation—it is a calculated, systematic campaign of surveillance and cyber aggression.
With ties to sanctioned hackers and MOIS operatives, Amnban represents a new breed of cyber threat—one that uses the cover of legitimate cybersecurity consulting to carry out espionage and sabotage on a global scale. Airlines, logistics companies, and even crypto firms around the world have unknowingly become targets of Iran’s digital warfare machine.
Inside the Global Espionage Network Posing as a Cybersecurity Firm
From Tech Startup to Cyber Spy Syndicate
Founded in 2018 by tech elites from Sharif University, Amnban marketed itself as a defender of Iranian cyberspace. However, a massive breach of internal data—spanning emails, documents, and surveillance footage—reveals that it operates more like a covert wing of the Iranian state. The leak provides undeniable proof of direct cyberattacks against international airlines and logistics providers, with companies such as Royal Jordanian, Emirates, Wizz Air, FedEx, DHL, and USPS all appearing in targeting files.
Not Just Penetration Tests — Actual Espionage
The leaked material includes surveillance-style documentation of hacks, not audits. Amnban’s attack blueprints resemble intelligence gathering rather than security consulting. They compiled recon dossiers with passenger manifests, passport numbers, flight itineraries, addresses, and contact information, suggesting the goal was not to secure networks but to surveil individuals and harvest identities on a mass scale.
Clear Evidence of State Sponsorship
Among the documents are clear signs of Iranian state involvement. APT39, known as Chafer, is already under international sanctions for attacks on critical infrastructure. Amnban employed several APT39 figures, including Behnam Amiri and Ali Kamali, both flagged by Western intelligence agencies. Logs confirm that MOIS agent Hamed Mashayekhi visited Amnban’s office frequently, cementing the firm’s deep state ties.
Multi-Vector Cyber Attacks — Airlines to Crypto Firms
Amnban’s operations extended beyond traditional infrastructure. They infiltrated the cryptocurrency world, targeting companies like Binance, KuCoin, and CoinSwitch. Their methods relied on advanced social engineering, including phishing disguised as support tickets, impersonation via LinkedIn, and attempts to bribe insiders.
Their infrastructure spanned continents, using global virtual private servers and burner email domains to mask attribution and make tracing nearly impossible.
Real-World Consequences — And Global Security Gaps
The leak raises urgent questions: How did Arshia Akhavan, an Amnban employee, enter the U.S. despite known ties to sanctioned cyber groups? How much of the stolen airline data is being used for current espionage or identity-based tracking? Millions of travelers now face exposure not just to hackers, but potentially to physical surveillance and state-level targeting.
Amnban is not a failed cybersecurity experiment—it is a purpose-built arm of digital warfare, masquerading as a tech consultancy to wage a campaign of global cyber-sabotage, surveillance, and intimidation. The leak underscores how critical infrastructure providers worldwide are unprepared for such state-sponsored hybrid threats.
What Undercode Says:
Amnban as a Template for Covert Cyber Militancy
This case exposes a growing and disturbing trend—cybersecurity firms as dual-purpose actors, blending legitimate services with espionage missions. The sophistication of Amnban’s infrastructure reveals not just technical prowess but long-term strategic planning, likely with support from Iranian intelligence agencies.
The methodology was clear and deliberate: penetrate sectors critical to mobility (airlines), commerce (logistics), and digital finance (crypto). Each sphere opens up massive exploitation potential, from economic disruption to intelligence-gathering on dissidents, foreign officials, and business leaders.
The naming conventions in Amnban’s internal folders—labeled “Projects” and “R&D”—reflect standard organizational structures. Yet the contents reveal operational plans, targets, and completed cyberattacks. This type of “pseudo-normalization” makes detection more difficult and raises alarms about how many other similar entities may be active globally.
Even more concerning is the social engineering sophistication. This is not a teenage hacker running scripts. Amnban operatives developed multi-pronged intrusion vectors, combining technical exploits with human manipulation tactics like fake job offers, bribery, and phishing. This suggests psychological warfare training, likely coordinated with or inspired by Iranian intelligence practices.
The connection to APT39, a known actor in Iranian cyber operations, is more than symbolic. It creates legal and diplomatic complexity, especially for countries like the U.S. that may now need to revisit immigration protocols and review potentially compromised digital infrastructure.
More critically, the leak highlights a massive data sovereignty problem. Airlines and international logistics firms are now the custodians of millions of potentially weaponizable data points. If this data falls into the hands of state actors, it can fuel surveillance, blackmail, and geopolitical disruption.
Crypto firms, too, are now directly in the crosshairs. Amnban’s phishing attacks on platforms like Binance weren’t isolated stunts—they were part of a broader campaign to weaken decentralized finance ecosystems and gather intelligence on users and asset movements.
This development signals a paradigm shift in state cyber capabilities. We’re not just dealing with rogue nation-states sponsoring hackers. We’re entering an era where entire companies are weaponized, operating under legal facades while executing cyber-military operations.
The West must respond with a multi-tiered defense strategy: tighter vetting of overseas consultants, hardened cybersecurity protocols across aviation and logistics sectors, and renewed international cooperation on sanction enforcement and intelligence sharing.
The Amnban leak isn’t just a scandal—it’s a strategic wake-up call for governments, corporations, and civil society alike.
🔍 Fact Checker Results
✅ Amnban is confirmed to have ties with APT39, a group sanctioned by the U.S.
✅ The data leak revealed passenger and logistical data theft from major international airlines.
✅ Known MOIS operatives were involved with Amnban’s leadership and operations.
📊 Prediction
Iran will continue to expand cyber operations using seemingly legitimate tech companies as covert platforms. Expect rising cyber activity targeting aviation, logistics, and decentralized finance sectors in Europe, the Middle East, and North America. Western agencies will likely increase scrutiny of immigrant tech workers with potential ties to sanctioned organizations.
References:
Reported By: cyberpress.org