Iran’s hackers are coordinating more closely, Israel’s top cyberdefense official says

Tehran’s hackers have grown more organized, more coordinated and more willing to use artificial intelligence for influence operations in recent months — and they have demonstrated many of those capabilities since the war with Iran began, according to Israel’s top cyberdefense official.

In a Tuesday interview, the director-general of Israel’s National Cyber Directorate, Yossi Karadi, said Iranian state-aligned groups are further sharing cyber tools among each other and using AI to polish disinformation and recruitment messages.

At the same time, Karadi said he is pressing major AI labs for controlled access to powerful models like Anthropic’s Mythos, arguing that governments need the same tools attackers are seeking to adopt.

In the last year, Iran’s state-backed hacking units have increasingly “begun to talk to each other, and then collaborate with each other, and then even sometimes exchange information” among themselves, he said. “Of course, when they work together, they can work more efficiently and better.”

During the recent war, Iran has sent hundreds of thousands of text messages to Israelis as part of a deception and influence campaign, he said. 

“In some cases, they’d send messages like, ‘don’t go to the bomb shelters because they are closed,’” Karadi said, adding that other messages sought to recruit Israelis for intelligence-sharing.

For a while, those messaging campaigns were in “very bad Hebrew, so you understand, ‘okay, it’s nonsense,’” Karadi said. But more recently, AI has helped Tehran improve message quality. 

In March, Israel said it bombed a key Iranian cyberwarfare operation center. Asked about how that attack and similar efforts affected Tehran’s hacking prowess, Karadi said only that the nation’s cyberactivity largely fluctuated, depending on the intensity of the conflict.

When bombing campaigns against Iran intensified, hacking activity tended to decrease because it was harder for state operatives to access physical assets like computers and other equipment needed for cyberattacks, he said. Conversely, when strikes slowed, state hacking groups would have more room to reorganize and collaborate again.

As the U.S. and Iran work to implement a peace agreement to end the war, Karadi said there is little expectation that cyber activity from either side will stop, arguing that any party can deny involvement in a cyberattack, compared to a physical strike using missiles or bombs. 

“There is no ceasefire in cyber,” he said. “You cannot force any agreement on cyber.” 

Over the last few months, Iran has compromised a swath of smaller Israeli organizations and a handful of American targets. Pro-Iran hackers have targeted various U.S. industrial control systems, federal officials said early last month. One group, likely state-affiliated, also claimed to have compromised medical technology giant Stryker. And just last week, researchers said Iran-linked hackers deployed a slew of cyberespionage techniques that targeted the U.S., Israel, the UAE and other Middle Eastern nations.

Asked if the cybersecurity community underestimated the strength of Iran’s hacking ecosystem, Karadi said he would only speak for Israel, and asserted they “obviously did not underestimate” Tehran. Since the 12-Day War last year, “we were in an 100% alert situation, and we have been preparing ourselves for high-scale cyber war,” he said. 

The remarks provide a window into how Israeli officials believe Iran’s cyber apparatus has adapted under wartime pressure and amid negotiations now underway between the U.S. and Tehran that could end the war, which began in late February.

Karadi conducted the interview as part of a visit to Washington this week, where he said he has planned meetings with the FBI, the Cybersecurity and Infrastructure Security Agency, U.S. Cyber Command and representatives from industry.

In those meetings, he said officials have been discussing advanced cyber-focused AI models like Anthropic’s Mythos, which have quickly become central to global cyber policy talks. Asked whether Israeli institutions have been given access to those systems, he said the effort is a work in progress.

“I haven’t succeeded in it now, but hopefully I will,” he said, adding that he is trying to access such models to scan Israeli government organizations for vulnerabilities. He declined to name specific AI companies he is engaging with.

In early April, Anthropic launched Project Glasswing, an initiative with major companies designed to secure critical software across the globe using its Mythos model. It’s been withheld from public release amid concerns over its highly skilled hacking capabilities. About a month later, OpenAI unveiled GPT-5.5-Cyber, a similarly advanced model that was also reserved for verified organizations to prevent the acceleration of offensive cyber tools.

The White House and the federal government swiftly responded and worked to craft an executive order focused on AI and cybersecurity, but its signing was postponed last week amid overregulation concerns from industry.

Representing a government cyberdefense organization, Karadi said such models worry him.

 “When you give [an attacker] a new tool, he needs to only use it at one time and one place. But I need to implement this tool at all the places and all the time,” he said. 

He expects more of these models to proliferate in the coming months, and he considers them to now be the “main threat” in the cybersecurity world.

“I think that our world is getting more and more digital, AI-based and cloud-based,” he said. “It will take us to a permanent state of cyber warfare, some of the time against enemies that you know. But most of the time — against ghosts.”