Apple alerted Iranians to iPhone spyware attacks, say researchers

Apple has recently notified more than a dozen Iranians that their iPhones had been targeted with government spyware, according to security researchers. Miaan Group, a digital rights organization focused on Iran, along with Hamid Kashfi, an Iranian cybersecurity researcher based in Sweden, spoke with several Iranians who received these notifications over the past year. Bloomberg was the first to report on these spyware alerts.

Miaan Group published a report detailing the state of cybersecurity for civil society in Iran. The report said the organization identified three cases of government spyware attacks against Iranians, two within Iran and one in Europe, all of whom were alerted in April of this year. Amir Rashidi, Miaan Group’s director of digital rights and security, said that two of the victims in Iran come from a family with a long history of political activism against the Islamic Republic. Many of their family members have been executed, and the victims have no history of traveling abroad. Rashidi believes there have been three waves of attacks so far and that the cases exposed represent only the tip of the iceberg.

Though investigations are ongoing, Rashidi suspects Iran is behind the attacks. He stated, “I see no reason for members of civil society to be targeted by anyone other than Iran.” Hamid Kashfi, founder of the security firm DarkCell, assisted two victims with preliminary forensic analysis but was unable to confirm which spyware maker was responsible. Some victims he worked with chose not to pursue the investigation further.

Many victims reportedly became frightened and disconnected as soon as they learned the severity of the situation. Kashfi noted that one victim received the notification in 2024 and speculated that the victims’ workplaces and the sensitivity of the matters involved contributed to their decision to disengage.

It remains unclear which specific spyware maker is behind these attacks. Over recent years, Apple has sent multiple rounds of notifications to users it believes have been targeted by government spyware, such as NSO Group’s Pegasus or Paragon’s Graphite. This type of malware is often referred to as “mercenary” or “commercial” spyware.

Apple’s threat notifications have aided researchers in documenting spyware abuses in countries including India, El Salvador, and Thailand. According to Apple’s support page, updated in April, the company has notified users in over 150 countries since 2021, highlighting the widespread use of government spyware. However, Apple does not disclose the names of affected countries or the total number of notifications sent.

To support victims, Apple has recommended that those who receive threat notifications contact the digital rights organization Access Now. This nonprofit runs a 24/7 helpline staffed with researchers who specialize in investigating spyware attacks. Access Now has documented numerous cases of spyware abuse worldwide.

Apple did not respond to requests for comment regarding the notifications sent to Iranians.