Cosmetic surgery clinics in Istanbul, hacked mobile phones and years of monitoring Israelis on Facebook were part of the operations of “Department 40,” an Iranian cyber unit that worked on behalf of the Iranian Revolutionary Guard Corps to support terror plots against Israelis and Jews.
A new investigation by the opposition outlet Iran International outlines the scale and structure of the unit, painting a troubling picture of long-running espionage, cyberattacks and intelligence gathering.
In recent weeks, details have surfaced about the cyber network known as “Department 40.” The unit operates for the IRGC’s intelligence organization and its “Unit 1500.” According to the investigation published Thursday, the group has carried out operations in recent years against Israelis and Jews in Israel and worldwide, using names such as Charming Kitten, Moses Staff and Abraham’s Axe.
The investigation identifies the Iranian operatives behind the campaigns, led by Abbas Rahroui. Under him worked 60 men and women who carried out sophisticated cyber activities designed to support the IRGC’s terror arm. The unit engaged in espionage, psychological warfare, influence campaigns and terror support across numerous Arab countries, with Israelis a primary target.
In 2022, Ruhollah Bazghandi, a former IRGC counterintelligence chief, oversaw plots targeting Israelis and Jews in Turkey. “Department 40” was tasked with tracking Israelis in real time. Hackers broke into medical clinics in Istanbul frequented by Israelis undergoing procedures such as breast augmentation and hair transplants. They also hacked the mobile phones of Israelis staying in those clinics. According to the report, Mossad operatives rescued Israelis at the last minute, instructing them to barricade themselves in hotel rooms just seconds before Iranian hit teams prepared to kill or abduct them.
Members of the unit infiltrated Facebook groups used by Israelis in Turkey, monitoring posts to learn where they were staying, which clinics they visited and which kosher restaurants they frequented. The cyber unit’s goal was to widen the circle of targets and pass the intelligence to IRGC assassination teams on the ground.
According to the investigation, the unit was also linked to the 2022 Istanbul attack that killed eight people. “Department 40” acted as an intelligence collection arm, pinpointing the locations of Israelis for hit teams. The operatives also hacked foreign airlines to track the arrival times of Israelis and Iranian dissidents.
The report reveals that “Department 40” served as the offensive cyber wing of the IRGC’s counterintelligence unit, effectively functioning as an intelligence-gathering arm for Iranian operational teams. Hackers stole data from government and non-government systems abroad, including Abu Dhabi and Fujairah police databases, FlyDubai and EgyptAir, Ras Al-Khaimah municipality data and similar systems in Turkey and Saudi Arabia.
This is the first time the identity and internal structure of the unit have been exposed. “Department 40” operated as a subsidiary of the IRGC’s “Unit 1500,” building a database called “Kashef” that allowed Iranian agents to map connections between individuals through mobile phone records, travel data and location tracking. Many of the 60 agents reportedly employed family members and hid their activities behind layers of shell companies.
The information needed for IRGC attacks abroad, including “Operation 1401” in Istanbul, was collected by “Department 40.” The unit also spied extensively on foreign embassies in Iran and used Russian digital tools to support its missions. Until recently, its activities were believed to be limited primarily to phishing campaigns.
Intelligence agencies in the region say many cyberattacks on Israel and abroad in recent years were carried out by Charming Kitten, though its leadership was unknown until now. In the past month, the entire Iranian network was breached by a group calling itself Kitten Busters, which posted stolen documents from “Department 40” on GitHub, including cyber tools, internal reports and Persian-language directives.
The leaked documents show that the unit sought to recruit Israelis, sow internal unrest and run influence operations. According to Iran International, “Department 40” also developed explosive suicide drones. The report concludes that the exposure marks a significant blow to the IRGC: a covert cyber network that caused extensive damage has now been fully identified, a price Iranian officials describe as substantial.
