Thousands of personal records allegedly linked to athletes and visitors of the Saudi Games have been published online by a pro-Iranian hacktivist group called Cyber Fattah.
Cybersecurity company Resecurity said the breach was announced on Telegram on June 22, 2025, in the form of SQL database dumps, characterizing it as an information operation “carried out by Iran and its proxies.”
“The actors gained unauthorized access to phpMyAdmin (backend) and exfiltrated stored records,” Resecurity said. “This is an example of Iran using data breaches as part of a larger anti-U.S., anti-Israel, and anti-Saudi propaganda activity in cyberspace, targeting major sports and social events.”
It’s believed that the data is likely pulled from the Saudi Games 2024 official website and then shared on DarkForums, a cybercrime forum that has gained attention in the wake of BreachForums’ repeated takedowns. The information was published by a forum user named ZeroDayX, a burner profile that was likely created to promote this breach.
The leaked data includes IT staff credentials; government official email addresses; athletes’ and visitors’ information; passports and ID cards; bank statements; medical forms; and scanned copies of sensitive documents.
“The activities of Cyber Fattah align with a broader trend of hacktivism in the Middle East, where groups frequently engage in cyber warfare as a form of activism,” Resecurity said.
The leak unfolds against the backdrop of simmering tensions between Iran and Israel, with as many as 119 hacktivist groups claiming to have conducted cyber attacks or have made declarations to align with or act against the two nations, per Cyberknow.
Cyber Fattah, which calls itself an “Iranian cyber team,” has a history of targeting Israeli and Western web resources and government agencies.
It’s also known to collaborate with other threat actors active in the region, such as 313 Team, which claimed responsibility for a distributed denial-of-service (DDoS) attack against social media platform Truth Social in retaliation for U.S. airstrikes on Iran’s nuclear facilities.
“This incident by Cyber Fattah may indicate an interesting shift from Israel-centric malicious activity toward a broader focus on anti-U.S. and anti-Saudi messaging,” Resecurity said.
Last week, a pro-Israel group known as Predatory Sparrow (aka Adalat Ali, Gonjeshke Darande, Indra, or MeteorExpress) claimed to have leaked data obtained from the Iranian Ministry of Communications. Notably, it also hacked Iran’s largest cryptocurrency exchange, Nobitex, and burned over $90 million in cryptocurrency by sending digital assets to invalid wallets.
Cybersecurity company Outpost24 said the attackers possibly had “access to internal documentation that detailed the inner workings of the exchange and possibly even authentication credentials” to pull off the heist, or that it was a case of a rogue insider who worked with the group.
“This was not a financially motivated heist but a strategic, ideological, and psychological operation,” security researcher Lidia López Sanz said. “By destroying rather than exfiltrating funds, the threat actor emphasized its goals: dismantling public trust in regime-linked institutions and signaling its technical superiority.”
Subsequently, on June 18, Iran’s state broadcaster IRIB’s (short for Islamic Republic of Iran Broadcasting) television stream was hijacked to display pro-Israeli and anti-Iranian government imagery. IRIB claimed Israel was behind the incident.
| Image Source: Cyberknow |
Israel, for its part, has also become a target of pro-Palestine hacking groups like the Handala team, which has listed several Israeli organizations on its data leak site starting June 14, 2025. These included Delek Group, Y.G. New Idan, and AeroDreams.
Another trend observed in the cyber warfare between Iran and Israel is the coming together of smaller hacktivist groups to form umbrella entities like the Cyber Islamic Resistance or United Cyber Front for Palestine and Iran.
“These loosely affiliated ‘cyber unions’ share resources and synchronize campaigns, amplifying their impact despite limited technical sophistication,” Trustwave SpiderLabs said in a report published last week.
The company also singled out another pro-Iranian group named DieNet that, despite its pro-Iranian and pro-Hamas stance, is believed to include Russian-speaking members and connections to other cyber communities in Eastern Europe.
“What distinguishes DieNet from many other pro-Iranian actors is its hybrid identity,” it noted. “Linguistic analysis of DieNet’s messages, as well as timestamps, metadata, and interaction pattern, suggests that at least part of the group communicates internally in Russian or uses Slavic-language resources.”
“This points to the broader phenomenon of cross-regional cyber collaboration, where ideological alignment overrides geographic or national boundaries.”
Group-IB, in an analysis of Telegram-based hacktivist activity following June 13, said DieNet was the most referenced channel, quoted 79 times during the time period. In all, more than 5,800 messages have been recorded across various hacktivist channels between June 13 and 20.
The deployment of cyber capabilities in the context of the Iran-Israel war, as well as other recent geopolitical events surrounding Hamas–Israel and Russia-Ukraine conflicts, demonstrates how digital operations are increasingly being integrated to supplement kinetic actions, influence public perception, and disrupt critical infrastructure, Trustwave added.
