An Iran-linked hacker group has launched an online campaign offering cash rewards for information about Israelis it claims are involved in developing Israel’s air defense systems. The campaign includes threats, public exposure of personal details, and intimidating language designed to spread fear. The activity has drawn attention due to its scale, tone, and repeated targeting of civilians linked to defense, media, and academic fields.
The group announced bounties for information on engineers and technicians allegedly connected to the Patriot, Arrow, and David’s Sling air defense systems. These systems are widely known as part of Israel’s missile defense network. The campaign has been shared widely online and is described as part of an ongoing effort rather than a single incident.
Bounties, doxxing, and direct threats
The hackers offered bounties of up to $30,000 for information on more than a dozen Israelis described as air defense developers. Alongside these offers, the group published personal data online. This included photos, professional credentials, email addresses, phone numbers, and general location details. While not all of the information has been independently verified, it has circulated widely on Arab media outlets and Telegram channels, including accounts linked to militant groups.
Each individual profile is paired with threatening and often personal messages. Some messages warn that the listed individuals are being monitored, while others claim that emails and phone numbers are under surveillance. Several messages directly reference family members, including children, using language meant to intimidate and cause fear.
The design of the website adds to the threatening tone. When a cursor is placed over a person’s image, a crosshair appears. Large banners warn that those listed are “marked” and that they cannot move freely at work or at home. The group claims that anonymity is an illusion and that safety can no longer be guaranteed.
These actions are part of what the hackers call the “RedWanted” campaign. According to the group, lists of Israelis have been published almost every Saturday since October 18. Some individuals are labeled as “wanted”, while others are described using more extreme terms. In several cases, bounties of $10,000 were offered for information that could lead to a person’s location or capture.
Expanding lists and psychological pressure
The campaign targeting air defense developers is part of a much larger database released by the hackers. Nearly 200 Israelis have been listed so far. The group claims these individuals are linked to weapons programs, military units, journalism, or academic research.
Each entry includes a unique message, many of them long and hostile. At the top of the website, a banner warns that Israel should expect harsh punishment. Repeated phrases such as “the hunt has begun” are used to signal that the campaign is active and ongoing.
The group also released a video connected to the campaign. In the video, some targets are shown alongside what appear to be bomb-making materials and are described as having been “killed”. These claims have not been independently confirmed, but the content adds to the atmosphere of intimidation created by the campaign.
Past cyber activity and international findings
Security analysts have linked the hacker group to Iran’s intelligence services, stating it has been active since late 2023 and has targeted Israeli systems for around two years.
In January 2025, the group carried out a cyberattack on kindergartens in Israel. The attack disrupted public address systems in about 20 locations, causing alarm among staff and families.
On August 22, 2025, the hackers breached multiple Israeli organizations, including research institutes, businesses, media outlets, technology firms, and service providers.
In September 2025, Canada’s Rapid Response Mechanism reported a “hack and leak” operation by the same group targeting journalists working for an Iran-focused media outlet. The leaked material included personal identification documents and private content and was published online in a format similar to the Israeli campaign. Canadian officials also noted that the leaked information was amplified across social media and several AI-powered chat platforms.
These incidents show how cyber operations are being used not only to access systems, but also to intimidate individuals through exposure, threats, and sustained online pressure.
