U.S. sanctions two Iranian cyber operatives over crackdowns on Mahsa Amini protests

The pair started a cyber training academy that supports Iranian intelligence in the brutal response to protests, the U.S. government said.
Demonstrators hold placards with the faces of Iranian women Nika Shahkarami and Masha Amini and the words "Woman Life Freedom" written during a rally in support of Iranian protests, in Paris on October 9, 2022, following the death of Iranian woman Mahsa Amini in Iran. (Photo by JULIEN DE ROSA/AFP via Getty Images)

The U.S. Treasury Department on Wednesday sanctioned a pair of Iranian intelligence officials and a school they founded as part of the U.S. government response to the “brutal ongoing crackdown on nationwide protests in Iran,” the agency said.

Seyed Mojtaba Mostafavi and Farzin Karimi, both members of Iran’s Ministry of Intelligence and Security were sanctioned for their connections to Ravin Academy, the cybersecurity training organization they co-founded, according to Treasury. Ravin was sanctioned for “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, [Iran’s Ministry of Intelligence and Security].”

The sanctions are part of an overall package that included eight other Iranians and another company, Saman Gostar Sahab Pardaz Private Limited Company, which the U.S. government says is one of the main operators of social media filtering services in Iran.

Treasury announced the sanctions on the 40th day after Iran’s morality police arrested 22-year-old Mahsa Amini, who later died in custody. Her death sparked protests throughout Iran that have been met with a brutal response from Iranian authorities. At least 234 people, including 29 children, have been killed in the ongoing protests, according to Iran Human Rights.

In a message posted both to its Telegram channel and Twitter, Ravin Academy denied the allegations.


“We are in shock and disbelief that the name of a small educational complex, completely private and independent of any government or military institution, is included in the US sanctions list,” the message posted to Twitter said, according to a Google translation. “Ravin Academy strongly rejects all the false and unfair accusations made against it in this document.”

The U.S. government and independent security analysts have for years pointed to ostensibly private entities like Ravin Academy serving as contractors and extensions of the MOIS and the Islamic Revolutionary Guard Corps. In September, the U.S. government announced wide-ranging punitive actions against 10 Iranians and two Iranian companies including sanctions, indictments and multiple $10 million rewards related to a spree of breaches and ransomware attacks.

The companies in that case were Afkar System and Najee Technology.

That announcement came less than a week after the U.S. government sanctioned the Ministry of Intelligence and Security and Minister of Intelligence Esmail Khatib over Iranian cyberattacks on Albania through a phony hacktivist front called “Homeland Justice.”

On Sept. 6, 2019, the anti-Iranian regime whistleblower persona Lab Dookhtegan posted a photo and other personal details to Telegram of Mojtaba Mostafavi, one of Ravin co-founders sanctioned Wednesday. At the time, the group identified Mostafavi as part of the MOIS and associated with APT34, an long-running Iranian-linked hacking group also known as OilRig and Helix Kitten.


“As you can see, in the past we exposed the MOIS officer bastard Mojtaba Mostafavi (APT34),” Lab Dookhtegan said in a message posted to Telegram Thursday. “We Thanks to the American government that issued sanctions against this mercenary. Soon we will publish more revelations about the terrorists who mentioned in this US statement.”

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts