The personal records of thousands of people allegedly linked to athletes and visitors to the Saudi Arabian game are published online by a group of hacktivists in Pruilla called Cyberfatta.
The return of the cybersecurity company said that the violation was announced on Telegram in the form of a SQL database dump on June 22, 2025, and was characterized as an information manipulation “conducted by Iran and its deputies.”
“The actors gained unauthorized access to the phpmyAdmin (backend) and ruled out records,” Resecurity said. “This is an example of Iran using data breaches as part of larger anti-US, anti-Israel, and anti-Saudi propaganda activities in cyberspace, targeting major sports and social events.”
The data is likely to be drawn from the official Saudi Games 2024 website and then shared on Darkforums, a cybercrime forum that has since attracted attention following repeated takedowns of Breachforums. This information was published by a forum user named Zerodayx, a burner profile that is likely created to promote this violation.
The leaked data contains IT staff credentials. Official government email address. Athlete and visitors information. Passport and ID card. Bank statement. Medical form; A copy of a confidential document has been scanned.
“Cyberfatta’s activities are consistent with the broader trends of hacktivism in the Middle East, where groups engage in cyber warfare as a form of behavior,” the response states.
The leak unfolds against the backdrop of a simmering tension between Iran and Israel, claiming that as many as 119 Hattivist groups have carried out cyberattacks or that they have made a declaration of concordance with two countries or acted with two countries per cyber knowledge.
Cyberfatta, known as the “Iranian Cyber Team,” has a history of targeting Israeli and Western web resources and government agencies.
It is also known to work with other threat actors operating in the region, including the 313 team. This argued responsibility for the true denied social distributive (DDO) attacks on social media platforms in retaliation for US airstrikes on Iran’s nuclear facilities.
“This incident with Cyberfatta may represent an interesting shift from malicious Israeli-centric activity to a broad focus on anti-Sudi and anti-Saudi messages,” the response said.
Last week, a pro-Israel group known as predatory sparrows (aka Adalat Ali, Gonjeshke Dalande, Indra, or Metalexpress) allegedly leaked data obtained from the Iranian Ministry of Communications. In particular, it burned over $90 million in cryptocurrency by hacking nobitex, Iran’s largest cryptocurrency exchange, and sending digital assets to an invalid wallet.
Cybersecurity company Outpost24 said it could be “access to internal documents detailing the internal mechanisms of the exchange and authentication credentials” for attackers to pull off the robbery, or a case of fraudulent insiders who worked in the group.
“It was not a financially motivated robbery, it was a strategic, ideological and psychological operation,” said security researcher Lydia Lopez Sants. “The threat actor emphasized its goal by destroying its funds rather than removing them. It dismantles public trust in government-related institutions and demonstrates its technical advantage.”
Then, on June 18, Iran’s state broadcaster Irib (short for Iranian broadcasting in the Islamic Republic) television stream was hijacked to display images of pro-Israel and anti-Iranian governments. Ilib claimed that Israel was behind the incident.
Image source: CyberKnow
Israel has also been targeted by pro-Palestin hacking groups such as the Handala Team, which has listed several Israeli organizations on data leak sites since June 14, 2025.
Another trend observed in the cyberwar between Iran and Israel is a small gathering of hackitivist groups that form the presence of umbrellas such as cyber Islamic resistance and the United Cyber Front of Palestinian and Iran.
“These loosely affiliated ‘Cyber Unions’ share resources, synchronize campaigns and amplify their impact despite limited technical refinement,” Trustwave SpiderLabs said in a report released last week.
The company also picked out another pro-Iranian group named Dienette. This is thought to include connections between Russian-speaking members and other cyber communities in Eastern Europe despite Iran’s pro-Hamas attitudes.
“It is its hybrid identity that distinguishes Deenet from many other pro-Iranian actors.” “Linguistic analysis of Dienet’s messages and timestamps, metadata, and interaction patterns suggests that at least some of the groups communicate internally in Russian or use slab language resources.”
“This points to the broader phenomenon of cross-regional cyber collaboration, where ideological alignment overturns geographical or national boundaries.”
Group-IB in an analysis of Telegram-based Hacktivist activities during the period of V, Voshephing, June 13th. Overall, over 5,800 messages have been recorded across various Hacktivist channels between June 13th and 20th.
The development of cyber capabilities in the context of the Iranian-Israel war, as well as other recent geopolitical events surrounding the Hamas-Russia-Ukrain conflict, demonstrate the increasingly integrated digital operations to complement kinetic actions, influence public perceptions, and destroy critical infrastructure.
Source link
