When missiles were arcing over the region, Iran’s covert financial moves were happening on a different battlefield: the blockchain. Crypto wallets tied to Iran’s Revolutionary Guard emptied in hours, and that war chest flowed to proxies and private hideouts. What followed was a digital campaign against American targets, driven not by exotic code but by stolen passwords and open dark web markets.
Analysts watching the ledgers saw a clear pattern: tens of millions moved fast, then hundreds of millions in the days after the strikes. Those transfers found their way to groups like the Houthis and Hezbollah and into accounts held by regime insiders. That financial pivot tells a simple story — Iran built an ecosystem to protect and then project power, and now it’s using it offensively.
The cyberattacks that followed were disappointingly low-tech. Rather than bespoke zero-day exploits, the regime relied on commodity malware and infostealers to harvest credentials. Those stolen passwords are cheap commodities on underground markets, and Iran has been both a buyer and a user of that trade.
One pro-Iran group publicly celebrated breaching a high-profile American official’s personal email and posted old photos and documents online. The group said the head of that agency was now “among the list of successfully hacked victims.” That line was meant to brag, but it also revealed the blunt, effective mechanics behind the campaign: weak passwords and stolen credentials do the work.
Major private sector damage followed. A leading medical device manufacturer was hit in March, its systems wiped and more than 200,000 devices disabled across dozens of countries. When patients and hospitals are disrupted, the danger is immediate and measurable, not abstract.
Even community news sites fell victim to simple website defacements that used credentials or weak protections to replace homepages with propaganda. Threat actors used the same supply chain to threaten journalists and solicit criminal partners to carry out violence, showing how blended and dangerous these networks are. This is asymmetric warfare that targets civilians, institutions and infrastructure alike.
The heart of the problem is not Tehran’s creativity. It’s the apparent tolerance for a thriving credential economy on the dark web that feeds these operations. Infostealer markets sell millions of stolen logins a month, openly enough to be traced, and they act like a wholesale supplier for nation-state campaigns and criminal gangs alike.
The response so far has been conventional: sanctions, law enforcement takedowns and reward offers for information. Those actions matter, but they treat the symptoms rather than the source. The real leverage lies upstream, where the stolen credentials are bought, sold and swapped for influence and weapons.
We should treat these credential marketplaces the way we treat other hostile cyber infrastructure. Offensive action by Cyber Command against the servers and payment rails that enable infostealer operators is a proportional, practical option. If the Pentagon has used its authorities effectively against ransomware networks, it has the playbook and the legal cover to go after the markets selling the keys to hospitals and ports.
At the same time, domestic policy changes would blunt the harvest-and-hit cycle. Require real-time monitoring of stealer logs across federal agencies, defense contractors and critical infrastructure, so harvested credentials trigger immediate alerts. Pair that with strict crypto sanctions compliance in any deal with Iran, because ignoring the financial pipelines will simply bankroll the next round of attacks.
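The monitoring the previous paragraph calls for boils down to one routine: ingest circulated stealer-log dumps, pull out the hostname of each captured login, and alert when it belongs to a domain you protect. The following is an added illustration, not code from the article or any agency; it assumes the common "url:username:password" line layout seen in stealer logs, and the sample log lines and watched domains are constructed for the example.

```python
"""Watch infostealer log dumps for credentials that belong to protected domains.

Added example, not from the article. Assumes the widespread "url:username:password"
line format; sample lines and watched domains below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Alert:
    host: str
    username: str
    source_line: int


# Constructed watchlist: the domains whose harvested logins must trigger an alert.
WATCHED_DOMAINS = {"example-agency.gov", "example-contractor.com"}

# Constructed stealer-log excerpt; note the URL with a port and the malformed line.
CONSTRUCTED_STEALER_LOG = """\
https://mail.example-agency.gov/owa/:jdoe@example-agency.gov:Winter2024!
https://www.unrelated-shop.test/login:shopper:hunter2
http://vpn.example-contractor.com:8443/remote/login:asmith:P@ssw0rd
https://portal.sub.example-agency.gov/:rlee:Summer!2024
android://com.example.app/:someone:notes
garbage line without separators
"""


def parse_line(line):
    """Split a log line into (url, username, password).

    URLs contain colons (scheme, port), so split from the right; this assumes the
    password itself holds no colon, which is how these dumps are usually read.
    """
    parts = line.rstrip("\n").rsplit(":", 2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def host_of(url):
    """Return the lowercase hostname, tolerating lines that omit the scheme."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def matches_watched(host, watched=WATCHED_DOMAINS):
    """True when host equals a watched domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)


def scan(lines: Iterable[str], watched=WATCHED_DOMAINS):
    """Yield an Alert for each captured login on a watched domain.

    The password is parsed but deliberately never stored or printed; the alert
    only needs to know which account to reset.
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        url, user, _password = parsed
        host = host_of(url)
        if host and matches_watched(host, watched):
            alerts.append(Alert(host, user, n))
    return alerts


if __name__ == "__main__":
    for a in scan(CONSTRUCTED_STEALER_LOG.splitlines()):
        print(f"ALERT line {a.source_line}: {a.username} on {a.host} "
              "-> force password reset and revoke active sessions")
```

Run as a script it flags three of the six constructed lines (the agency mailbox, the contractor VPN login on a non-standard port, and the subdomain portal) and ignores the unrelated shop, the mobile-app entry, and the malformed line. In production the same loop would sit on a feed of freshly circulated logs and push each alert into the identity system's reset workflow.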
Some will argue that striking dark market infrastructure is too aggressive, but the alternative is passive surrender as attacks escalate. The operators are visible, their trails are trackable and the window to act is open. Delay only hands Iran and its proxies more chances to turn stolen data into missiles, outages and human harm.
