Data Leak Outs Hacker Students of Iran's MOIS Training Academy - Dark Reading

TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources THREAT INTELLIGENCE CYBERSECURITY OPERATIONS CYBERSECURITY CAREERS CYBERATTACKS & DATA BREACHES NEWS Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific Data Leak Outs Hacker Students of Iran's MOIS Training Academy Ravin Academy, a school for the Iranian state hackers of tomorrow, has itself, ironically, been hacked. Nate Nelson,Contributing Writer October 30, 2025 4 Min Read SOURCE: KAREN ROACH VIA ALAMY STOCK PHOTO Future members of Iranian state intelligence have been outed in an anonymous data leak. On Oct. 22, British-Iranian activist Nariman Gharib published a list of more than 1,000 people associated with the Ravin Academy to the open Web. Ravin Academy is a sanctioned Iranian cybersecurity school tied to the government's umbrella advanced persistent threat (APT) group APT34 (aka MuddyWater, Helix Kitten, OilRig). Gharib did not disclose any details about the means by which he obtained the data, though from context the attack smells of anti-Iranian hacktivism. The victim suggested as much in a Telegram post obtained and translated by The Register. A statement copping to the breach suggested that "this incident, coupled with the repeated publication of false and misleading content in the past, has the goals of damaging the reputation of this academy, undermining security in Iran, and harming the standing of the National Olympiad in the field of cybersecurity." Related:China-Nexus Hackers Skulk in Southeast Asian Military Orgs for Years That latter clause refers to Ravin Academy's "Tech Olympics" event currently running at Tehran's Pardis Technology Park. According to local media, the event involved more than 12,000 participants from 66 countries, 1,100 of whom traveled to Tehran for the final round. Participants from the Middle East, Asia, and Europe have been competing in skills challenges related to artificial intelligence (AI), Internet of Things (IoT), cybersecurity, and more. The event appears to be significant in legitimizing Iran generally, and Ravin Academy specifically, as major players in the international technology sphere. "Given the media efforts over the past year to achieve the aforementioned goals, it is natural that the opponents and international competitors of this event seek to damage this great national achievement," Ravin wrote. What Is the Ravin Academy? The Ravin Academy was founded in November 2019 by two employees of Iran's Ministry of Intelligence and Security's (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. Humorously, they registered their purportedly independent institution to an address just two city blocks from Iran's Ministry of Information and Communication Technology (ICT), the agency primarily responsible for implementing Iran's oppressive Internet censorship. ICT is also critical to national cybersecurity, and plays support to the MOIS cyberattack operations. Ravin Academy claims to be a regular cybersecurity training school. According to a variety of Western government and research organizations, it is in fact an MOIS project designed to train and funnel cybersecurity and hacking talent to the government. Related:INC Ransomware Group Holds Healthcare Hostage in Oceania Multiple countries run or at least collaborate with falsely independent academic institutions. Doing so allows the government agency in the background to more effectively recruit talented young people, and claim plausible deniability when stories like this come out. Before the ties between state and school get outed, representatives of such institutions might enjoy access to international conferences and opportunities to collaborate on research projects. School settings also allow for a variety of activities that would otherwise seem suspicious or offensive in a government context. For example, a school can provide a degree of ethical cover in teaching students how to hack computers. PwC analysts outlined how that works in the case of Ravin Academy, in a report published in 2022. They described how in March 2020, Ravin Academy published a proof-of-concept (PoC) exploit for CVE-2020-0688, a high-severity remote code execution (RCE) bug in Microsoft Exchange, to GitHub. On Sep. 23, 2020, a webinar from Ravin Academy demonstrated a PoC exploit for the critical Netlogon vulnerability, CVE-2020-1472. In a campaign during September and October 2020, MuddyWater was exploiting those two vulnerabilities, using the very same techniques outlined by the school. Related:Chinese Cyber Threat Lurks In Critical Asian Sectors for Years In sanctioning the school, the US Treasury Department wrote that "Ravin Academy assists the MOIS with a variety of cyber services, including information security training, threat hunting, cyber security, red team, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research." Ravin Academy has also earned sanctions from the UK and European Union (EU). The Hackers of Iran (and also Ordinary Citizens) The published Ravin Academy data includes more names, phone numbers, Telegram usernames, and national ID numbers. Gharib also obtained student ID numbers and information about the classes each student attended, but did not include this data in his leak site. Reporters at The Register combed through the data, and discovered a couple of notable patterns. Firstly, a majority of the individuals they were able to identify did not come from cybersecurity backgrounds. Instead they were associated with other STEM fields, including mechanical engineering, electrical engineering, fluid dynamics, and machine learning (ML). If Ravin Academy is pulling talent from across industries, it might indicate the significance with which Iran is treating its national cyber operations. More concerningly, reporters found that a number of named individuals were academics, of whom a "sizable subset" were associated with Western universities. It's also worth noting that because Ravin Academy doesn't advertise its state ties to students, many of those named on Gharib's leak site may not have known they were enrolled in a state-tied institution, and may never be employed by the Iranian government. As Gharib put it, "This operational security failure undermines the company's public credentials while simultaneously exposing individuals who enrolled in what they may have believed were legitimate professional development programs." Read more about: DR Global Middle East & Africa About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE Discover More Black Hat Omdia Working With Us About Us Advertise Reprints Join Us NEWSLETTER SIGN-UP Follow Us Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466. Home| Cookie Policy| Privacy| Terms of Use