Details of more than 1,000 people connected to Ravin Academy, an Iranian cyber institute long believed in the West to serve as a recruitment and training arm for the state-backed hacking group APT34 — also known as MuddyWater or OilRig — were exposed in a recent data leak, cybersecurity outlet Dark Reading reported Thursday.
The leak, carried out by an unidentified source and published by British-Iranian activist Nariman Gharib on Oct. 22, has embarrassed Iran’s cyber apparatus and raised questions about the possible involvement of civilians and Western academics in Tehran’s intelligence-linked training programs.
Founded in 2019 by two senior officials from Iran’s Ministry of Intelligence and Security (MOIS), Ravin Academy has been sanctioned by the United States, the United Kingdom and the European Union for its role in training and channeling personnel into government-directed cyber operations. The exposed records reportedly include names, national ID numbers, phone numbers, Telegram usernames and other personal details, many belonging to people from science and engineering backgrounds rather than traditional cybersecurity fields — a sign, experts say, of the scale of Iran’s national cyber mobilization effort.
The timing of the breach is notable, coinciding with Ravin’s Technology Olympiad in Tehran, a state-backed event designed to project Iran’s technological capabilities internationally.
Ravin Academy confirmed the breach in a Telegram post, calling it “an incident aimed at damaging the academy’s reputation, undermining Iran’s security and disrupting the national cybersecurity Olympiad.” Iranian officials framed the incident as an attack by foreign rivals rather than an exposure of intelligence activity.
Activist Gharib, who did not disclose how he obtained the data, said the leak “constitutes a significant intelligence asset” as it “documents the systematic development of personnel for potential recruitment into MOIS cyber operations.” His remarks highlight an ethical concern — that many of those listed may have been unaware they were linked to a state-run cyber entity, leaving them personally and professionally exposed.
Using academic or nominally independent institutions as cover for intelligence operations is not unique to Iran; China, Russia, the United States and Israel all maintain cooperation between intelligence agencies and universities. But Ravin’s inclusion on multiple sanctions lists, along with reports from cybersecurity firms such as PwC, portrays a direct pipeline for recruiting and training offensive cyber personnel under academic guise.
Evidence cited by researchers includes proof-of-concept exploits published by Ravin related to major vulnerabilities in Microsoft Exchange and Netlogon (CVE-2020-0688 and CVE-2020-1472), which were later exploited by MuddyWater, indicating close operational overlap between the academy and Iran’s cyber command structure.
While Western governments also fund academic cybersecurity initiatives — such as the U.S. National Security Agency’s National Centers of Academic Excellence in Cybersecurity (NCAE-C) — these programs are typically defensive in nature and maintain strict ethical oversight. In contrast, analysts say, Ravin Academy appears to act as a front for offensive state activity, training so-called “red teams” for Iran’s cyber warfare operations.
The exposure has also raised alarms within Western academia: several names on the leaked list reportedly belong to legitimate researchers with institutional ties abroad, prompting fears of potential industrial or academic espionage masked as collaboration.
[Photo: Students in Tehran (KHAMENEI.IR / AFP, West Asia News Agency / Handout via REUTERS)]
Experts say the breach serves as a warning for global universities and tech firms to reassess partnerships with institutions in states known to sponsor advanced cyber operations. Still, analysts caution that the incident is unlikely to halt Iran’s offensive cyber ambitions. The Islamic Republic has been linked to numerous high-profile cyberattacks, including breaches at Israeli targets such as Shirbit Insurance, Hillel Yaffe Medical Center and Shamir Medical Center, as well as a string of smaller companies across multiple sectors.
“This isn’t just a failure of Iranian cybersecurity,” one analyst said. “It’s a wake-up call for the international academic and tech community about how easily education and espionage can blur.”