No Ceasefire in Cyberspace: Iran, Israel and the New Logic of Digital Retaliation

From 2024 to mid-2026, the Iran–Israel confrontation has shown that cyber operations are no longer a supporting theatre of conflict. They have become a standing channel of retaliation: cheaper than missiles, easier to deny, politically useful below the threshold of open war, and persistent even when formal ceasefires take hold. The result is a new escalation logic in which espionage, financial disruption, spyware, data wiping, and information operations now sit alongside airstrikes and proxy violence as routine instruments of coercion.

The timeline that matters

The cyber contest did not begin in 2024, but it changed character over the past two years. What had long been a shadow war of espionage and occasional sabotage became a faster, more public, more retaliatory exchange. In 2024, public reporting pointed to IRGC-linked actors using cyber espionage for counterintelligence purposes, including elaborate social-engineering fronts designed to identify people in Iran, Syria, and Lebanon who might be willing to cooperate with Israel or Western services. That mattered strategically because it showed cyber activity being used not simply to steal data but to expose networks, intimidate potential collaborators, and shape the human terrain before and after physical operations.

By June 2025, cyber retaliation had become far more overt. During the June escalation, the group Predatory Sparrow, widely assessed as Israel-linked though not officially acknowledged, claimed attacks on Iran’s Bank Sepah and then on Nobitex, Iran’s largest cryptocurrency exchange. The Bank Sepah incident disrupted customer access and reportedly spilled into adjacent payment-dependent systems. The Nobitex breach went further: roughly $90 million in digital assets was effectively destroyed rather than monetised. That was a strategic signal, not a criminal payday. Finance was not merely collateral damage; it was the target.

By early 2026, the battlespace widened again. Iran-linked actors and fronts expanded hack-and-leak operations, mobile compromise attempts, and destructive attacks against Israeli-linked and Western targets. U.S. authorities publicly moved against domains tied to Handala, a group Washington linked to Iran’s Ministry of Intelligence. Israel, meanwhile, described a steep rise in hostile cyber incidents through June 2026. At the same time, Iran itself faced renewed attacks on banking rails and communications. The key point is not who “won” a particular exchange. It is that cyber retaliation had become continuous, reciprocal, and only partly bounded by kinetic escalation.

The actors and the capabilities

The most important analytical mistake is to treat this as a simple state-versus-state duel. It is a layered system.

On the Iranian side, the ecosystem includes formal state bodies, especially IRGC- and MOIS-linked groups, plus semi-deniable fronts and hacktivist brands. Their toolkit is broad rather than exquisite: spear-phishing, credential theft, surveillance malware, website defacement, data leaks, wipers, camera compromise, and intimidation campaigns. These operations often seek cumulative pressure rather than dramatic single-shot effects. Civilian organisations, health providers, municipalities, political figures, journalists, and firms connected to Israel all become fair game. The aim is to exhaust defenders, gather intelligence, and create public unease at low cost.

The third category is non-state or quasi-state actors. Some are authentic ideological volunteers. Others are cut-outs, fronts, or opportunists riding the conflict’s media wave. Their significance lies less in technical sophistication than in what they do to attribution. They muddy the signal, create noise, and make escalation management harder. States can benefit even from poorly executed attacks if they force opponents to divert attention and resources.

AI, attribution, and the lowered threshold

AI is beginning to compress the cyber timeline, but not in the most dramatic way popular commentary suggests. Public evidence to date indicates that frontier AI is being used most clearly for influence operations, content generation, translation, reconnaissance support, phishing personalisation, and the scaling of deception. Iranian-linked operations exposed by OpenAI and Microsoft in 2024 showed that generative tools can already support propaganda, fake personas, and synthetic media tied to issues including Gaza and Israel. The point is not that AI has replaced skilled operators. It is that it reduces the cost of producing believable lures, multilingual narratives, and rapid-response information operations during fast-moving crises.

That matters because attribution in this conflict is already difficult. Technical indicators can be spoofed. “Hacktivist” labels can conceal state direction. Political timing frequently matters as much as malware analysis. In this environment, AI widens the gap between what can be done quickly and what can be attributed confidently. That lowers the threshold for action. If a government believes it can harass, leak, wipe, or manipulate with plausible deniability, the temptation to act increases.

The deeper implication is strategic. Traditional ceasefires are designed around territory, troops, and fires. Cyber operations do not sit neatly in those categories. They are continuous, deniable, and often justified by the attacker as defensive, retaliatory, or merely symbolic. Unless cyber activity is explicitly included in any de-escalation framework, it will continue by default.

The cross-domain effects and the policy response

The cross-domain effects are now unmistakable. Cyber operations shape battlefield awareness through compromised cameras and devices. They shape economic resilience through attacks on banks, exchanges, and data-dependent services. They shape domestic control through internet shutdowns, information filtering, and the disruption of civilian communications. They also shape diplomacy by complicating ceasefire enforcement, hardening threat perceptions, and inviting sanctions, takedowns, or covert reply.

For Israel, the policy priority is endurance. That means treating small and medium-sized firms, health systems, legal services, and local authorities as part of national cyber defence, not as peripheral victims. It also means assuming that cyber incidents will synchronise with missile strikes, warning-system overload, and disinformation bursts. Financial and health-sector continuity planning should therefore be treated as deterrence by denial.

For Iran, the most stabilising step would be to recognise that digital retaliation against civilian systems produces strategic backlash faster than leverage. It deepens isolation, invites external countermeasures, and reinforces the case for broader defensive coalitions against Tehran’s cyber apparatus. A second priority is internal: reducing reliance on blunt national internet shutdowns that damage the economy and degrade public trust while only partially impairing hostile operators.

For regional states, especially Gulf economies, neutrality is no shield. Banks, ports, telecoms, desalination-linked utilities, and commercial data centres are obvious spillover targets. The prudent response is to build shared regional alerting, common incident-reporting channels, and sector-specific continuity rehearsals focused on payments, telecoms, and health.

For Western partners, the answer is disciplined attribution and faster operational support. Public naming should distinguish between high-confidence state attribution and lower-confidence proxy claims. At the same time, assistance to regional partners should prioritise managed detection, response surge capacity, and protection of civilian critical services. Cyber diplomacy also needs updating: any future truce architecture involving Iran and Israel should explicitly address cyber activity, proxy operations, and civilian digital infrastructure.