In a significant cybersecurity incident, the pro-Iranian hacktivist group known as Cyber Fattah has publicly released thousands of personal records associated with athletes and visitors of the 2024 Saudi Games. The breach was disclosed on June 22, 2025, via the group’s Telegram channel, where they shared SQL database dumps containing the compromised information.
Cybersecurity firm Resecurity has analyzed the breach, characterizing it as an information operation orchestrated by Iran and its proxies. According to Resecurity, the attackers gained unauthorized access to the phpMyAdmin backend of the Saudi Games’ official website, enabling them to exfiltrate stored records. This incident exemplifies Iran’s use of data breaches as part of a broader anti-U.S., anti-Israel, and anti-Saudi propaganda campaign in cyberspace, targeting major sports and social events.
The leaked data encompasses a wide range of sensitive information, including:
– IT staff credentials
– Government officials’ email addresses
– Athletes’ and visitors’ personal information
– Copies of passports and ID cards
– Bank statements
– Medical forms
– Scanned copies of other sensitive documents
The data was subsequently shared on DarkForums, a cybercrime forum that has gained prominence following the repeated takedowns of BreachForums. A forum user named ZeroDayX, likely a burner profile created specifically for this purpose, posted the information to promote the breach.
Cyber Fattah, self-identified as an Iranian cyber team, has a history of targeting Israeli and Western web resources and government agencies. The group’s activities align with a broader trend of hacktivism in the Middle East, where cyber warfare is frequently employed as a form of activism. Notably, Cyber Fattah has collaborated with other regional threat actors, such as the 313 Team, which claimed responsibility for a distributed denial-of-service (DDoS) attack against the social media platform Truth Social. This attack was purportedly in retaliation for U.S. airstrikes on Iran’s nuclear facilities.
The leak occurs amid escalating tensions between Iran and Israel, with numerous hacktivist groups claiming to have conducted cyber attacks or declared alignments with or against the two nations. According to Cyberknow, as many as 119 hacktivist groups have been involved in such activities.
This incident by Cyber Fattah may indicate a strategic shift from Israel-centric malicious activities toward a broader focus on anti-U.S. and anti-Saudi messaging. The group’s actions underscore the evolving landscape of cyber warfare, where state-affiliated actors leverage data breaches to further geopolitical objectives and disseminate propaganda.
In a related development, a pro-Israel group known as Predatory Sparrow (also referred to as Adalat Ali, Gonjeshke Darande, Indra, or MeteorExpress) recently claimed to have leaked data obtained from the Iranian Ministry of Communications. The group also hacked Iran’s largest cryptocurrency exchange, Nobitex, destroying over $90 million in cryptocurrency by transferring digital assets to invalid wallets. Security researcher Lidia López Sanz noted that this was not a financially motivated heist but a strategic, ideological, and psychological operation aimed at dismantling public trust in regime-linked institutions and signaling technical superiority.
Furthermore, on June 18, Iran’s state broadcaster IRIB’s television stream was hijacked to display pro-Israeli and anti-Iranian government imagery. IRIB has attributed the incident to Israeli involvement.
These events highlight the intensifying cyber conflict in the Middle East, where hacktivist groups are increasingly becoming instruments of statecraft, conducting operations that blur the lines between activism and cyber warfare.
