Skip to main content

Teen hackers are defacing unsuspecting US websites with pro-Iran messages

Teen hackers are defacing unsuspecting US websites with pro-Iran messages


‘I do not work for the government,’ one hacker told The Verge

Share this story

Iranian President Rouhani visits Qasem Soleimani’s home
Iranian President Hassan Rouhani meets with the family of Qasem Soleimani
Photo by Iranian Presidency / Handout/Anadolu Agency via Getty Images

Phil Openshaw, a retired Californian dentist, hadn’t checked his website in months. So he was unaware that it no longer displayed details for his annual mission trip that provides free dental services in Uganda. Instead, it displayed a photo of recently assassinated Iranian Gen. Qassem Soleimani with the message “Down with America.”

“Hoo boy. Thanks for the good news,” he said when informed that his site,, had been defaced. “I don’t really know how to respond to that. I’ll take a look at it.”

It’s part of an unofficial front in the simmering conflict between the US and Iran, kicked off by the assassination Soleimani on January 3rd. The strike was followed by retaliatory Iranian missile strikes on two Iraqi bases that house US troops as well as the downing of a Ukrainian passenger plane, the implications of which are still unknown. 

”I do not work for the government.”

But while the brief military conflict has settled into an impasse, there’s a smaller skirmish that hasn’t stopped. While leaders weigh their options, pro-Iranian wannabe hackers who claim no government affiliation can deface unpatched websites run by individual Americans and small businesses but little else. It’s a tactic of online posturing and inflated threats — one at home in a conflict where tweets and perceived insults have often dictated the course of events.

The hacker who defaced Openshaw’s site goes by “Mr Behzad” and claims to be a 19-year-old operating out of a sense of patriotism. (It’s impossible to verify his identity with complete certainty, but he left his Telegram handle on the sites he defaced.)

“I do not work for the government. I work for my home country of Iran,” he told The Verge, adding a heart emoji after his country’s name. He said he learned how to deface sites through work programming and coding. “We want to know that if they harm our people or our country, we will not fail.”

One of the defaced sites
One of the defaced sites

“Ebrahim Vaker,” who left his Telegram handle card on the briefly defaced page of the University of Maryland, Baltimore County, said he was 23 and the leader of the “Iranian Anonymous Team,” created last year.

“Most of these attacks are a sign of protest,” Vaker told The Verge. He said the UMBC defacement was the biggest attack yet from his seven-member team, whose members range as young as 18.

these hacktivists are “typically teenagers and young men in their 20s”

Website defacements, especially against small or neglected websites, are broadly considered among the bottom tier of cyberattacks. They frequently rely on simply copying and pasting malicious script that’s easy to find online — the easy work for unskilled “script kiddies.” In the heyday of Anonymous, an unexpectedly altered website seemed to evoke a much more sinister and capable adversary, but defacement now has little effect besides calling a small amount of attention and bringing a minor annoyance to web hosts.

In this case, the defacements are ominous because of the very real possibility of a more militarized cyberattack. The conflict between the US and Iranian governments has been peppered with skirmishes in the cyber domain: the US reportedly interfered with Iranian rocket controls in June and propaganda outlets in September. Iran has historically used devastating “wiper” attacks on a US target at least once before and has used them regionally as recently as last year, prompting fears it could use them again. The US Department of Homeland Security warned last summer that Iran could renew wiper attacks on networks, and it said Monday that Iran’s Islamic Revolutionary Guard Corps may look to leverage their substantial offensive cyber capabilities against American targets, especially critical infrastructure, especially down the road.

So far, the most significant defacement linked to Iran targeted the Federal Library Depository Program, which was hacked by an entity or group calling itself “Iran Cyber Security Group Hackers” that put up a photo of Trump getting punched. (The FLDP site was also defaced by “Turkey Cyber Pirates” in 2012.) 

Adam Meyers, the vice president of intelligence at the cybersecurity company CrowdStrike, which keeps tabs on Iranian hacktivists as part of the general cyber threat landscape, said hacktivists like Behzad and Vaker are “exactly who you think you are.” 

“They’re people with a security awareness who operate in Iran, typically teenagers and young men in their 20s, who are engaged in security and the hacker scene,” Meyers told The Verge. “They largely engage in defacement and tend to be more focused on web-based technology like [web programing language] PHP and Wordpress.”

Many of the victims of defacement didn’t want to speak to the press about what happened, but, resoundingly, they weren’t major hubs of the US military, government, business, or culture. Some of the sites seemed abandoned or were URL redirects to sites that sell clothes. Those who were willing to speak about it shrugged it off.

On Tuesday, a site for CPI Pipe and Steel, an Oklahoma company that makes heavy-duty steel feeding troughs for livestock, instead showed Behzad’s name, alongside the message “Suleimani was not a person/he was a belief/Beliefs never die.”

“We’re not anybody of interest,” laughed CPI Pipe and Steel owner Carolyn Tolle. “If they were really trying to do something they’d try to hack something more protected. I would guess this is like a startup guy, a newbie into the business.”