Apple alerted Iranians to iPhone spyware attacks, say researchers

Lorenzo Franceschi-Bicchierai

Tue, Jul 22, 2025, 3:57 PM 3 min read

Apple notified more than a dozen Iranians in recent months that their iPhones had been targeted with government spyware, according to security researchers.

Miian Group, a digital rights organization that focuses on Iran, and Hamid Kashfi, an Iranian cybersecurity researcher who lives in Sweden, said they spoke with several Iranians who received the notifications in the last year.

Bloomberg first wrote about these spyware notifications.

Miaan Group published a report on Tuesday on the state of cybersecurity of civil society in Iran, which mentioned that the organization’s researchers have identified three cases of government spyware attacks against Iranians, two in Iran and one in Europe, who were alerted in April of this year.

“Two people in Iran come from a family with a long history of political activism against the Islamic Republic. Many members of their family have been executed, and they have no history of traveling abroad,” Amir Rashidi, Miaan Group’s director of digital rights and security, told TechCrunch. “I believe there have been three waves of attacks, and we have only seen the tip of the iceberg.”

Rashidi said that Iran is likely the government behind the attacks, although there needs to be more investigations into these attacks to reach a more conclusive determination. “I see no reason for members of civil society to be targeted by anyone other than Iran,” he said.

Kashfi, who founded the security firm DarkCell, said in an email that he helped two victims go through preliminary forensics steps, but he wasn’t able to confirm which spyware maker was behind the attacks. And, he added, some of the victims he worked with preferred not to continue the investigation.

Have you received a threat notification from Apple? We’d love to hear from you. From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

”Pretty much all victims spooked out and ghosted us as soon as we explained the seriousness of the case to them. I presume partly because of their place of work and sensitivity of the matters related to that,” said Kashfi, who added that one of the victims received the notification in 2024

It’s unclear which spyware maker is behind these attacks.

Over the last few years, Apple has sent several rounds of notifications to people whom the company believes have been targeted with government spyware, such as NSO Group’s Pegasus, or Paragon’s Graphite. This kind of malware is also known as “mercenary” or “commercial” spyware.