May 28, 2026

How Iran-Connected Cases Expose a New Insider Risk Pattern


Recent Iran-aligned activity provides a snapshot of how current operations are being carried out. Rather than relying solely on direct military engagement, Iranian-aligned actors continue to apply pressure through proxy activity, remote coordination, and the use of individuals positioned close to intended targets. This approach reduces exposure, limits attribution, and allows activity to continue without committing uniformed forces or overt infrastructure.

Across recent reporting, the operational value comes from access and proximity. Individuals with the ability to move information, reach locations, or carry out discrete tasks become part of a broader operational chain, even when they are not formal members of a terrorist organization or intelligence service. For insider risk teams, this overlaps with familiar patterns seen in misuse, recruitment, and access-driven activity.

Remote proxy tasking and operational direction

The charges against Mohammad Saad Baqer al-Saadi illustrate how this model works in practice. According to court filings and public reporting, al-Saadi coordinated and directed a series of attempted and completed attacks against Jewish community sites and U.S. interests across Europe, Canada, and the United States while operating remotely. The activity relied on digital coordination, tasking, and follow-through rather than physical presence at the target locations.

Mohammed Saad Baqer al-Saadi (right) with Qasem Soleimani, the longtime commander of the IRGC-QF who was killed during a U.S. airstrike in or about 2020. (Picture: U.S. Department of Justice).

Encrypted messaging platforms including Telegram and Snapchat were used to identify individuals, pass instructions, and manage activity. Cryptocurrency was used to move payments, including an initial transfer of approximately $3,000, with additional compensation tied to successful attacks and the delivery of video documentation. The sequence shows how everyday platforms can be stitched together to manage operations end-to-end.

Reporting tied to the same investigation also references broader targeting discussions. Public reporting describes alleged interest in Ivanka Trump, including references to obtaining a layout or blueprint of her Florida residence and threats tied to retaliation narratives following the 2020 killing of Qassem Soleimani.

From an insider risk standpoint, the takeaway is that operational support does not have to look like a corporate login. Local familiarity, proximity, and willingness to act can carry just as much weight when paired with remote direction.

Rahmati and long-term access misuse

The Rahmati case represents a more traditional insider access scenario, but it fits cleanly into this broader pattern. As an FAA contractor, Abouzar Rahmati held legitimate access to sensitive aviation-related information over several years. Reporting indicates that this access was used to collect large volumes of data under the cover of research and professional activity, with files stored on removable media and transported outside the United States.

Former IRGC officer and FAA contractor Abouzar Rahmati.

The activity hinged on time, access, and familiarity with aviation systems and infrastructure. Information of that type retains value long after it leaves an environment, particularly for targeting, vulnerability assessment, and planning in critical infrastructure sectors.

This case highlights two issues that surface repeatedly in contractor-heavy environments. Thorough background checks matter, especially when treated as investigative work rather than administrative steps. Long-term access, when left unexamined, can quietly enable collection that never triggers a technical alert.

Directed sequences, not isolated acts

Across recent Iran-aligned activity, actions tend to occur as directed sequences. Initial contact is followed by tasking, payment, confirmation, and sometimes escalation. Encrypted messaging platforms and social media provide the connective tissue that allows handlers to stay distant while keeping activity moving.

This structure mirrors a pattern recently observed in financially motivated insider cases, where cybercriminal groups recruit insiders at organizations to carry out malicious acts on the group's behalf from within. We apply the lessons learned from that activity to the al-Saadi flow of operations in order to widen our overall field of view for threat awareness.

Participants are not always ideologically driven. In several instances, individuals involved were motivated by payment and opportunity rather than commitment to a cause, making behavior and access patterns more reliable indicators than stated beliefs.

What this means through an insider risk lens

From an insider threat perspective, recent Iranian activity reinforces that risk often shows up in how access is used. This observation applies specifically to insider-style misuse and proxy activity, not to all cyber operations. Credential theft, malware, and exploitation continue in parallel; the difference in the insider cases is that the access already exists.

DTEX reporting shows that in insider-related cases, combinations of behavior tend to matter more than single actions. Messaging platform usage, cryptocurrency access, changes in data handling, removable media use, or shifts in access patterns become meaningful when viewed together and over time. Context comes from whether those actions fit the role, sector, and environment.

This pattern is especially relevant in sectors where access misuse can have broader impact. Aviation, energy, transportation, defense, government-adjacent organizations, finance, and other forms of critical infrastructure remain higher-focus targets because access can support planning, disruption, or future activity beyond immediate data loss.

Closing assessment

Iran-aligned activity in 2026 continues to show how access, proximity, and human intermediaries are being used to create impact. Proxy tasking, remote coordination, and long-term access misuse provide ways to operate without overt escalation. The same mechanics that enable insider data theft or fraud are being applied to reconnaissance, influence, and physical attacks.

Understanding these patterns helps frame risk in concrete terms. When viewed in the broader context of how Iran operates, this activity reflects an approach that avoids direct, conventional confrontation and instead applies pressure through commercial, civilian, and infrastructure-adjacent targets.

Targeting business interests across the region, suspected activity against tank gauge and fuel systems, and disruptions tied to Iranian-aligned proxy elements in healthcare environments all point to a form of conflict that sits below traditional military thresholds but still inflicts real cost. When paired with known Iranian-aligned insider cases and recent reporting on the outsourcing of violence through recruited intermediaries, it reinforces that there is no single playbook or one-size-fits-all response.

The value for organizations comes from leaning forward, not reacting after the fact, and using historical behavior and current indicators to assess where an adversary is most likely to apply pressure next and how access, proximity, and trust may be leveraged to do so.

DTEX i³ helps analysts connect insider risk indicators across behavior, access, and data movement. By correlating signals over time, DTEX i³ helps teams separate routine activity from emerging risk, surface patterns that point to proxy tasking or access misuse, and investigate with the context needed to act earlier and with more confidence. Contact us to learn more or to request a threat briefing.
