IRGC hackers
Image: A State Department notice offering $10 million for information leading to the arrest of three Iranian hackers.

US charges three Iranians allegedly behind Trump campaign hack

Three Iranian nationals have been indicted in the U.S. for their alleged role in the hack of former President Donald Trump’s campaign

The Justice Department on Friday unsealed indictments of Seyyed Ali Aghamiri, Yasar Balaghi and Masoud Jalili — three alleged hackers believed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).

The indictment covers their activities from 2020 to September 2024, alleging that in addition to hacking and stealing documents from Trump’s campaign, they targeted current and former U.S. officials and members of the U.S. media “all in an attempt … to undermine our democracy,” FBI Director Christopher Wray said. 

“So let’s be clear what we’re talking about — attempts by a hostile foreign government to steal campaign information from one presidential candidate, and shop it around to that candidate’s opponent and the media,” he added. 

“And while there’s no indication any of the recipients of the stolen campaign information replied, Iran’s intent was clear — to sow discord and shape the outcome of our elections.”

Attorney General Merrick Garland held a press conference on Friday warning that Iran has continued to target Trump's campaign with both physical threats and hacking attempts. 

The three men, who according to Garland are all based in Iran, are being charged with material support for terrorism, computer fraud, wire fraud and identity theft for their role in the years-long hacking campaign.

The State Department is also offering a $10 million reward for information on their whereabouts. 

Basij Resistance Force and Soleimani

The 37-page indictment says the three men impersonated government officials and created fake personas to carry out spearphishing attacks designed to trick people into responding or into downloading malicious content. They then used their access to email accounts to steal information and launch further attacks. 

Alongside more long-term geopolitical goals, the hackers wanted to help "avenge the death of Qasem Soleimani" — a senior Iranian official killed in a military strike in January 2020 — the indictment claims.

Jalili, 36, is allegedly a member of the Basij Resistance Force, a paramilitary volunteer militia within the IRGC, and has been involved in hacking operations since 2005.

The indictment contains detailed information about the IP addresses Jalili used to launch the attacks and even contains a photo of the front door of the physical address where he may have operated. 

Like Jalili, both Aghamiri, 34, and Balaghi, 37, are believed to be based in Tehran and work for the Basij Resistance Force. 

Throughout the four years before the incident involving Trump’s campaign, the hackers allegedly targeted and attempted to compromise officials within the Justice Department, Defense Department, State Department, United States Agency for International Development, the National Security Agency, the CIA, the White House, National Security Council, Senate and House of Representatives. 

Prosecutors added that they found evidence of the three targeting accounts of officials at the United Nations, a major U.S. newspaper, several think tanks and human rights organizations. 

In at least one instance, they created email accounts impersonating the wife of an unnamed Supreme Court justice. 

The indictment lists at least one former senior government official at the State Department whose account was successfully breached. The official was responsible for Middle East policy and was integral to the Abraham Accords

A former Homeland Security adviser to Trump also had a personal account compromised, as was an account belonging to a former U.S. ambassador to Israel and a former deputy director at the CIA. 

Trump campaign attacks

According to the DOJ,  the hackers had shifted their focus to hacking Trump’s presidential re-election team by April, and successfully breached five formal and informal advisers to the campaign.

The hackers used their access to some accounts to send messages to others, leveraging the identity of an unnamed person to get people to click malicious links or download documents with malware.

On June 27 — the day of the debate between President Joe Biden and Trump — the hackers used a fake email address to send documents stolen from Trump’s campaign to two officials within the Biden campaign. 

The indictment includes a copy of the email, which claimed to contain the final preparation documents Trump used ahead of the first debate. 

"You must know that the first debate is [Biden's] 'last chance', and if he loses the debate, you will have to replace [Biden] with another candidates [sic]," the hackers said in the email. 

The Biden official never responded to the email. One of the two emails did not go through so the hackers tried another email address connected to the second Biden official, who also did not answer. 

On July 3, the hacker sent the stolen documents to a third person connected to the Biden campaign, writing that he sent the material to the first two people but “it seems nobody cared and nobody contacted me for more materials.” 

“I have a lot in my pocket and can be one of your best chances in this rally,” the hacker said.

The third Biden official also did not respond. U.S. agencies last week confirmed that Iranian actors offered the stolen documents to Biden’s campaign but never got a response. 

From there, the hackers tried to take some of the materials — the vetting documents of vice presidential candidate JD Vance — to several newspapers. They attempted to goad reporters into covering the stolen documents by claiming other rival outlets were planning articles on the information.

At least one reporter exchanged several emails with the hackers. On Thursday, a reporter published the vetting documents of Vance and was suspended from X for attempting to publicize them. 

The FBI told reporters on Friday that it cannot be sure that the hackers no longer have access to the affected email accounts and the agency is still in contact with the victims.

Sanctions and alerts

The indictments were issued alongside sanctions and alerts from the U.S. and U.K. Cybersecurity agencies within both countries issued a joint 14-page advisory outlining the recent cyber activity of IRGC actors. 

The agencies warned of the tactics described in the indictment and listed several other tools the IRGC has used to target both presidential campaigns as well as “current or former senior government officials, senior think tank personnel, journalists, activists, and lobbyists.”

The Treasury Department also sanctioned seven Iranian officials, including Jalili, who allegedly sought to influence or interfere in the 2024 and 2020 presidential elections. 

The sanctions included people employed by Emennet Pasargad, an Iranian cybersecurity company that has previously been implicated in hacking attempts targeting Israel and the 2020 presidential election.  

Google Threat Intelligence Group’s John Hultquist told Recorded Future News that Iran’s government controls “multiple contractors who have carried out many of the most audacious cyber incidents we have seen in the Middle East, Europe, and the U.S.”

Attorney General Garland said the indictments and actions taken by the U.S. government in recent weeks against operations by Russia, China and Iran should serve as a warning shot to countries attempting to influence the 2024 presidential election. 

“We know that Iran is continuing its brazen efforts to stoke discord, erode confidence in the U.S. electoral process and advance its malign activities,” he said.

“These authoritarian regimes which violate the human rights of their own citizens do not get a say in our country's democratic process. The American people and the American people alone will decide the outcome of our country's elections.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.