New details are beginning to emerge about the intelligence and cyber operations that Israel allegedly carried out and that ultimately led to the assassination of Iran’s Supreme Leader Ali Khamenei.
Getting into it: According to both Israeli and US-based news outlets citing senior officials, Israeli intelligence agencies spent years infiltrating Tehran’s surveillance infrastructure, quietly gaining access to the city’s extensive traffic camera network. By hacking into the system, Israel was able to stream encrypted video feeds back to servers in Israel, effectively giving analysts a 24/7 view of activity around sensitive government locations. One camera angle near the Ayatollah’s compound allowed intelligence officers to monitor where members of Khamenei’s security team parked their personal vehicles and track the routines of guards entering and leaving the area. Over time, the footage (along with AI) helped analysts build detailed “pattern of life” profiles on the security detail, mapping out their schedules, routes to work, home addresses, and the officials they were assigned to protect.
The surveillance feeds were combined with other streams of intelligence, including intercepted communications and data pulled from infiltrated mobile networks. Israeli analysts reportedly used advanced algorithms and artificial intelligence tools to sift through massive amounts of data and identify patterns that could reveal when senior Iranian officials were gathering in one place. The result was what officials described as an intelligence “target production” system capable of turning raw surveillance, signals intelligence, and human reporting into precise targeting coordinates. By the time the strike occurred, Israeli intelligence sources claimed they had developed such a detailed understanding of activity in the Iranian capital that they could detect subtle changes in routine around the compound.
Other actions taken: In the hours surrounding the opening of the military campaign, cyber operations intensified. Israeli and US operators reportedly disrupted several mobile phone towers near the compound, causing calls to the security detail to return busy signals and potentially preventing warnings from reaching them. At the same time, hackers targeted Iranian information systems and media platforms, including the hacking of websites and a widely used religious calendar app that briefly displayed messages urging members of Iran’s armed forces to abandon the government. Iranian television networks also experienced technical disruptions and brief hacks as the conflict began and reportedly aired footage of the exiled Iranian crown prince Reza Pahlavi calling on citizens and members of the military to oppose the Iranian government.
Despite all of this, Iran has also attempted to carry out cyber operations abroad (in the lead-up to and aftermath of the strikes). Security researchers say Iranian state-linked hacking groups, particularly the group known as MuddyWater, infiltrated networks belonging to several organizations in North America and elsewhere, including a US bank, an airport, a Canadian nonprofit, and a software company with ties to Israel. Investigators found that the attackers had planted previously unknown backdoor malware known as “Dindoor,” which allowed them to maintain remote access to compromised systems and potentially move laterally through those networks.






