Ravin Academy

The Talent Pipeline Behind Iran’s Cyber Warfare
Advanced Persistent Threats | October 28, 2025

A newly exposed data breach reveals how a government-linked cyber training center became the backbone of Iran’s offensive operations.

A massive data leak from Ravin Academy, a Tehran-based cybersecurity institute long suspected of supplying hackers to the Ministry of Intelligence (MOIS) and the Islamic Revolutionary Guard Corps (IRGC), has turned speculation into verifiable evidence. The leaked registration files, listing students, instructors, and technical courses, map the human network behind Iran's most persistent cyber-espionage campaigns.

Cyber researcher Nariman Gharib first disclosed the breach on October 23, 2025, publishing excerpts from a spreadsheet that contained names, phone numbers, and Telegram IDs of more than a thousand trainees. Hours later, Ravin's managers confirmed an "unauthorized intrusion" on their Telegram channel, conceding that user data had been stolen but insisting that "some names were falsified." The timing was politically charged: the attack occurred days before Iran's state-sponsored "Technology Olympiad" in Pardis Tech Park, where Ravin was slated to recruit participants.

What the leak exposed

The Excel archive obtained by Gharib contained registration details for multiple technical cohorts, including course identifiers and instructors’ usernames. While he withheld individual course data for privacy reasons, the sample set offered a first-ever look into the internal structure of Iran’s state-run cyber talent pipeline. For analysts, it confirmed what Western intelligence assessments had claimed since 2020: that Ravin functions not as a civilian school but as an official capacity-building arm of the Islamic Republic’s cyber apparatus.

Origins and structure

Founded in 2019 under the corporate name Avaye Houshmand Ravin LLC, the academy markets itself as a private institute for "ethical hacking and information security." Its website, social-media campaigns, and registration with Iran's Ministry of ICT give it an air of legitimacy. Yet public U.S. Treasury designations tell another story. In October 2022, the Office of Foreign Assets Control (OFAC) sanctioned Ravin Academy for "providing offensive cyber services to the MOIS and IRGC-IO" (the IRGC Intelligence Organization), citing courses in red-team operations, malware reverse engineering, digital forensics, and exploit development.

The two co-founders, Seyed Mojtaba Mostafavi and Farzin Karimi Mazlaghan Chay, were themselves MOIS operatives. Treasury records show they registered the company in late 2019 to "organize and direct" government-backed hacker groups under an academic façade. This dual-use model served a strategic purpose: it created a legally registered front that could scout and groom skilled youth while maintaining deniability abroad.

Beyond the classroom

Ravin’s advertised portfolio extends well beyond education. Public statements and leaked contracts describe a full spectrum of services for Iranian agencies:

  • Defensive and offensive training (Blue Team / Red Team).
  • Penetration testing and threat simulation missions resembling live attack drills.
  • Digital forensics and malware analysis used for internal investigations.
  • Vulnerability assessment and continuous threat hunting.
  • Development of custom exploits and mobile attack tools.

The overlap with the MOIS’s operational toolkit is unmistakable. Britain’s 2023 sanctions notice explicitly described Ravin as “acting directly or on behalf of the MOIS in conducting offensive cyber operations.” OFAC likewise linked the academy’s graduates to the disruption of protesters’ communications during Iran’s 2022 uprising, constituting, in the language of human-rights law, direct participation in domestic repression.

Architects of Iran’s APT ecosystem

Both founders have long operational histories within the Islamic Republic’s Advanced Persistent Threat (APT) landscape.

Farzin Karimi, known online as Farzin K., previously led MuddyWater (tracked by Secureworks as Yellow Nix and by Microsoft as Mango Sandstorm, formerly Mercury; not to be confused with APT34, the designation for OilRig below), one of Iran's most prolific espionage units, active across the Middle East since 2017. Before establishing Ravin, Karimi reportedly worked with Nooranet, a contractor tied to the IRGC's cyber division.

His counterpart Mostafavi had earlier ties to OilRig (APT34), another MOIS-run network, known among other things for supply-chain intrusions. Leaks by the hacktivist group Lab Dookhtegan in 2019 exposed his affiliation and internal MOIS correspondence.

These biographies explain why Ravin’s managerial staff overlaps with Iran’s operational units: the school was conceived by practitioners, not professors.

The DarkBit connection

The faculty roster further blurs the line between teacher and operator. One senior instructor, known publicly as Parsa S., was identified by Iran International as Hossein Ferd-Siahpoosh, a Ravin board member and ringleader of the DarkBit ransomware group responsible for the February 2023 attack on the Technion (Israel Institute of Technology) in Haifa.

Subsequent forensic analyses by multiple CTI firms found substantial overlap between DarkBit's tooling and MuddyWater's frameworks, suggesting that Ravin staff coordinated both. The case demonstrated how the Islamic Republic masks state attacks behind pseudo-independent hacktivist brands.

Linking curriculum to real-world attacks

Technical correlations first emerged in PwC’s 2022 report “A Muddy, Advanced Persistent Teacher.” Researchers compared Ravin’s public training materials with malware samples and exploitation routines observed in live MuddyWater operations. They found that Ravin instructors had published proof-of-concept (PoC) code for vulnerabilities such as CVE-2020-0688 and Zerologon (CVE-2020-1472) weeks before those exploits surfaced in actual attacks.

Microsoft's threat-intelligence team independently concluded that MuddyWater operators were "likely trained or mentored through Ravin-affiliated programs." The parallel timing between classroom demonstrations and field deployments underscored how the academy served as a bridge between theory and state-sponsored espionage.

The recruitment pipeline

Ravin’s talent-acquisition model mirrors that of military academies. Entry-level candidates complete prerequisite certifications (Network+, MCSA, Security+). Only top performers advance to intensive Red-Team and Network Penetration modules, where instructors quietly flag promising students to MOIS liaison officers.

This outsourced screening system allows the government to identify highly skilled yet ideologically moderate youths who might otherwise avoid direct employment in the intelligence bureaucracy. In effect, Ravin converts freelance penetration testers into disciplined state operators.

Gamifying selection: CTFs and the “Lovely Hackers”

Since 2023, Ravin has organized national Capture-the-Flag (CTF) competitions and the so-called Technology Olympiad, public tournaments that test attack-and-defense scenarios. Under the guise of academic outreach, these events serve as recruitment filters.

Iran International reported that Ravin secretly ran the 2024 Olympiad with sponsorship from the Vice Presidency for Science and Technology and Pardis Tech Park, aiming to identify top contestants for government service. Internal slides referred to “Lovely Hackers,” a term coined by Ravin’s marketing team for “patriotic hackers” loyal to the Islamic Republic.

Western analysts view such gamified programs as modern equivalents of Cold-War talent scouting, where competition and ideology converge into a controlled pipeline of cyber cadets.

Academic partnerships and front companies

Ravin also collaborates with ostensibly private firms that are themselves security cut-outs. One joint course on Threat Hunting (125 hours) was co-hosted with Khatam University and a start-up named Sparask. Open-source investigations traced Sparask’s technical director, identified by Lab Dookhtegan as Omid P., an MOIS operative, illustrating how “private” entities form the connective tissue of the state’s cyber ecosystem.

Through such partnerships, Ravin embeds state curricula into university programs, blurring academic autonomy and intelligence training.

Strategic value for the Islamic Republic

In a country isolated by sanctions and brain drain, Ravin solves a structural problem: how to cultivate advanced cyber expertise without access to Western institutions. By importing global frameworks like MITRE ATT&CK and SANS SEC504, then re-contextualizing them for offensive missions, the academy accelerates Iran’s adaptation of world-class tradecraft.

This hybrid capacity-building shortens the technological gap with adversaries and sustains continuous APT operations even under export controls. Ravin effectively localizes Western know-how into the Islamic Republic’s command hierarchy.

Consequences of the 2025 breach

The October 2025 leak delivered two distinct shocks.

Operational security failure. A body that claims to teach cyber defense could not protect its own data, a “dark irony,” as multiple analysts noted. The breach undermined trust among Iranian IT professionals who had registered for legitimate training, revealing their information to journalists and foreign governments.

Exposure of human infrastructure. Cross-referencing leaked phone numbers with LinkedIn and GitHub profiles enables investigators to identify individuals embedded in MOIS and IRGC-affiliated projects. For the first time, Iran’s cyber army can be mapped person-by-person rather than inferred from malware samples.
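As an added illustration of the cross-referencing step described above (example code written for this page, not from the original article or from any investigator's toolkit), the block below normalizes the two identifier types a registration dump of this kind would carry, phone numbers in mixed Iranian formats and Telegram handles, and joins them against a second, constructed dataset standing in for public profiles. Every name, number, handle and profile URL in it is invented; the point is the normalization and the identifier-based join, not the records.

```python
import re

# Constructed sample records standing in for a leaked registration sheet.
# All names, numbers and handles are invented for this example.
LEAK_ROWS = [
    {"name": "Student A", "phone": "0912 345 6789", "telegram": "@StudentA"},
    {"name": "Student B", "phone": "+98 935-000-1111", "telegram": "t.me/studentb"},
    {"name": "Student C", "phone": "00989121112222", "telegram": "https://t.me/Student_C"},
    {"name": "Student D", "phone": "not provided", "telegram": ""},
]

# Constructed records standing in for public profiles (LinkedIn, GitHub, etc.).
PROFILE_ROWS = [
    {"profile": "profiles.example/a", "phone": "+989123456789", "telegram": "studenta"},
    {"profile": "profiles.example/x", "phone": "+989350001112", "telegram": "nobody"},
    {"profile": "profiles.example/c", "phone": "", "telegram": "@student_c"},
]


def normalize_phone(raw):
    """Return an Iranian mobile number as E.164 (+98 plus ten digits) or None.

    Accepts 09xxxxxxxxx, 98xxxxxxxxxx, +98xxxxxxxxxx and 0098xxxxxxxxxx with
    any mix of spaces, dashes or parentheses. Anything else is rejected rather
    than guessed, so a junk field never produces a false join key.
    """
    digits = re.sub(r"\D", "", raw or "")
    if digits.startswith("0098") and len(digits) == 14:
        digits = digits[4:]
    elif digits.startswith("98") and len(digits) == 12:
        digits = digits[2:]
    elif digits.startswith("0") and len(digits) == 11:
        digits = digits[1:]
    # Iranian mobile numbers are ten digits beginning with 9.
    if len(digits) == 10 and digits.startswith("9"):
        return "+98" + digits
    return None


def normalize_telegram(raw):
    """Reduce '@Name', 't.me/Name' or 'https://t.me/Name' to a lowercase handle.

    Telegram usernames are 5-32 characters of letters, digits and underscore;
    anything that does not fit that shape returns None.
    """
    handle = (raw or "").strip().lower()
    handle = re.sub(r"^(https?://)?(www\.)?t\.me/", "", handle)
    handle = handle.lstrip("@")
    return handle if re.fullmatch(r"[a-z0-9_]{5,32}", handle) else None


def row_keys(row):
    """Set of normalized identifiers present in one record."""
    keys = {normalize_phone(row.get("phone")), normalize_telegram(row.get("telegram"))}
    keys.discard(None)
    return keys


def build_index(rows):
    """Map each normalized identifier to the records that carry it."""
    index = {}
    for row in rows:
        for key in row_keys(row):
            index.setdefault(key, []).append(row)
    return index


def cross_reference(leak_rows, profile_rows):
    """Return {leak name: sorted list of matching profile URLs}.

    A match on either identifier is enough. A record with no usable
    identifier (or a planted name with no real contact data) matches nothing,
    which is exactly the behaviour an analyst wants when the data owner claims
    some entries were falsified.
    """
    profile_index = build_index(profile_rows)
    matches = {}
    for row in leak_rows:
        hits = {p["profile"] for key in row_keys(row) for p in profile_index.get(key, [])}
        if hits:
            matches[row["name"]] = sorted(hits)
    return matches


if __name__ == "__main__":
    for name, profiles in cross_reference(LEAK_ROWS, PROFILE_ROWS).items():
        print(f"{name}: {', '.join(profiles)}")
```

Because the join is on normalized identifiers rather than on names, the "some names were falsified" defence cuts both ways: a fabricated name with no real phone number or handle drops out silently, while a genuine number written three different ways still resolves to one key. The same normalization is what an investigator would apply before deduplicating the dump itself.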

International repercussions

Following the 2022 OFAC action, both the European Union and United Kingdom added Ravin Academy and its principals to their sanctions lists in 2023 for “serious human-rights violations and censorship support.” The Canadian government adopted parallel measures soon after.

These designations prohibit financial transactions, freeze assets, and criminalize collaboration. For Iranian engineers abroad whose names appear in the leak, association with Ravin may now constitute grounds for investigation under counter-terrorism and export-control statutes.

Human-rights organizations note that Ravin’s graduates were directly involved in disabling protester networks and enforcing digital censorship during the 2022–2023 crackdown, acts falling within the Islamic Republic’s systematic suppression of free expression.

A mirror held up to the regime

Beyond the legal consequences, the breach exposes a paradox at the heart of Iran's cyber strategy. A regime that prides itself on digital sovereignty failed to secure its own training hub. The event tarnished Ravin's domestic credibility and, ironically, validated years of Western reporting that Iranian "private academies" double as state intelligence fronts.

Dozens of former students have since deleted their online profiles. Recruiters who once courted them now face heightened scrutiny from banks, universities, and potential employers.

The broader pattern: institutionalized denial

Ravin embodies the Islamic Republic's preferred blueprint for offensive cyber operations: create lawful-looking entities (companies, universities, competitions) that conceal military and intelligence objectives. This structure provides plausible deniability while enabling rapid mobilization of skilled labor.

Other sanctioned firms such as AmnBan and Nooranet follow the same script. But Ravin’s exposure demonstrates that the façade is brittle. In cyberspace, where every database can be exfiltrated, secrecy decays faster than doctrine.

Outlook

In the short term, the Islamic Republic will likely rebrand Ravin under a new corporate identity, migrating its instructors and curricula. Yet the global spotlight now ensures that any successor institution will inherit the stigma of being a state recruitment front. For Western defenders, the leaked dataset offers a rare opportunity to track Iranian operators across future campaigns.

For Iranians themselves, it raises deeper questions: How many young specialists believed they were learning cybersecurity only to become instruments of digital repression? And what happens when the walls of secrecy collapse from within?