The Iranian Hackers Behind Raavin Academy’s “Cybersecurity” Training

The Raavin Academy, which officially offers cybersecurity training, is in fact recruiting hackers to work for Iran’s Ministry of Intelligence. Iran International has uncovered key figures within this group of government-affiliated hackers from Iran.

Two years ago, when mass protests erupted in Iran, hackers aided the government in identifying and suppressing protest participants. In November 2022, the U.S. Department of State imposed sanctions on the Raavin Academy due to the involvement of its employees in these crackdowns. Later, a report from the UN Human Rights Council named the Academy as a participant in human rights violations in Iran.

New revelations disclose that under the guise of a cybersecurity academy, hackers are being recruited to work for the Ministry of Intelligence. The recruitment process is camouflaged as “technological olympiads” organized by the scientific department of the president’s administration and the technology park. The most promising specialists are selected at these competitions, destined to become “friendly hackers” working in the country’s interests.

The Academy’s story begins in 2019, when two young employees of the Ministry of Intelligence registered the non-profit organization “Avai Houshmand Ravin.” The official purpose of the NGO was cybersecurity education, but in reality, it became a hub for training hackers who support the actions of Iranian intelligence services.

Iran International has obtained data on 16 key Academy employees, who operate under the cover of instructors and board members. These individuals are involved in money laundering and recruiting new members into the hacker groups.

Among the founders of the Academy is its current director, Majid Mostafavi, who previously was part of the leadership at “Abrarovan,” a company that enforced internet censorship in Iran. Under his management, hackers from the Academy carried out cyberattacks on the foreign and defense ministries of Turkey.

Another founder is Farzin Karimi, who previously chaired the Academy’s board of directors and now serves as an instructor. Karimi was also responsible for a series of cyberattacks on Saudi Arabia’s oil facilities.

A further key participant is Parsa Sarrafian, who is in fact Hossein Siahpoush, the leader of the hacker group Darkbit, which in 2023 attacked the Technion — a university in Haifa, and previously claimed responsibility for attacks on Tel Aviv’s municipality and Israeli healthcare systems.

The leaders of the Academy are agents of the Islamic Republic, engaging in cyber piracy and recruitment for the regime. No longer anonymous figures operating under pseudonyms, they are now known individuals connected to the Academy of the Ministry of Intelligence, serving the government’s objectives. Hacker groups affiliated with Raavin Academy have conducted cyberattacks on systems in Italy, Algeria, Jordan, Turkey, Saudi Arabia, Iraq, and Pakistan.