That diplomatic alarm was echoed in criminal courts and federal filings in recent months. In Oslo over the summer, prosecutors put a former security guard at the U.S. Embassy on trial after accusing him of offering building floor plans and security routines to both Russian and Iranian operatives in return for euros and cryptocurrency, an example of how hostile services can monetize even low-level perimeter jobs.
In the United States, a more concrete case played out in federal court this spring when a former Federal Aviation Administration contractor, Abouzar Rahmati, pleaded guilty in April to acting as an unregistered agent of the Iranian government after allegedly seeking aviation and solar-energy technology and passing non-public data to Iran. Prosecutors said the activity combined procurement, intelligence collection, and network building — classic gray-zone tradecraft that can be lethal in aggregate even if individual acts appear isolated.
Moreover, the FBI has publicly sought information on an Iranian intelligence officer it says recruited intermediaries for surveillance and for plots intended as retaliation for the 2020 killing of Qassem Soleimani — showing Tehran remains willing to task operatives to target current or former U.S. officials.
Together, these cases illustrate a pattern more than a single conspiratorial plan.
“Iran’s espionage efforts in the U.S. and allied countries are perhaps increasing, in both frequency and sophistication,” Colin Clarke, a senior research fellow at The Soufan Center, tells The Cipher Brief. “But it goes beyond mere espionage and extends to surveillance and active terror plots.”
Three recurrent patterns
Recent public cases and multiple intelligence assessments indicate three recurring lines of operation.
First: access and mapping. Low-level staff, contractors and service providers have proximity to sensitive facilities. The U.S. embassy case underscores how seemingly peripheral access can be valuable to foreign services. Even information that is not classified—floor plans, guard rotations, contractor lists—can be stitched together into operational value.
Second: procurement and sanctions evasion. Tehran has long sought aviation, dual-use and energy components through front companies and covert procurement channels. The Rahmati plea demonstrates how U.S. contractor credibility can be leveraged to facilitate the movement of goods, knowledge, or lists of potential collaborators. “Sanctions evasion and procurement are treated more as a ‘legitimate’ business opportunity in their eyes,” Matthew Levitt of The Washington Institute noted, distinguishing those networks from strictly human intelligence operations.
Third: transnational repression and violent plotting. The FBI’s public notice about Majid Dastjani Farahani made clear that some taskings included surveillance of religious sites and recruitment for attacks framed as revenge for Soleimani’s killing. That is the line where intelligence collection and terrorism blur—a mixing of objectives that, several experts warned, raises the stakes.
How they recruit — the blunt and the subtle
Recruitment, the experts said, follows both old and new playbooks.
“Recruitment inducements are the same as always: family pressure, financial, ego, gradual approaches, honey traps,” a former senior U.S. intelligence official tells The Cipher Brief on the condition of anonymity. “Tehran has enjoyed the cyber world like everyone else.”
The explicit lever — threats to family back home — is a recurring thread in dozens of post-incident reviews. Historical cases such as the 2013 Manssor Arbabsiar plot are helpful reminders of old patterns; Arbabsiar’s prosecution remains a touchstone for the limits and dangers of outsourced plots.
Clarke also noted that Iran’s services have broadened their toolkit in recent years to “outsource activities to a range of criminal entities, including gangs,” reflecting a hybrid strategy that mixes ideological operatives with transactional cut-outs.
Beth Sanner, the former deputy director of national intelligence for mission integration, stressed the diaspora angle: since the Soleimani strike, Iran has stepped up harassment and plotting against exiles and communities abroad, in countries like Australia and across Europe, and increasingly relies on local criminal networks to carry out deniable tasks, making it incredibly difficult for investigators to draw connections.
“We have not seen Iran be as successful with this in the U.S., that we know of,” Sanner tells The Cipher Brief, “but I think it is only a matter of time.”
Matthew Levitt, senior fellow and director of counterterrorism and intelligence at The Washington Institute for Near East Policy, described the human-cyber fusion that makes modern tradecraft effective. Once operators can access email or scheduling systems, they can combine that intrusion with social engineering to track or manipulate targets.
“Once they had an interest in people like Ambassador Bolton or Secretary Pompeo, they’d want to know where Bolton would be next Tuesday,” he tells The Cipher Brief.
Levitt recounted being spoofed in a recent European operation — emails and ProtonMail contacts posed as him, and an operator even used an American-accented voice on WhatsApp to reinforce the ruse.
The tactic is simple, low-cost and scalable.
The murky middle — law, attribution and the limits of remedies
Part of the problem is structural: Western legal systems punish the actors who are caught, but they often struggle to hold accountable the shadowy operators who task them.
“We punish those involved in operations, not those behind operations,” the anonymous official said. “We handle Iran’s work as a legal issue, not as a state warfare issue.”
That legal framing shapes the available responses — criminal prosecutions, sanctions, diplomatic expulsions — while stopping short of kinetic or overt state-level countermeasures.
That framework, these experts caution, often leaves gaps in deterrence, creating space for Iran to continue experimenting with plots that may appear clumsy but still carry real risk.
Clarke warned that Tehran may have been “amateurish” in some plots. Still, it learns from failure and retains motive: revenge for Soleimani, pressure over nuclear setbacks, and the strategic aim of deterring dissidents.
“It would be a mistake to dismiss the severity of their intent,” he said.
What’s being done — and what should change
Governments are moving earlier in the threat lifecycle. In late June and July, U.S. authorities announced targeted immigration and enforcement actions against Iranian nationals in operations that officials said were designed to disrupt suspected networks and procurement channels. Those arrests, often filed as immigration or export-control violations, signal a preference for prevention over public prosecutions alone.
Experts recommended layered, practical reforms: universities and research centers should bolster insider-risk training and clear reporting pathways; contracting agencies need tighter vetting and monitoring of supply-chain access; allied services must share watchlists and technical indicators more rapidly; and communities vulnerable to transnational repression deserve coordinated consular and protective measures.
Clarke urged more realistic briefings for students and visiting scholars about the risks of coercion and family leverage, while Levitt emphasized the importance of basic cyber hygiene and multi-factor authentication checks that can mitigate social-engineering campaigns.
The longer arc
Iranian intelligence, however, is not a mirror of Russia or China: its budgets, technological reach and bureaucratic sophistication differ.
“The Iranians aren’t as advanced as the Chinese or the Russians,” Clarke noted. “Tehran’s plots have been a bit more amateurish and cumbersome.”
But intent matters. Levitt put it starkly: “Just because some of their operations look like Keystone Cops doesn’t mean they won’t succeed eventually. We have to get it right every time; they only need to succeed once.”
And Sanner warned that a shift toward criminal proxies makes attribution harder and response slower — fueling a permissive environment.
Historically, Tehran has combined state actors and proxies — most infamously through Hezbollah in the 1990s in Latin America — and the pattern of outsourcing persists. The task for U.S. policy is not only to prosecute and sanction when possible, but to harden the soft targets: campuses, contracting pipelines, and diaspora communities that Iran can pressure or co-opt.
Bottom line
Iran’s external operations are diverse and adaptive. They mix old tools — family coercion, diasporic leverage — with modern techniques, including cyber intrusion, online social engineering, and the purchase of deniable cut-outs.
The July 31 allied statement signaled an unusual diplomatic consensus; the public cases in Oslo, Washington and beyond show why that consensus has teeth. However, experts caution that the work to blunt Tehran’s pressure must be sustained, technical and community-level as much as legal and diplomatic.
As one former U.S. intelligence official put it: Iran’s intelligence activity remains “the only threat that is simultaneously urgent, lethal, and strategic.”