Iranian National Arrested for $3.4 Billion University Cybercrime Spree
Montenegrin authorities, with FBI assistance, arrested an Iranian national accused of orchestrating cyberattacks against over 150 U.S. universities, causing billions in damages that allegedly benefited Iranian state entities.

Montenegrin law enforcement, working with the FBI, has arrested a 39-year-old dual Iranian and Turkish citizen wanted by the U.S. government on a string of cybercrime charges. The suspect, arrested in Kotor, is charged in the U.S. District Court for the Southern District of New York with conspiracy to commit computer fraud, hacking, and identity theft. Since 2013 he is alleged to have orchestrated mass cyberattacks against more than 150 American universities, causing damages estimated at over $3.4 billion. Investigators assert that the stolen data and compromised academic credentials directly benefited the Islamic Revolutionary Guard Corps and other Iranian state entities. The case now goes to a High Court judge for formal extradition hearings, and follows recent warnings from U.S. cybersecurity agencies about escalating Iranian state-sponsored operations against domestic critical infrastructure.
In a separate development, Peter Stokes, a 19-year-old dual United States and Estonian citizen, has been extradited to the U.S. to face federal charges. Stokes is identified as a core member of the UNC3944 cybercrime group, also known as Scattered Spider or 0ktapus. Finnish authorities initially detained him at Helsinki airport as he attempted to board a flight to Japan. Prosecutors accuse him of orchestrating multiple high-profile corporate breaches through aggressive social engineering of IT help desks to bypass multi-factor authentication controls, typically by talking support staff into resetting or re-enrolling a target's MFA factors.
UNC3944 has been linked to significant intrusions, including the May 2025 compromise of a multibillion-dollar retailer, in which the group demanded an $8 million ransom and caused more than $2 million in operational disruption and remediation costs. Its activity is global: the group is blamed for more than 100 network intrusions that together have yielded upwards of $100 million in extortion payments. Stokes remains in federal custody in Chicago on charges of fraud, conspiracy, and computer intrusion.
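As an added illustration (not code from the article, the indictment, or any identity provider), the following Python sketch shows the detection a defender would want for the help-desk pattern described above: a help-desk-initiated MFA reset followed within a short window by enrollment of a device the user has never used, with any logins from that device and their countries attached to the alert. The event schema, the sample events and the per-user device baseline are all constructed for this example.

```python
"""Correlate help-desk MFA resets with rapid re-enrollment from an unknown device.

Added example for this article; the event schema below is hypothetical, not any
real identity provider's log format, and the events are constructed."""
from datetime import datetime, timedelta

# Constructed sample events.
# jdoe: help-desk reset, then an unknown device enrolls 3.5 minutes later and logs in from NG.
# asmith: help-desk reset, but the re-enrollment is a day later from an already-known device.
EVENTS = [
    {"ts": "2025-05-10T09:02:00", "type": "helpdesk.mfa_reset", "user": "jdoe",
     "actor": "helpdesk-agent-7", "device": None, "country": None},
    {"ts": "2025-05-10T09:05:30", "type": "mfa.enroll", "user": "jdoe",
     "actor": "jdoe", "device": "dev-new-91", "country": "US"},
    {"ts": "2025-05-10T09:06:10", "type": "auth.login", "user": "jdoe",
     "actor": "jdoe", "device": "dev-new-91", "country": "NG"},
    {"ts": "2025-05-10T11:00:00", "type": "helpdesk.mfa_reset", "user": "asmith",
     "actor": "helpdesk-agent-2", "device": None, "country": None},
    {"ts": "2025-05-11T11:30:00", "type": "mfa.enroll", "user": "asmith",
     "actor": "asmith", "device": "dev-known-3", "country": "US"},
]

# Constructed per-user device baseline (devices seen before the reset).
KNOWN_DEVICES = {"jdoe": {"dev-known-1"}, "asmith": {"dev-known-3"}}

WINDOW = timedelta(minutes=30)


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_resets(events, known_devices, window=WINDOW):
    """Alert on help-desk MFA resets followed within `window` by enrollment of a device
    that is not in the user's baseline. Logins from unknown devices inside the same
    window are attached so an analyst sees where the new factor was used from."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, reset in enumerate(events):
        if reset["type"] != "helpdesk.mfa_reset":
            continue
        t0 = parse_ts(reset["ts"])
        known = known_devices.get(reset["user"], set())
        new_devices = {}          # device id -> minutes after the reset it enrolled
        login_countries = set()
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) - t0 > window:
                break             # events are sorted, so nothing further is in the window
            if later["user"] != reset["user"] or later["device"] in known:
                continue
            if later["type"] == "mfa.enroll":
                new_devices[later["device"]] = (parse_ts(later["ts"]) - t0).total_seconds() / 60
            elif later["type"] == "auth.login":
                login_countries.add(later["country"])
        for device, minutes in new_devices.items():
            alerts.append({
                "user": reset["user"],
                "reset_by": reset["actor"],
                "device": device,
                "minutes_after_reset": minutes,
                "login_countries": login_countries,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS, KNOWN_DEVICES):
        print(alert)
```

Run as-is it raises one alert, for jdoe: a never-seen device enrolled 3.5 minutes after the help-desk reset and then logged in from a different country. asmith is not flagged because the re-enrollment came a day later from a device already in the baseline. In practice the window, the baseline source and the help-desk event type come from your identity provider's log, and the alert is stronger when paired with whether the help-desk ticket recorded a callback or identity check before the reset.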
Meanwhile, CISA and the FBI have issued a joint warning about an evolution in phishing campaigns by Russian state-sponsored actors. The campaigns now specifically aim to steal Signal backup recovery keys from high-value individuals, including government officials, military personnel, journalists, and policy analysts. This is a significant step beyond earlier tactics, which focused on harvesting registration verification codes or tricking users into linking an attacker-controlled device to their account.
The new modus operandi has attackers posing as official Signal support staff. They send direct messages falsely claiming that the platform requires mandatory two-factor verification because of alleged international cyberattacks. The operators then walk the victim through enabling Signal's Secure Backups feature and instruct them to paste the newly generated recovery key directly into the chat. With that key, the adversary can download and decrypt the victim's entire historical message archive onto devices under their own control. Recovery is not automatic: re-registering a new account on the same phone number does not invalidate a compromised key, so affected users must generate a new backup key in the app's settings to protect future backups (anything already exfiltrated stays readable).
The U.S. Department of State has announced a reward of up to $10 million for information leading to the identification or location of the operatives behind these campaigns. Through its Rewards for Justice program, federal authorities are seeking actionable intelligence on the groups' operational infrastructure, funding mechanisms, and direct affiliations with Russian intelligence services.
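As an added illustration of why the advice is to rotate the key rather than re-register, here is a deliberately simplified model in Python. It is not Signal's backup code or protocol. It makes one labelled assumption: that the backup encryption key is derived from the recovery key alone and takes no account identity as input, which is exactly the property the mitigation advice depends on. The toy cipher (an HMAC-SHA256 keystream with an HMAC tag) and the HKDF helper exist only to make the demonstration run offline with the standard library.

```python
"""Toy model: the backup archive is bound to the recovery key, not to the account.

Added example for this article, not Signal's implementation. Assumption (stated in
the lead-in): the backup key is derived from the recovery key only, so changing
account state (re-registering the phone number) does not change it."""
import hashlib
import hmac
import os
import secrets


def generate_recovery_key(nbytes=32):
    """Fresh random recovery key: the secret the phishers ask the victim to paste."""
    return secrets.token_bytes(nbytes)


def hkdf_sha256(ikm, info, length=32, salt=b""):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def backup_key(recovery_key):
    # Modelling assumption: only the recovery key feeds the derivation. No phone
    # number, account id or device id is mixed in, so re-registration is irrelevant.
    return hkdf_sha256(recovery_key, b"toy-backup-key")


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode as a toy keystream (demonstration only)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_backup(recovery_key, plaintext):
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    k = backup_key(recovery_key)
    enc_key, mac_key = hkdf_sha256(k, b"enc"), hkdf_sha256(k, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_backup(recovery_key, blob):
    """Returns the plaintext, or None when the key is wrong or the blob was tampered with."""
    k = backup_key(recovery_key)
    enc_key, mac_key = hkdf_sha256(k, b"enc"), hkdf_sha256(k, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def scenario():
    """Compromise, then re-registration, then key rotation; who can read what."""
    victim_key = generate_recovery_key()
    archive = b"2025-06-01 alice: the meeting moved to room 4"   # constructed sample
    blob = encrypt_backup(victim_key, archive)

    leaked_key = victim_key                      # pasted into the fake "support" chat
    attacker_reads = decrypt_backup(leaked_key, blob)

    # Re-registering the same number changes account state, not the key, so a
    # backup made afterwards with the unchanged key is still readable.
    blob_after_reregister = encrypt_backup(victim_key, archive + b" (after re-register)")
    attacker_after_reregister = decrypt_backup(leaked_key, blob_after_reregister)

    # Generating a new recovery key is what locks the attacker out of future backups.
    rotated_key = generate_recovery_key()
    blob_after_rotation = encrypt_backup(rotated_key, archive + b" (after rotation)")
    attacker_after_rotation = decrypt_backup(leaked_key, blob_after_rotation)

    return {
        "attacker_reads_original": attacker_reads == archive,
        "attacker_reads_after_reregister": attacker_after_reregister is not None,
        "attacker_reads_after_rotation": attacker_after_rotation is not None,
        "owner_reads_after_rotation": decrypt_backup(rotated_key, blob_after_rotation) is not None,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point the model makes is structural: because nothing about the account enters `backup_key`, the only action that changes what the attacker can decrypt is producing a new recovery key, and even that only protects backups made after the rotation.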
In a separate incident, the Department of Homeland Security (DHS) is investigating a cyberattack on its Homeland Security Information Network (HSIN), the platform used to share sensitive but unclassified information among federal, state, local, and private-sector partners as well as international entities. The intrusion, by a threat actor that has not been identified, occurred between late May and early June and targeted HSIN's core servers and a SharePoint environment used for interagency collaboration.
The full extent of the data exposure remains unclear and no foreign government or criminal group has been officially blamed, but concern is heightened by the platform's role in real-time incident management and intelligence exchange. With the U.S. overseeing security for upcoming World Cup matches, experts worry the breach could have exposed security planning, response procedures, and communication protocols. A departmental spokesperson confirmed the incident, saying it involved an unclassified legacy system that has since been isolated and mitigated; officials emphasized that classified networks were not affected and that the primary system remains operational.