Nariman Gharib's Avatar

Nariman Gharib

@nariman.bsky.social

Britain-based Iranian Activist 🚦 Cyber Espionage Investigator 👁

171 Followers  |  20 Following  |  65 Posts  |  Joined: 30.03.2023  |  1.924

Latest posts by nariman.bsky.social on Bluesky

Sadly, I informed all authorities including DuckDNS in December, but they didn't take it seriously and still haven't shut down either the server or the DuckDNS infrastructure.

22.01.2026 18:18 — 👍 1    🔁 0    💬 0    📌 0
Post image Post image

Salary and wage report for members of the Charming Kitten (#APT35) cyber group in May 2025 based on current exchange rates. This report represents the operational costs of cyber operations against journalists, human rights activists, and political activists in Iran.

10.12.2025 10:26 — 👍 0    🔁 0    💬 0    📌 0
Preview
Charming Kitten Leak Continues: Payroll Data and a Stolen IAEA Document In my previous analyses of the Charming Kitten leak, I examined the organizational structure, target lists, financial infrastructure, and operational capabiliti...

New from the Charming Kitten #APT35 leak: Payroll records exposing 35 IRGC cyber operatives with names, bank accounts, and salaries. Additional footage of the Kashef surveillance platform tracking Iranian citizens. And a classified 2004 document... blog.narimangharib.com/posts/2025%2...

09.12.2025 19:21 — 👍 2    🔁 3    💬 1    📌 0
Preview
a computer screen with a netflix logo on the bottom ALT: a computer screen with a netflix logo on the bottom

wait for it.

09.12.2025 14:45 — 👍 0    🔁 0    💬 0    📌 0
Post image

#CK 194[.]76[.]226[.]226

08.12.2025 11:07 — 👍 0    🔁 0    💬 0    📌 0
Preview
Exclusive: Handala's Thailand Blunder - MOIS Accidentally Exposes Access to Bangkok Airport The cyber group "Banished Kitten," operating under the alias "Handala" and affiliated with the Ministry of Intelligence and Security of Iran (MOIS), has once ag...

The Ministry of Intelligence of the Islamic Republic's cyber group "Banished Kitten", which is operating under the name "Handala", has gained access to Suvarnabhumi Airport (BKK). blog.narimangharib.com/posts/2025%2...

03.12.2025 14:30 — 👍 1    🔁 0    💬 0    📌 0
Preview
European cops shut down crypto mixing website that helped launder 1.3 billion euros | TechCrunch Europol announced the seizure of Cryptomixer’s official website, as well as 25 million euros and 12 terabytes of data from the mixer's service.

NEW: Europol shut down Cryptomixer, a crypto service alleged to have facilitated the laundering of 1.3 billion euros since 2016.

Service was allegedly used by cybercriminals, drug and weapons traffickers, and ransomware gangs.

techcrunch.com/2025/12/01/e...

01.12.2025 18:42 — 👍 10    🔁 7    💬 0    📌 0
Post image Post image Post image

Today I am presenting the call logs from #APT35's IRGC-IO official VoIP services. This exclusive information was previously detailed in episode 4 of the KittenBusters series.
- files.narimangharib.com/other/FanapT...
- files.narimangharib.com/other/Custom...

26.11.2025 15:29 — 👍 1    🔁 0    💬 0    📌 0
Preview
Department 40 Exposed: Inside the IRGC Unit Connecting Cyber Ops to Assassinations A massive leak of internal documents has blown the cover off one of Iran's most active hacking groups. For years, the cybersecurity community tracked them as AP...

new blog post on #APT35 blog.narimangharib.com/posts/2025%2...

24.11.2025 17:00 — 👍 2    🔁 2    💬 0    📌 0
Preview
افشای هویت مدیران «اداره ۴۰» اطلاعات سپاه؛بزرگترین بانک اطلاعاتی جاسوسی تهران

Exposing the identity of "Unit 40" managers of IRGC intelligence;
Tehran's largest espionage intelligence database #APT35 #CharmingKitten
content.iranintl.com/unit40/index...

20.11.2025 14:13 — 👍 2    🔁 1    💬 0    📌 0

Are you ready? Wait for new updates from the kittens. 😆

17.11.2025 09:47 — 👍 0    🔁 0    💬 0    📌 0
Post image

KittenBusters leaked #APT35 infrastructure docs. Using leaked passwords, I accessed their Edis Global accounts & downloaded invoices. They used phone numbers from Russia, Israel & Netherlands with fake addresses, paying via crypto. files.narimangharib.com/other/CK%20-...

29.10.2025 14:17 — 👍 2    🔁 1    💬 0    📌 0
Post image Post image Post image

😀

28.10.2025 10:04 — 👍 0    🔁 0    💬 1    📌 0
Preview
Episode 4: Inside Charming Kitten's Financial Operations and Infrastructure Network The fourth release of leaked documents from Iran's APT35 (Charming Kitten) operation exposes something previous leaks haven't: the complete financial backbone a...

New Charming Kitten APT35 leak shows their entire budget. Bitcoin payments for domains and hosting, ProtonMail accounts (still active, I checked), Iranian shell companies, the whole operation running on maybe $10k.

28.10.2025 00:45 — 👍 5    🔁 4    💬 1    📌 0
Preview
حمله سایبری به آکادمی راوین؛ نشت گسترده اطلاعات دانشجویان آموزشگاه وزارت اطلاعات پایگاه داده جامع حاوی اطلاعات شخصی دانشجویان آکادمی راوین، آموزشگاه مخفی وزارت اطلاعات که ایران‌اینترنشنال پیشتر هویت اعضای آن را افشا کرده بود، به صورت گسترده منتشر شده است.

www.iranintl.com/202510230171

23.10.2025 16:19 — 👍 0    🔁 0    💬 0    📌 0
23.10.2025 12:45 — 👍 0    🔁 0    💬 0    📌 0

Ravin Academy confirmed the breach and published a statement.

22.10.2025 19:04 — 👍 0    🔁 0    💬 0    📌 0

Group-IB Threat Intelligence uncovered a sophisticated phishing campaign orchestrated by the Advanced Persistent Threat (APT) MuddyWater, targeting international organizations worldwide to gather foreign intelligence. www.group-ib.com/blog/muddywa... #RavinAcademy

22.10.2025 09:08 — 👍 0    🔁 0    💬 0    📌 0
Preview
Exclusive: Full Student Database of MOIS-Affiliated Ravin Academy Leaked Based on the intelligence assessments from multiple government agencies, Ravin Academy functions as a MOIS-directed recruitment and training front operating und...

A comprehensive database containing complete registration records of Ravin Academy students has been obtained by me, revealing detailed personal information of individuals enrolled in the organization's training programs.

blog.narimangharib.com/posts/2025%2...

22.10.2025 07:43 — 👍 0    🔁 0    💬 1    📌 2
Post image 18.10.2025 05:01 — 👍 0    🔁 0    💬 0    📌 0
Preview
Part two and three of the leaked Charming Kitten files reveal operations across five continents In my previous analysis of the Charming Kitten leak, I examined the unprecedented breach that exposed the inner workings of an Iranian state-sponsored hacking o...

BellaCiao was developed at Tehran's Shuhada base. Moses Staff & Sahyoun24 weren't independent—all run by the same IRGC unit. MORE... blog.narimangharib.com/posts/2025%2... #APT35

16.10.2025 09:44 — 👍 2    🔁 1    💬 0    📌 0
Post image

t.me/narimangharib

01.10.2025 10:55 — 👍 0    🔁 0    💬 0    📌 0
Preview
Massive Leak Exposes Inner Workings of Iranian Hacking Group Charming Kitten In what appears to be one of the most significant breaches of an Iranian state-sponsored hacking operation to date, an anonymous source has published internal d...

Breaking News: Iranian Advanced Persistent Threat Group #APT35 Has Been Compromised, with Internal Documents Leaked Online

blog.narimangharib.com/posts/2025%2...

30.09.2025 21:14 — 👍 1    🔁 1    💬 1    📌 1
Preview
Teenagers charged over Transport for London cyber attack Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested

BREAKING: Two teenagers charged over 'Scattered Spider' Transport for London cyber attack. About to appear in court for first time. I'm here for BBC so follow the story for updates: www.bbc.co.uk/news/article...

18.09.2025 13:29 — 👍 10    🔁 5    💬 1    📌 1
Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots Rapid Response Mechanism Canada (RRM Canada) has detected a “hack and leak” operation by Iran-linked hacker group, “Handala Hack Team” (Handala). The operation targeted five Iran International journal...

www.international.gc.ca/transparency...

13.09.2025 13:31 — 👍 0    🔁 0    💬 0    📌 0

It's truly enjoyable to see the efforts of the Islamic Republic's cyber forces as they try to use social engineering on me.

10.09.2025 11:48 — 👍 0    🔁 0    💬 0    📌 0
Post image

Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve been seen—and moving faster because of it. 👀

04.09.2025 13:57 — 👍 7    🔁 8    💬 1    📌 0
Preview
Exclusive: How North Korean hackers are using fake job offers to steal cryptocurrency North Korean hackers are saturating the cryptocurrency industry with credible-sounding job offers as part of their campaign to steal digital cash, according to new research, raw data, and interviews.

Granular look here from @ajvicens.bsky.social and I on how job seekers in the crypto currency industry are being bombarded with fake job offers from North Korean hackers. Based on 19 interviews with targets and research from cyber firms @sentinelone.com and Validin

www.reuters.com/world/asia-p...

04.09.2025 16:02 — 👍 7    🔁 4    💬 0    📌 1

There might be some kind of history in my ancestors that I’m not aware of. 😆

03.09.2025 20:12 — 👍 0    🔁 0    💬 0    📌 0
Post image Post image

🤣🤣🤣🤣🤣🤣

03.09.2025 17:57 — 👍 0    🔁 0    💬 1    📌 0

@nariman is following 19 prominent accounts