Data Leak Outs Students of Iran's MOIS Training Academy TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsApplication SecurityMalicious NPM Packages Disguised With 'Invisible' DependenciesMalicious NPM Packages Disguised With 'Invisible' DependenciesbyRob WrightOct 29, 20254 Min ReadApplication SecurityAI-Generated Code Poses Security, Bloat ChallengesAI-Generated Code Poses Security, Bloat ChallengesbyRobert Lemos, Contributing WriterOct 29, 20256 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificRecent in World See AllThreat IntelligenceSilver Fox APT Blurs the Line Between Espionage & CybercrimeSilver Fox APT Blurs the Line Between Espionage & CybercrimebyNate Nelson, Contributing WriterAug 8, 20253 Min ReadThreat IntelligenceIran-Israel War Triggers a Maelstrom in CyberspaceIran-Israel War Triggers a Maelstrom in CyberspacebyNate Nelson, Contributing WriterJun 19, 20255 Min ReadThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsLibraryNewslettersPodcastsReportsVideosWebinarsWhite papers Partner PerspectivesSEE ALLThreat IntelligenceCybersecurity OperationsCybersecurity CareersCyberattacks & Data BreachesNewsBreaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia PacificData Leak Outs Students of Iran's MOIS Training AcademyData Leak Outs Students of Iran's MOIS Training AcademyData Leak Outs Students of Iran's MOIS Training AcademyA school for the Iranian state hackers of tomorrow has itself, ironically, been hacked.Nate Nelson, Contributing WriterOctober 30, 20254 Min ReadSource: Karen Roach via Alamy Stock PhotoFuture members of Iranian state intelligence have been outed in an anonymous data leak.On Oct. 22, British-Iranian activist Nariman Gharib published a list of more than 1,000 people associated with the Ravin Academy to the open Web. Ravin Academy is a sanctioned Iranian cybersecurity school tied to the government's umbrella advanced persistent threat (APT) group APT34 (aka MuddyWater, Helix Kitten, OilRig).Gharib did not disclose any details about the means by which he obtained the data, though from context the attack smells of anti-Iranian hacktivism.The victim suggested as much in a Telegram post obtained and translated by The Register. A statement copping to the breach suggested that "this incident, coupled with the repeated publication of false and misleading content in the past, has the goals of damaging the reputation of this academy, undermining security in Iran, and harming the standing of the National Olympiad in the field of cybersecurity."That latter clause refers to Ravin Academy's "Tech Olympics" event currently running at Tehran's Pardis Technology Park. According to local media, the event involved more than 12,000 participants from 66 countries, 1,100 of whom traveled to Tehran for the final round. Participants from the Middle East, Asia, and Europe have been competing in skills challenges related to artificial intelligence (AI), Internet of Things (IoT), cybersecurity, and more. The event appears to be significant in legitimizing Iran generally, and Ravin Academy specifically, as major players in the international technology sphere. "Given the media efforts over the past year to achieve the aforementioned goals, it is natural that the opponents and international competitors of this event seek to damage this great national achievement," Ravin wrote.Related:China Hackers Test AI-Optimized Attack Chains in TaiwanWhat Is the Ravin Academy?The Ravin Academy was founded in November 2019 by two employees of Iran's Ministry of Intelligence and Security's (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. Humorously, they registered their purportedly independent institution to an address just two city blocks from Iran's Ministry of Information and Communication Technology (ICT), the agency primarily responsible for implementing Iran's oppressive Internet censorship. ICT is also critical to national cybersecurity, and plays support to the MOIS cyberattack operations.Ravin Academy claims to be a regular cybersecurity training school. According to a variety of Western government and research organizations, it is in fact an MOIS project designed to train and funnel cybersecurity and hacking talent to the government.Related:'Confucius' Cyberspy Evolves From Stealers to Backdoors in PakistanMultiple countries run or at least collaborate with falsely independent academic institutions. Doing so allows the government agency in the background to more effectively recruit talented young people, and claim plausible deniability when stories like this come out. Before the ties between state and school get outed, representatives of such institutions might enjoy access to international conferences and opportunities to collaborate on research projects.School settings also allow for a variety of activities that would otherwise seem suspicious or offensive in a government context. For example, a school can provide a degree of ethical cover in teaching students how to hack computers.PwC analysts outlined how that works in the case of Ravin Academy, in a report published in 2022. They described how in March 2020, Ravin Academy published a proof-of-concept (PoC) exploit for CVE-2020-0688, a high-severity remote code execution (RCE) bug in Microsoft Exchange, to GitHub. On Sep. 23, 2020, a webinar from Ravin Academy demonstrated a PoC exploit for the critical Netlogon vulnerability, CVE-2020-1472. In a campaign during September and October 2020, MuddyWater was exploiting those two vulnerabilities, using the very same techniques outlined by the school.Related:Chinese APT Leans on Researcher PoCs to Spy on Other CountriesIn sanctioning the school, the US Treasury Department wrote that "Ravin Academy assists the MOIS with a variety of cyber services, including information security training, threat hunting, cyber security, red team, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research." Ravin Academy has also earned sanctions from the UK and European Union (EU).The Hackers of Iran (and also Ordinary Citizens)The published Ravin Academy data includes more names, phone numbers, Telegram usernames, and national ID numbers. Gharib also obtained student ID numbers and information about the classes each student attended, but did not include this data in his leak site.Reporters at The Register combed through the data, and discovered a couple of notable patterns. Firstly, a majority of the individuals they were able to identify did not come from cybersecurity backgrounds. Instead they were associated with other STEM fields, including mechanical engineering, electrical engineering, fluid dynamics, and machine learning (ML). If Ravin Academy is pulling talent from across industries, it might indicate the significance with which Iran is treating its national cyber operations.More concerningly, reporters found that a number of named individuals were academics, of whom a "sizable subset" were associated with Western universities.It's also worth noting that because Ravin Academy doesn't advertise its state ties to students, many of those named on Gharib's leak site may not have known they were enrolled in a state-tied institution, and may never be employed by the Iranian government.As Gharib put it, "This operational security failure undermines the company's public credentials while simultaneously exposing individuals who enrolled in what they may have believed were legitimate professional development programs."Read more about:DR Global Middle East & AfricaAbout the AuthorNate Nelson, Contributing WriterNate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."See more from Nate Nelson, Contributing WriterMore InsightsIndustry ReportsMiercom Test Results: PA-5450 Firewall WinsSecurity Without Compromise Better security, higher performance and lower TCOThe Total Economic Impact™ Of Palo Alto Networks NextGeneration FirewallsHow Enterprises Are Harnessing Emerging Technologies in CybersecurityWorldwide Security Information and Event Management Forecast, 2025--2029: Continued Payment for One's SIEMsAccess More ResearchWebinarsThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesMeasuring Ransomware Resilience: What Hundreds of Security Leaders RevealedMore WebinarsYou May Also LikeEditor's ChoiceCybersecurity OperationsElectronic Warfare Puts Commercial GPS Users on NoticeElectronic Warfare Puts Commercial GPS Users on NoticebyRobert Lemos, Contributing WriterOct 21, 20254 Min ReadKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeNov 13, 2025During this event, we'll examine the most prolific threat actors in cybercrime and cyber espionage, and how they target and infiltrate their victims.Secure Your SeatWebinarsThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterTues, Nov 18, 2025 at 1pm ESTSecuring the Hybrid Workforce: Challenges and SolutionsTues, Nov 4, 2025 at 1pm ESTCybersecurity Outlook 2026Virtual Event | December 3rd, 2025 | 11:00am - 5:20pm ET | Doors Open at 10:30am ETThreat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesTuesday, Oct 21, 2025 at 1pm ESTMeasuring Ransomware Resilience: What Hundreds of Security Leaders RevealedThu, Oct 23, 2025 at 11am ESTMore WebinarsWhite PapersThe NHI Buyers GuideThe AI Security GuideTop 10 Identity-Centric Security Risks of Autonomous AI AgentsModern DevSecOps: 6 Best Practices for AI-Accelerated SecurityThriving in the Age of AI: 6 Best Practices for Secure InnovationExplore More White PapersDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of Use

A recent data leak exposed sensitive information of over 1,000 individuals associated with the Ravin Academy, a cybersecurity training institution in Iran linked to the country’s Ministry of Intelligence and Security (MOIS). The leak, orchestrated by British-Iranian activist Nariman Gharib, revealed personal details such as names, phone numbers, Telegram usernames, national ID numbers, and student IDs. The data was published on the open web on October 22, 2025, and appears to be part of an anti-Iranian hacktivist operation. The Ravin Academy, which the U.S. Treasury and other international bodies have sanctioned for its role in training state-sponsored hackers, is tied to APT34 (also known as MuddyWater), an advanced persistent threat group linked to cyberespionage and hacking campaigns targeting global entities. The leak coincided with the ongoing “Tech Olympics” event in Tehran, a high-profile international competition involving over 12,000 participants from 66 countries. The academy’s statement, as reported by *The Register*, suggested that the breach aimed to damage its reputation, undermine Iran’s cybersecurity standing, and disrupt the event, which it framed as a “national achievement.” The incident underscores the growing intersection of state-sponsored cyber operations and educational institutions, as well as the risks posed by such programs to individuals who may not be aware of their connection to government agencies.

The Ravin Academy, founded in 2019 by two MOIS employees, Seyed Mojtaba Mostafavi and Farzin Karimi, operates under the guise of a legitimate cybersecurity training school. However, investigations by organizations like PwC have revealed its direct ties to the Iranian state, including its role in developing and disseminating exploits used by APT34. For instance, the academy published proof-of-concept (PoC) exploits for critical vulnerabilities like CVE-2020-0688 (Microsoft Exchange) and CVE-2020-1472 (Netlogon) on GitHub, which were later exploited by APT34 in real-world attacks. The U.S. Treasury’s sanctions against the academy highlight its multifaceted role in supporting MOIS operations, including threat hunting, malware analysis, and penetration testing. Despite its public claims of being a neutral educational institution, the academy’s activities reflect a broader strategy by Iran to cultivate cyber talent while maintaining plausible deniability. The data leak, however, exposed the operational vulnerabilities of such programs, as many students may have enrolled without realizing they were participating in a state-backed initiative.

The leaked data also revealed that the majority of individuals associated with the academy did not have traditional cybersecurity backgrounds. Instead, they came from diverse STEM fields such as mechanical engineering, electrical engineering, and machine learning (ML), suggesting that Iran is actively recruiting talent from broader technical disciplines to bolster its cyber capabilities. This approach aligns with the academy’s stated mission of identifying and training individuals for roles in cyber operations, which could include both offensive and defensive cybersecurity tasks. More concerning is the presence of academics linked to Western universities, raising questions about the potential for espionage or knowledge transfer. The leak also highlighted a critical gap in operational security: by not disclosing its state affiliations, the academy failed to inform students about the implications of their participation. As activist Gharib noted, this lack of transparency could expose individuals to risks they were unaware of, including potential scrutiny from international authorities or entanglement in state-sponsored activities.

The leak’s timing and context further complicate the narrative. The breach occurred amid heightened tensions in the Middle East, particularly between Iran and Israel, which have seen a surge in cyberattacks and countermeasures. The Iranian government has increasingly leveraged cybersecurity as both a defensive tool and an offensive capability, with APT34 engaging in campaigns against entities in the Middle East, Asia, and beyond. The exposure of the Ravin Academy’s students could have broader geopolitical implications, as it may lead to increased scrutiny of Iran’s cyber infrastructure and its human resources. Additionally, the leak could disrupt the academy’s efforts to position itself as a legitimate player in global cybersecurity initiatives, such as the Tech Olympics. While the event aims to elevate Iran’s profile in the tech sector, the data breach risks undermining its credibility and creating reputational damage for participants who may now face suspicion or diplomatic consequences.

The incident also raises ethical and legal questions about the role of state-sponsored educational institutions in cyber warfare. By disguising its operations as academic, the Ravin Academy exploits the trust associated with educational institutions to recruit individuals who might otherwise avoid direct involvement with government intelligence agencies. This strategy allows the Iranian state to maintain a veneer of independence while cultivating a pipeline of skilled hackers and cybersecurity professionals. However, the leak demonstrates the risks of such an approach: when ties to state actors are exposed, individuals may lose their professional credibility or face legal repercussions. For example, students who were unaware of the academy’s connections could find their careers jeopardized if they are later linked to activities tied to APT34 or other state-sponsored groups. This dynamic underscores the complex interplay between education, national security, and individual agency in the digital age.

The leak also highlights the broader trend of hacktivist groups targeting state-aligned institutions to expose perceived injustices or challenge authoritarian regimes. Gharib’s actions, while controversial, reflect a growing phenomenon where activists use data leaks to hold governments accountable for their cyber activities. This approach, however, carries risks, as it can inadvertently harm individuals who are not directly involved in state-sponsored operations. The Ravin Academy’s statement, which accused its adversaries of seeking to “damage the reputation of this academy, undermine security in Iran, and harm the standing of the National Olympiad,” suggests that such leaks are often perceived as attacks on national interests. This framing complicates efforts to address the ethical implications of data breaches, as it blurs the line between whistleblowing and cyber warfare.

In addition to its immediate consequences, the leak may have long-term effects on Iran’s cybersecurity strategy. The exposure of student data could deter potential recruits from enrolling in the academy, particularly if they fear retaliation or surveillance. It may also prompt Iran to strengthen its efforts to compartmentalize its cyber operations, potentially leading to more covert recruitment methods or the establishment of additional institutions with similar objectives. On the international stage, the incident could fuel calls for stricter oversight of state-sponsored cyber training programs and increased transparency in how governments collaborate with educational institutions. However, given the opaque nature of many such programs, enforcing accountability remains a significant challenge.

The data leak also serves as a cautionary tale about the vulnerabilities of digital infrastructure in state-sponsored projects. The fact that Gharib was able to access and disseminate sensitive information highlights the potential for internal or external breaches within such institutions. This underscores the need for robust cybersecurity measures, not only to protect against external threats but also to prevent insider leaks or accidental disclosures. For the Ravin Academy, the breach represents a significant setback, as it undermines its efforts to present itself as a credible and independent entity. The incident may also prompt the Iranian government to reassess its approach to cyber education, potentially shifting toward more closed or restricted programs that minimize exposure to external scrutiny.

Ultimately, the leak of the Ravin Academy’s student data illustrates the intricate relationship between education, cybersecurity, and state power. While the academy was designed to cultivate talent for Iran’s cyber operations, its exposure has revealed the fragility of such models in an era of heightened digital transparency. The incident raises critical questions about the ethics of state-sponsored training programs, the risks faced by individuals who participate in them, and the broader implications for global cybersecurity. As nations continue to invest in cyber capabilities, the Ravin Academy case serves as a reminder of the complex trade-offs between national interests and individual privacy, as well as the potential consequences of operating in the shadows of state power.