The Iran war has a cyber story. It's not the one you're reading

Google warns that US government-originated iPhone hacking kit has spread to Russian intel, Altman calls the backlash to Pentagon deal 'really painful,' Defense contractors expected to jettison Anthropic, CBP is tracking people through online advertising, much more

Metacurity is the only daily cybersecurity newsletter that is written outside the usual cyber press echosphere and is a refreshing alternative to vendor-driven content and PR-flavored threat intelligence.

Please consider supporting my work on Metacurity by upgrading your subscription. Thank you.

The most striking thing about how the press has covered the cyber angle of the Iran war so far is how consistently the actual findings across most reports contradict those stories’ framing. Nearly every piece leads with the implicit premise that a major Iranian cyber response is imminent, inevitable, or already underway — and then buries the lede that it simply isn't happening.

This isn't the first time this year that press coverage has implied a far more dramatic cyber dimension to a US military operation than the evidence supports. When Operation Absolute Resolve targeted Venezuelan leader Nicolás Maduro in January, early reporting treated the Caracas power outage as a "precision cyberattack."

In a piece I wrote for CyberScoop last month, I reported that the reality was considerably messier: videos and photographs from Caracas documented extensive physical damage to at least three substations, and every grid and military expert I spoke with concluded the visible kinetic damage alone was sufficient to account for the outages. Cyber likely played a supporting role — blinding defenders, enabling missiles to get through — but it was not the clean standalone operation the headlines implied. As one expert put it: "If you're going to go in and shoot up the substations, why do you need cyber again?"

Iran is a bigger, more capable foe than Venezuela, and the impulse to hype Iran as a cyber adversary is more understandable. But the gap between narrative and reality is, if anything, wider.

Bloomberg's reporting states flatly that Iranian groups have "gone almost entirely dark" and that active pro-Iranian hacking groups have collapsed from more than 130 during the 2025 conflict to just 17. The piece also quotes security researcher Hamid Kashfi arguing that Iran's cyber capabilities were always more hype than substance, with Western security firms "playing into such concerns to be able to sell their security products."

Even Western security firms are now suggesting that Iran’s current cyber capabilities might be exaggerated. CrowdStrike's Adam Meyers, Cisco Talos, and Palo Alto Networks Unit 42 all independently reached the same conclusion: no large-scale state-sponsored Iranian cyber activity has been observed. The most aggressive confirmed activity is low-level DDoS and website defacements — the digital equivalent of spray paint. Yet across press reports of potential Iranian cyber threats, those findings were packaged in coverage that foregrounded fears of what could happen rather than what is actually happening.

A Wall Street Journal report follows the same pattern: a parade of former officials — ex-CIA, ex-CISA, ex-FBI, ex-Energy Department — attesting that Iran has the capability, has used it before, and could expand its targets. All true but speculative. None of it is a description of anything that is happening in this conflict.

What has actually happened cuts sharply against the narrative that everyone should prepare for Iranian cyber offensives. The most consequential cyber operations of this conflict come from Israel and the US: years of silent camera hacks and mobile network penetration that built the intelligence picture enabling Khamenei's assassination; US Cyber Command disrupting Iranian communications as a first mover in the operation; a prayer app used by five million Iranians hijacked to broadcast surrender instructions to IRGC members.

Iran's hackers, meanwhile, are largely offline — not because they stood down, but because the kinetic strikes have destroyed the infrastructure they depend on. The actual offensive cyber story of this war runs in one direction only. [story continues after the paywall break]