Inside Iran's Espionage Epidemic: How Tehran Recruited Dozens of Israeli Spies Through Social Media, Cash, and Coercion

On May 8, 2026, Israeli authorities filed indictments against three IDF soldiers and one civilian arrested two months earlier in Tel Aviv on suspicion of espionage for Iran [1]. The four suspects had maintained contact with Iranian intelligence operatives since adolescence, photographing train stations, shopping centers, and security cameras, and were at one point instructed to purchase weapons [1]. The case was the latest in what Israeli security officials now describe as an espionage "epidemic" — a sustained, high-volume Iranian campaign to recruit ordinary Israeli citizens through social media platforms, small cash payments, and blackmail [2].

The Scale of the Surge

The numbers tell a stark story. According to the Shin Bet's January 2026 annual report, approximately 25 Israelis and foreign residents were indicted in 2025 alone for espionage on behalf of Iran, with more than 35 indictments filed and 120 Iranian espionage incidents thwarted that year [3]. Recruitment attempts rose by 400% in 2024 compared to 2023, and then by another 400% in 2025 over 2024 [4]. Since the outbreak of the Gaza war in October 2023, over 50 indictments have been filed against Israeli citizens for spying on Tehran's behalf [2].

[Chart: Iranian Espionage Cases Against Israel (2020-2025)]

The Washington Institute for Near East Policy documented 39 known Iranian espionage plots targeting Israel between 2013 and 2025, 31 of which involved Israeli nationals as operatives [5]. Of those 31 cases, more than 45 individual participants were identified across multiple spy rings [5]. The most prolific single case involved seven Jewish Israelis — immigrants from Azerbaijan living in Haifa — who carried out approximately 600 missions over two years, photographing military bases, sensitive infrastructure, and the movements of senior military officials [6].

Former Shin Bet handler Gonen Ben Itzhak, who spent years recruiting sources within Palestinian society, told Fox News Digital that he had never previously seen so many attempts — and successful cases — of espionage against Israel [1].

The Recruitment Pipeline: From Graffiti to Assassination

Iran's intelligence services have adopted what experts describe as a "spray-and-pray" model — flooding social media platforms with offers of quick cash for seemingly innocuous tasks, then gradually escalating demands [2]. The pipeline follows a documented four-phase pattern [4]:

Phase 1: Contact and minor tasks. Iranian handlers infiltrate WhatsApp and Facebook groups used by Israelis seeking freelance work, or reach out through Telegram, Instagram, and X [1][4]. Recruits are offered $50 to $200 for tasks like spraying graffiti, putting up posters, or checking hidden bags in public places [4][5].

Phase 2: Escalation. Payments increase to $200–$1,000 for surveillance of shopping malls, hospitals, and public spaces, or for arson attacks [4].

Phase 3: Military intelligence. Recruits are asked to photograph IDF bases, weapons systems, or the homes of security officials, with payments of $1,000–$5,000. One Iron Dome reservist was offered $1,000 in cryptocurrency for information on the missile interception system [7][8].

Phase 4: Assassination and sabotage. At the top of the escalation ladder, recruits have been offered $60,000 to $200,000 for assassination contracts targeting scientists, academics, and senior officials [5][8]. In one case, the transition from initial contact to an assassination proposal occurred within nine days [5].

[Chart: Iranian Spy Recruitment Payment Escalation by Task Phase. Source: Jerusalem Post / Washington Institute. Data as of May 9, 2026.]

Payments are almost exclusively delivered via cryptocurrency. Of 31 documented cases involving Israeli perpetrators, 20 involved monetary compensation through digital wallets [5]. One network of seven suspects collectively received approximately $300,000, while at the other extreme, one soldier received just $21 [1].

Blackmail as a Recruitment Tool

Beyond financial inducements, Iranian handlers have used compromising material to coerce cooperation. Israeli police reported that Iranian agents infiltrate pornography websites frequented by Israelis, collecting material that is later used as blackmail to force compliance [1]. Captain Sefi Berger of the Israel Police noted that "when recruiting a person, a relationship can develop between the handler and the spy," describing a process where emotional dependency and fear of exposure become the primary mechanisms of control [1].

The blackmail component typically enters the pipeline after initial financial engagement. Once a recruit has completed early tasks and accepted payments — creating a paper trail of cooperation with an enemy state — handlers shift from offering rewards to issuing threats, backed by evidence of the recruit's existing involvement [4][5].

Who Iran Is Targeting — and Why

The demographic profile of those arrested has confounded expectations. During 2024–2025, recruits included active-duty IDF soldiers, reservists, ultra-Orthodox yeshiva students, immigrants from the former Soviet Union and Azerbaijan, married couples, and teenagers as young as 13 [3][4]. The oldest suspect was 73 [5]. Over half of documented recruits were in their teens or twenties [5].

The shift is significant. Before the Gaza war, Iranian intelligence relied primarily on Arab-Israeli citizens or Palestinians for recruitment. The recent wave predominantly involves Jewish Israeli citizens [4]. The seven-member Azerbaijani-origin spy ring from Haifa — all Jewish — included two minors aged 16 and 17, as well as a soldier who had deserted the military [6].

This broad demographic targeting reveals Iran's strategic calculus: rather than attempting to recruit individuals with existing access to classified material — a slow, difficult process with high failure rates — Tehran is casting a wide net, testing thousands of potential recruits with low-cost initial tasks before investing in those who show willingness to escalate [5]. The goal is less about placing moles in sensitive positions than about building distributed networks capable of providing tactical intelligence — photographs of infrastructure, locations of security cameras, movement patterns of officials — that can support operational planning for attacks [4].

Researchers from the Dor Moriah Analytical Center identified broader societal conditions that make this approach viable: economic hardship, ideological alienation following the October 7 security failures, weakened deterrence, and declining social cohesion [4]. Intelligence journalist Yossi Melman characterized the phenomenon as reflecting "the deterioration of society" [2].

The Encryption Problem: Why Platforms Are Both Tool and Obstacle

Iranian recruitment operates primarily through end-to-end encrypted messaging services — WhatsApp, Telegram, and Signal — that present structural obstacles for Israeli counter-intelligence. WhatsApp's encryption means that even if the Shin Bet identifies a suspect, message content is not accessible to law enforcement without physical access to the device [9].

The relationship between Meta (WhatsApp's parent company) and Israeli intelligence is further complicated by the NSO Group spyware controversy. Meta sued NSO in 2019 after the Israeli firm exploited WhatsApp vulnerabilities to install Pegasus spyware on approximately 1,400 users worldwide [9]. In May 2025, a U.S. jury found NSO liable and ordered $168 million in damages [9]. Reports from The Guardian in July 2024 revealed that the Israeli government had seized documents from NSO's offices in an apparent effort to prevent disclosure during that lawsuit [9].

This legal backdrop makes platform cooperation with Israeli law enforcement requests politically fraught. While Israeli authorities can and do obtain metadata — who communicated with whom, and when — through legal processes, the content of recruitment conversations on encrypted platforms typically becomes available only after a suspect's arrest and device seizure [9].

Counter-Intelligence Effectiveness: What Gets Detected

Israeli security agencies have prevented all known Iranian assassination plots during 2024–2025, according to official reports [4][5]. The Shin Bet reported thwarting 120 espionage incidents in 2025 alone, along with 85 Iranian cyberattacks linked to assassination planning [3][10].

But these numbers require careful interpretation. The 120 "thwarted" incidents include cases at every stage of the recruitment pipeline — from initial contact to advanced intelligence gathering. The question of how many recruitment approaches succeeded without detection is, by definition, unanswerable from public data. One indicator of intelligence compromise: in at least one documented case, a military base was photographed before it was subsequently targeted by a drone attack, suggesting that intelligence collected by recruits may have been operationally useful to Iran [4].

The conviction lag is also telling. Despite over 50 indictments filed since October 2023, as of early 2026 only one defendant — Elimelech Stern, a 22-year-old ultra-Orthodox yeshiva student from Beit Shemesh — had been convicted, receiving a three-year prison sentence and a NIS 10,000 ($3,200) fine [11]. Most cases remain in the court system. The most severe prior conviction was that of former Energy Minister Gonen Segev, sentenced to 11 years in 2019 for espionage for Iran [11].

Legal Consequences and the Citizenship Question

Israeli espionage law provides for severe penalties: up to 15 years for contact with foreign agents, over 10 years for providing intelligence, and life imprisonment or death for aiding the enemy during wartime [1]. The seven Azerbaijani-origin suspects from Haifa face potential charges of "cooperation with the enemy" — carrying a maximum sentence of life imprisonment [6].

In February 2026, Prime Minister Benjamin Netanyahu ordered legal proceedings to revoke the citizenship of Israelis convicted of wartime espionage for Iran [12]. The move was described as unprecedented because it extends citizenship revocation — previously considered primarily for Arab-Israeli citizens involved in terrorism — to Jewish Israeli citizens [12].

The question of differential treatment between Jewish and Arab-Israeli defendants is difficult to assess with available data. The current wave of prosecutions disproportionately involves Jewish defendants because the recruitment campaign itself has disproportionately targeted Jewish Israelis [4]. Whether sentencing patterns differ along ethnic lines will become clearer only as the dozens of pending cases reach verdicts.

The Steelman Case for Skepticism

There are reasons for caution about the official narrative. The Mondoweiss analysis of the espionage wave argued that Israeli discourse "performs alarm so thoroughly that the frenzy itself becomes reassuring," suggesting that the state "has learned to metabolize panic as a form of governance" [2]. The critique raises a legitimate question: how much of what is being described as a "coordinated state program" might instead involve low-level opportunists responding to Iranian-linked scripts circulating on social media without meaningful direction from Tehran's intelligence apparatus?

Several factors support this skepticism. The vast majority of documented recruits had no access to classified information. Many of the "missions" involved photographing public locations — train stations, shopping centers — that are visible on Google Maps. Payments were often trivially small. And the conviction rate remains extremely low relative to the number of arrests and indictments [5][11].

On the other hand, the escalation pattern — from graffiti to weapons procurement to assassination contracts — suggests a level of operational planning inconsistent with freelance opportunism. The seven-member Haifa cell's 600 missions over two years, including intelligence on military bases and security chiefs, represent sustained, directed activity [6]. And the Shin Bet's track record of preventing assassination attempts suggests that at least some of the operations it detects involve genuine threats [4].

The truth likely lies between the extremes: Iran is running a mass-recruitment operation that generates many low-value contacts alongside a smaller number of operationally significant penetrations. Whether the Israeli legal system's response is proportionate to each individual's actual role — versus the aggregate threat — is a question the courts will answer case by case.

Comparative Context

Iran's social-media recruitment model differs from the approaches attributed to Russia and China. Russian intelligence services — the GRU and SVR — have traditionally favored LinkedIn-based approaches targeting individuals with existing security clearances, offering higher compensation and investing more heavily in individual relationships [13]. Chinese intelligence has similarly focused on targeted recruitment of individuals with specific technical access, using professional networking platforms and academic conferences as vectors [13].

Iran's "spray-and-pray" approach is lower in per-target investment but broader in reach — an adaptation that reflects both Iran's weaker human intelligence infrastructure compared to Russia or China, and the specific vulnerabilities of Israeli society during a period of prolonged conflict and social stress [5][13]. Israeli intelligence assessments characterize Iran as a "third-tier cyber power" compared to Russia and China, but one that has effectively exploited the lack of preparedness of its targets [13].

What Comes Next

The escalation curve shows no sign of flattening. Each successive year since 2022 has brought more cases, more indictments, and more ambitious operations. The Shin Bet has launched public awareness campaigns targeting teenagers, and Israeli authorities are pursuing enhanced social media monitoring, tighter vetting of immigrant populations, and stricter controls on reserve personnel access to classified information [3][4].

These measures carry their own risks. Enhanced surveillance of immigrant communities — particularly those from former Soviet and Caucasus states, who are overrepresented among recruits — raises civil liberties concerns and risks stigmatizing entire populations based on the actions of a small number of individuals [4]. The citizenship-revocation policy adds another layer of controversy, particularly given its historical association with measures directed at Arab citizens [12].

The fundamental challenge remains structural: encrypted messaging platforms provide the infrastructure for recruitment that is difficult to monitor proactively, cryptocurrency enables payments that are hard to trace in real time, and the sheer volume of Iranian recruitment attempts means that some fraction will inevitably succeed before detection. Israeli counter-intelligence has demonstrated an ability to identify and disrupt these networks after they form — but the gap between initial recruitment and detection remains the space where damage occurs.

Sources (13)

  [1] Israeli police say Iran using WhatsApp, Facebook, blackmail to recruit spies as latest attempt foiled (foxnews.com)
      Israeli police investigated over 20 Iranian espionage cases involving 40-50 suspects; indictments filed May 8 against three soldiers and one civilian for espionage since adolescence.

  [2] Israelis are being recruited as spies for Iran in what security experts call an espionage 'epidemic' (mondoweiss.net)
      Over 50 indictments filed since October 2023; analysis of societal vulnerabilities driving recruitment susceptibility and critical perspective on state narrative.

  [3] Shin Bet: 25 Israelis indicted for Iran espionage in 2025 (jpost.com)
      Shin Bet annual report: 25 indicted, 35 indictments filed, 120 espionage incidents thwarted in 2025; 85 cyberattacks linked to assassination plots foiled.

  [4] Iran's 400% espionage surge in Israel: Rising threats and societal vulnerabilities (jpost.com)
      400% increase in recruitment attempts in both 2024 and 2025; four-phase escalation model from graffiti to assassination; recruits aged 13-73 across all demographics.

  [5] Spy Versus Spy: Iran's Playbook for Espionage in Israel (washingtoninstitute.org)
      39 documented Iranian plots (2013-2025), 31 involving Israeli nationals; 20 of 31 cases involved cryptocurrency payments; no assassination plots succeeded.

  [6] Seven Jewish Israelis arrested for spying for Iran on security figures, IDF bases (timesofisrael.com)
      Seven Azerbaijani-origin Israelis from Haifa carried out 600 missions over two years; charges include cooperation with the enemy, carrying potential life imprisonment.

  [7] Iron Dome reservist soldier indicted for spying for Iran (timesofisrael.com)
      Iron Dome reservist offered $1,000 in cryptocurrency for information on the missile interception system.

  [8] Small jobs, quick cash: How Iran recruits spies inside Israel (ynetnews.com)
      Details on Iran's recruitment methodology including cryptocurrency payments, escalation from minor tasks to intelligence missions, and payment structures.

  [9] This Undisclosed WhatsApp Vulnerability Lets Governments See Who You Message (theintercept.com)
      Government agencies bypassing WhatsApp encryption for metadata; NSO Group lawsuit; Israeli government seizure of NSO documents; Meta-Israel intelligence tensions.

  [10] 85 Iranian cyberattacks linked to killing plots foiled in 2025, Israel says (iranintl.com)
      Israel thwarted 85 Iranian cyberattacks aimed at gathering intelligence for assassinations of senior officials, politicians, journalists and academics.

  [11] Dozens of Israelis accused of spying for Iran, but only one jailed so far as convictions lag arrests (ynetnews.com)
      Only one conviction (Elimelech Stern, 3 years) despite approximately 40 indictments against 60 defendants; most cases still in legal proceedings.

  [12] Israel to revoke citizenship of citizens convicted of spying for Iran (israelhayom.com)
      Netanyahu ordered citizenship revocation proceedings for convicted wartime spies; unprecedented extension of measure from Arab-Israelis to Jewish citizens.

  [13] Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran (smallwarsjournal.com)
      Comparative analysis of state cyber and intelligence strategies; Iran characterized as third-tier cyber power that effectively exploits target unpreparedness.