The latest materials from the Charming Kitten network access reveal three significant findings that expand our understanding of Iran’s APT35 cyber operations: complete salary records for operative teams, expanded surveillance platform capabilities, and a classified 2004 document connecting Iran’s obtained IAEA inspection materials to Department 40 assassination targeting.
The leaked materials document unprecedented compensation data for both the Sisters Team (Aqiq) and Brothers Team (Pelak1), providing direct visibility into how Iran’s state-sponsored hacking units compensate their personnel.
The Sisters Team’s salary records from April-May 2025 reveal a clear hierarchical structure. Senior operatives earn approximately $200 monthly, while junior or part-time personnel receive minimal compensation.
Leila Sharifi earns the highest salary at $220 per month, followed by Parisa Zare at $215. The distribution demonstrates a tiered system reflecting operational seniority.
Notably, the presence of two individuals with the surname Nadafi (Narges and Atieh) at dramatically different pay grades suggests possible familial recruitment patterns within the unit, with Narges earning $102 monthly while Atieh receives only $5.
The Brothers Team financial records document eighteen male operatives with comparable salary structures.
Senior personnel such as Mohammad Hassan Hassanzadeh Vozhdeh and Omid Fallah earn approximately $250-270 monthly, while junior members like Davood Bayat receive $39. The highest-paid individual, Davood Akbari Mojadar, earns $330 monthly.
These records complement previously documented organizational structures, confirming team sizes and providing financial identifiers that enable sanctions authorities and investigators to trace IRGC payment networks and identify potential front companies facilitating compensation.
Kashef Surveillance Platform
The expanded Kashef platform footage reveals the full scope of Iran’s integrated surveillance system, demonstrating capabilities extending far beyond cyber operations.
The system aggregates data from multiple IRGC Intelligence Organization departments, including geographic divisions focused on the Persian Gulf Zone, Israel, the United States, and foreign nationals.
The platform integrates specialized databases tracking foreign travel of Iranians (777+ visible records), dual nationals, students abroad, visits to diplomatic premises (494+ visible records), Iranian embassy staff, and international journalists.
This integration creates a comprehensive surveillance infrastructure targeting Iranian citizens based on their contacts and movements.
Personal data collection capabilities are extensive. The system records national identity numbers, passport details, birth information, family relations including parents’ and spouses’ names, contact information, and professional background.
Notably, the system explicitly categorizes Iranian citizens by religious sect specifically Shia or Sunni enabling religious profiling of the population.
The platform’s diplomatic surveillance demonstrates sophisticated intelligence gathering. Kashef monitors visits to foreign embassies in Tehran, recording vehicle details, license plates, entry and exit times, and intelligence annotations referencing “Internal agents” and “Embassy agents.”
Border crossing records track passport numbers, specific crossing points, religious sect, and destination travel. A visible progress indicator shows a “merge process” at 99% completion, indicating cross-referencing capabilities that combine records across multiple databases into comprehensive individual profiles.
The IAEA Document
A classified 2004 Ministry of Intelligence letter retrieved from Abbas Rahrovi’s personal computer provides historical context for Department 40’s targeting of Olli Heinonen.
The document, dated May 19, 2004, notified senior military leadership that Iranian intelligence had obtained confidential IAEA inspection documents regarding Iran’s heavy water reactor program at Arak.
The letter references 27 pages of classified IAEA technical reports authored by Olli Heinonen and three colleagues, plus 18 inspection questions the IAEA planned to pose during their May 2004 Arak facility visit.
Heinonen later served as IAEA Deputy Director-General for Safeguards from 2005 to 2010, playing the central role investigating Iran’s nuclear program.
Significantly, Heinonen appears on Department 40’s surveillance and assassination target list.
The department conducting cyber espionage maintains parallel target packages for kinetic operations, and this 2004 document demonstrates why Heinonen became priority targeting he authored the confidential assessments that Iranian intelligence successfully obtained and possessed detailed knowledge of international nuclear oversight objectives.
Handwritten annotations reveal handling by Ahmad Vahidi, then IRGC Quds Force commander and currently Iran’s Minister of Interior (wanted by Interpol for the 1994 AMIA bombing), and reference to the Fakhrizadeh Institute.
Mohsen Fakhrizadeh headed Iran’s covert AMAD nuclear weapons program before his 2020 assassination.
That Fakhrizadeh’s organization appears on a 2004 document concerning IAEA inspections directly connects his institute to nuclear program operations years before his role became publicly known internationally.
The exposed salary records, surveillance platform scope, and IAEA document collectively transform abstract threat actor designations into documented employment relationships while demonstrating how Iran’s cyber capabilities integrate with broader intelligence objectives spanning nuclear program protection, international official targeting, and comprehensive domestic population surveillance.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.