European law enforcement authorities have dismantled a large-scale online propaganda network linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), removing around 14,200 links as part of a coordinated crackdown targeting extremist and terrorist-linked content across digital platforms. Led by Europol’s EU Internet Referral Unit, the operation focused on disrupting online ecosystems used to spread propaganda, influence campaigns, and extremist narratives tied to the IRGC, which the European Union recently designated as a terrorist organization.
The action reflects growing concern among European authorities over use of social media and online platforms by state-linked actors to amplify propaganda, coordinate influence operations, and expand extremist messaging across borders.
Under a coordinated Europol-led operation, authorities from 19 countries moved to dismantle online content linked to Iran’s Islamic Revolutionary Guard Corps, targeting propaganda and extremist material circulating across digital platforms. The participating countries included Austria, Belgium, Bosnia and Herzegovina, Bulgaria, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, the Netherlands, Portugal, Spain, Sweden, Ukraine, and the United States. Between Feb. 13 and April 28, investigators carried out synchronized operational phases that involved gathering intelligence, cross-checking targets, and jointly referring IRGC-linked content to online platforms for removal.
“The content was spread across mainstream social media platforms as well as streaming services, blog hosting sites and standalone websites. Propaganda was identified in several languages, including Arabic, Bahasa Indonesia, English, French, Persian, and Spanish,” Europol said in a Monday statement. “The material ranged from speeches blending religious martyrdom narratives with highly charged political messaging to AI-generated videos glorifying the IRGC and calls to avenge the Ayatollah Ali Khamenei.”
It noted that the interconnectedness of IRGC-linked websites operating across multiple languages offered important insights into the network’s online architecture. “Investigating how IRGC propaganda was disseminated and amplified online also supported efforts to trace and remove statements and videos produced by proxy groups and aligned entities, including Hezbollah, Ansar Allah, Hamas, PIJ, and HAYI.”
Europol’s move comes against a backdrop of a complex and evolving threat environment. Terrorist networks are becoming more fluid and continue to adapt their methods, making sustained and coordinated action essential to limit their reach and impact.
U.S. and allied agencies warned last month that these operations increasingly target ICS (industrial control systems) and SCADA (supervisory control and data acquisition) environments capable of causing real-world operational disruption, particularly in water and wastewater facilities. Security researchers and government advisories have also linked IRGC cyber units to malware campaigns aimed at industrial devices, including Rockwell Automation and Unitronics PLCs, underscoring growing concerns over the convergence of geopolitical conflict and operational technology threats.
Europol’s move comes against a backdrop of a complex and evolving threat environment. Terrorist networks are becoming more fluid and continue to adapt their methods, making sustained and coordinated action essential to limit their reach and impact.
Beyond the volume, investigators uncovered how the IRGC continues to grow its digital playbook. “The action revealed the group’s reliance on a network of hosting service providers across multiple jurisdictions, from Russia to the United States, helping it to maintain resilience online. Such providers may have also been offering hosting services before the IRGC’s formal designation, and Europol continues to engage positively with involved Member States and private parties.”
The post disclosed that authorities also identified the use of cryptocurrency transactions to sustain and amplify its online operations – a tactic designed to bypass traditional financial controls.
Last month, Europol published its annual Internet Organised Crime Threat Assessment (IOCTA), outlining how the cybercrime landscape has evolved over the past 12 months, with a focus on emerging threats and shifting criminal tactics. Ransomware remains a dominant threat across the EU, with more than 120 active ransomware brands observed by Europol in 2025. Criminal actors continue to exploit vulnerabilities in the digital supply chain and employ increasingly sophisticated social engineering techniques. The extortion model is shifting away from data encryption toward pure data theft, with attackers increasingly relying on the threat of exposure to force payment.
