New research from KELA finds that Iranian state-sponsored threat actors have moved well beyond traditional espionage, increasingly blurring the line between nation-state operations and financially motivated cybercrime. Rather than running large-scale ransomware cartels of their own, these groups have embedded themselves in the existing criminal ecosystem, acting as initial access brokers, collaborating with ransomware affiliates, and deploying pseudo-ransomware to mask destructive attacks as extortion campaigns.
A key example is Pay2Key, an Iran-linked ransomware operation that has resurfaced as a professionalized RaaS platform operating on the anonymous I2P network, actively recruiting affiliates from Russian cybercrime forums and offering an elevated profit share, bumping the affiliate cut from 70% to 80%, for attacks on U.S. and Israeli targets. The model creates a significant compliance risk for victim organizations: paying what appears to be a routine ransom demand could unknowingly funnel money to OFAC-sanctioned Iranian entities, exposing companies to severe legal and financial penalties.
The KELA Cyber Intelligence Center identified in its Monday post that one of the more concerning developments is the growing collaboration between Iranian state-linked actors and the broader ransomware ecosystem.
A joint advisory from the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Department of Defense Cyber Crime Center in August 2024 highlighted groups such as Pioneer Kitten, also known as UNC757 or Fox Kitten. Rather than deploying their own ransomware, these actors focus on exploiting vulnerabilities in internet-facing edge devices, including VPNs and firewalls, to gain initial access. Once inside, they collaborate directly with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, effectively handing off compromised networks in exchange for a share of ransom payments.
The model allows Iranian hackers to generate revenue from financially motivated cyber operations while enabling ransomware groups to gain streamlined access to high-value targets, including schools, healthcare organizations, and financial institutions in the U.S.
KELA finds that the evolution of Pay2Key highlights how Iran is increasingly leveraging ransomware as a geopolitical tool. Initially launched in 2020 by the state-aligned Fox Kitten group to target Israeli organizations, Pay2Key combined extortion with information warfare, using data leaks and public pressure to punish adversaries. Amid rising regional tensions, the group has reemerged with a broader and more aggressive focus, including high-impact attacks on U.S. targets such as healthcare organizations, aiming to maximize disruption and strategic pressure.
By 2025, Pay2Key had evolved into Pay2Key.I2P, a more professionalized RaaS (ransomware-as-a-service) platform hosted on the anonymous I2P network. Using advanced ransomware variants and actively recruiting affiliates, including from Russian cybercrime circles, the group reflects a shift toward scalable, state-aligned ransomware operations that blend political objectives with criminal business models.
The intelligence team disclosed that Iranian actors have repeatedly used ransomware-style encryption not for financial gain, but as a cover for destruction and political retribution. The Agrius APT group, for instance, repurposed the Apostle malware, originally a data wiper, into a ransomware variant, allowing them to disguise geopolitical sabotage as ordinary extortion. A similar pattern played out in July 2022, when an Iranian state-sponsored actor hit Albanian government networks with the ROADSWEEP ransomware alongside a destructive wiper, in what analysts concluded was a chaos-driven disruption campaign rather than a ransom-seeking operation.
Attribution is further muddied by a ‘moonlighting’ phenomenon, where Iranian operators use state-provided tools and access for personal financial gain on the side. In April 2024, the U.S. DOJ and Treasury Department took action against individuals linked to Mahak Rayan Afraz, a front company for the IRGC’s Cyber-Electronic Command, whose operatives were found to be running ransomware extortion schemes for private enrichment alongside their official state duties.
As geopolitical tensions escalate, the boundary between state-sponsored cyber warfare and opportunistic cybercrime has effectively collapsed. Such convergence creates serious legal exposure for victim organizations, since paying a ransom to what appears to be an independent group could unknowingly violate OFAC (Office of Foreign Assets Control) sanctions if that group has undisclosed ties to Iran.
The convergence of state and criminal cyber activity creates serious legal and operational risks for U.S. organizations, particularly around attribution. In ransomware incidents, identifying the true actor is no longer just a technical challenge but a compliance issue, as Iranian-linked groups and proxies are under sanctions by the U.S. Treasury’s OFAC. Paying a ransom to a group that appears independent but is tied to sanctioned entities could trigger significant legal and financial penalties. This complexity highlights the limits of traditional security alerts and the need for continuous monitoring of threat actor relationships.
Defending against hybrid threats requires recognizing that what appears to be routine ransomware may in fact be a state-linked operation, demanding both strong foundational resilience and proactive controls. Organizations should prioritize patching internet-facing edge devices, while also validating systems for signs of prior compromise, since patching alone does not remove an existing attacker. Strengthening authentication through phishing-resistant multi-factor methods, such as hardware security keys or passkeys, is essential to counter adversary-in-the-middle attacks and MFA fatigue tactics.
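The MFA fatigue tactic mentioned above (flooding a user with push prompts until one is approved) leaves a recognizable trail in authentication logs even before phishing-resistant MFA is rolled out. The following detector is an added example written for this article, not code from KELA or from any vendor; it assumes a hypothetical log format of `timestamp user event source_ip` with `push_denied` / `push_approved` events, and the sample lines are constructed for illustration. It flags a burst of denials inside a sliding window and, more importantly, an approval that arrives right after such a burst, which is the case a defender most wants paged on.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "ts user event src_ip" layout.
# They are illustrative only, not real telemetry from any product or report.
SAMPLE_LOG = """\
2024-08-10T02:14:05Z alice push_denied 203.0.113.7
2024-08-10T02:14:31Z alice push_denied 203.0.113.7
2024-08-10T02:15:02Z alice push_denied 203.0.113.7
2024-08-10T02:15:40Z alice push_denied 203.0.113.7
2024-08-10T02:16:09Z alice push_approved 203.0.113.7
2024-08-10T02:20:00Z bob push_approved 198.51.100.4
2024-08-10T09:00:00Z carol push_denied 198.51.100.9
2024-08-10T11:30:00Z carol push_denied 198.51.100.9
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src


def detect_mfa_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Scan log lines in order and return a list of alert tuples.

    ('fatigue_burst', user, n)           -> n denials within `window`
    ('approval_after_burst', user, src)  -> an approval while a burst is live,
                                            i.e. the attacker likely got in
    """
    denials = defaultdict(deque)   # per-user timestamps of recent denials
    burst_users = set()            # users already alerted for the current burst
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, src = parse_line(raw)
        recent = denials[user]

        if event == "push_denied":
            recent.append(ts)
            # Drop denials that have aged out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and user not in burst_users:
                burst_users.add(user)
                alerts.append(("fatigue_burst", user, len(recent)))

        elif event == "push_approved":
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append(("approval_after_burst", user, src))
            # An approval closes the episode for this user either way.
            recent.clear()
            burst_users.discard(user)

    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, alice trips the burst rule on her third denial and then approves a prompt from the same source while the burst is still within the window, producing two alerts; carol's two denials are hours apart and never count together. Tune `threshold` and `window` to the prompt cadence of your own MFA provider, and treat the approval-after-burst alert as a reason to revoke the session and validate the endpoint, not just to notify the user.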
At the network level, strict segmentation between IT and OT (operational technology) environments is critical to prevent attackers from moving laterally into sensitive systems, alongside hardening measures such as removing direct internet exposure, eliminating default credentials, and enforcing secure remote access.
Foundational resilience must include offline, regularly tested backups, centralized logging, and updated incident response plans, supported by participation in information-sharing communities. At the same time, proactive threat intelligence monitoring plays a key role in identifying adversary infrastructure and compromised credentials early, enabling organizations to respond before attacks escalate to data encryption or destruction.