Two Sentences on Telegram
Part 1 of 3. Iran ordered its cyber proxy to stand down, in public, on a feed anyone could read.
This is Part 1 of Architectures of Cyber Power, a series on the various ways a State builds and employs cyber power. Here is Part 2 and Part 3.
On or about April 9, 2026, the Iranian state-directed cyber group Handala posted to its Telegram channel. Two sentences.
The first: “According to the orders from the highest leadership of the Resistance Axis, we have currently postponed overt confrontation with the United States.”
The second: “Handala, at full force, continues its cyber operations against the infrastructure of the Zionist regime.”
Those messages are the cleanest piece of public evidence the open-source community has ever had of a state-directed cyber proxy receiving a chain-of-command order. It happened on Telegram, by the proxy, on a public channel. The usual evidence (leaked cables, court filings two years late) never arrives this early or this cleanly.
A conduit runs from political leadership to operational output. After all, conflict is just the continuation of politics by other means. In some architectures, the conduit is buried by design because the architecture’s entire value depends on deniability. The state pretends the conduit is not there. The proxy pretends it is autonomous. The conduit stays inside the wall.
For two sentences in early April, Handala exposed the conduit.
The doctrinal architecture became visible at the moment of termination.
The architecture exists to be invisible. Iran’s Ministry of Intelligence and Security does not advertise its relationship with Handala. The FBI alleges the relationship; DomainTools maps it through the Panjaki handler infrastructure; the analyst community infers it from technical overlap. None of that is the same as Handala saying we receive our orders from the government of Iran. Cyber attribution as a discipline has spent twenty years engineering precision around the phrase “we are 87% confident.” Handala just published a confession. The architecture leaks its own existence only when the state needs it to, or when the proxy needs it to. On April 9, both happened at once. The architecture told us about itself.
I argued in April that it was national security malpractice that CISA was running at 38% staffing during the campaign Handala has now publicly ended. That piece looked at the defender. The April 9 Telegram post drove me to look back at the attacker. Same campaign, two visible halves: a defender starved by design, an attacker switched off by command.
I spent years inside a fundamentally different architecture at US Cyber Command and the National Security Agency. The operator and the state were the same entity. I was the state when I sat at the keyboard. The legal framework that constrained me was the same legal framework that authorized me. Different architecture.
It is nearly impossible to understand an architecture from the outside unless the architecture lets you. Handala let us.
Trace the conduit through eleven weeks of war.
February 28, 2026. Operation Epic Fury launches. Iran’s missile, drone, and naval industrial base becomes the target set. Over the next thirty-eight days, US Central Command will conduct more than 1,450 strikes. CENTCOM commander Admiral Brad Cooper will later tell the Senate Armed Services Committee that 85% of Iran’s production capacity for those systems has allegedly been degraded. Whatever that means.
March 1. Iran goes dark. A 47-day internal internet shutdown. The conduit severs its own domestic visibility before US response options can be calibrated.
March 3, March 13, March 23. Three waves, ten days apart. Check Point Research documents an Iran-nexus password-spraying campaign against Microsoft 365 cloud environments. More than 300 Israeli organizations hit. Twenty-five in the UAE. Government, municipalities, transportation, energy, satellite, aviation, maritime. The technical fingerprint aligns with Gray Sandstorm, an IRGC-linked operator. The wave timing is precise. The target list geographically correlates with cities Iran was bombing in the same weeks. Check Point’s interpretation is that the password-spraying was running bombing damage assessment for the missile track. The conduit is providing battlefield support in real time.
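The campaign Check Point describes is a password spray, which is hard to catch with per-account lockout rules precisely because each account sees only a handful of attempts. The detector below is an added example, not code from the original post or from Check Point; it inverts the usual view and asks, per source address, how many distinct accounts failed inside a sliding window, and then lists which of those accounts the same source later signed into successfully. The record shape, the account names, the addresses and every timestamp are constructed for the example.

```python
"""Password-spray detection over sign-in records (added example, not from the post).

A spray differs from a brute force: one source touches MANY accounts with FEW
tries each. The per-account cap below is what separates the two patterns.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records: (timestamp, account, source_ip, result).
# 203.0.113.7 sprays six accounts once each and lands one of them;
# 198.51.100.9 brute-forces a single account; 192.0.2.50 is a normal user.
SAMPLE_SIGNINS = [
    ("2026-03-03T08:00:05Z", "alice@example.org", "203.0.113.7", "FAIL"),
    ("2026-03-03T08:02:41Z", "bob@example.org", "203.0.113.7", "FAIL"),
    ("2026-03-03T08:05:12Z", "carol@example.org", "203.0.113.7", "FAIL"),
    ("2026-03-03T08:09:33Z", "dan@example.org", "203.0.113.7", "FAIL"),
    ("2026-03-03T08:14:02Z", "erin@example.org", "203.0.113.7", "FAIL"),
    ("2026-03-03T08:19:48Z", "frank@example.org", "203.0.113.7", "FAIL"),
    ("2026-03-03T08:20:30Z", "frank@example.org", "203.0.113.7", "SUCCESS"),
] + [
    (f"2026-03-03T09:00:{s:02d}Z", "carol@example.org", "198.51.100.9", "FAIL")
    for s in range(0, 40, 5)  # eight failures against one account
] + [
    ("2026-03-03T10:15:00Z", "dave@example.org", "192.0.2.50", "FAIL"),
    ("2026-03-03T10:15:20Z", "dave@example.org", "192.0.2.50", "SUCCESS"),
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_password_spray(signins, window_minutes=60, min_accounts=5, max_per_account=3):
    """Return one alert per source IP whose failed sign-ins, within some window
    of `window_minutes`, hit at least `min_accounts` distinct accounts while no
    single account is tried more than `max_per_account` times. Each alert also
    names sprayed accounts that the same source later signed into successfully."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ts, account, source_ip, result in signins:
        if result == "FAIL":
            failures[source_ip].append((parse_ts(ts), account))
        elif result == "SUCCESS":
            successes[source_ip].add(account)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for source_ip, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the left edge forward until the window fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in events[start:end + 1])
            is_spray = (len(per_account) >= min_accounts
                        and max(per_account.values()) <= max_per_account)
            if is_spray and (best is None or len(per_account) > best["distinct_accounts"]):
                best = {
                    "source_ip": source_ip,
                    "distinct_accounts": len(per_account),
                    "accounts": sorted(per_account),
                    "window_start": events[start][0].isoformat(),
                    "window_end": events[end][0].isoformat(),
                }
        if best:
            best["successful_accounts"] = sorted(set(best["accounts"]) & successes[source_ip])
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

The thresholds are deliberately parameters: a tenant with shared kiosks or a NAT in front of a large office will need a higher `min_accounts` than a small organization, and the `successful_accounts` field is the part a responder reads first, since it turns a noisy alert into a short list of accounts to reset and sessions to revoke.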
March 11. Handala compromises a Microsoft Intune admin account inside Stryker, the Fortune 500 medical-device company. Between five and eight in the morning UTC, the operator pushes wipe commands through Intune’s native OS-reset function. No malware deployed or payload dropped. Microsoft’s own enterprise mobility platform weaponized at scale. BleepingComputer’s reconstruction logs around 80,000 devices wiped. Handala claims more than 200,000 across 79 countries. Stryker’s April 30 Form 8-K puts the damage in the numbers. Q1 revenue lands $317 million below analyst consensus. Adjusted earnings per share falls 8.5 percent year over year. Check Point, CrowdStrike, Microsoft, and Palo Alto Networks attribute the operation to Void Manticore, an Iranian destructive-operations unit. A state-directed proxy used legitimate management tooling to wipe a US Fortune 500’s global fleet, in 79 countries, in three hours. The Western architecture, attempting the same operation, would still be in legal review.
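Because no malware was dropped, there is nothing to hunt for on the endpoints; what the operation leaves behind is an administrative audit trail whose rate is abnormal. The following is an added example, not code from the post, from Stryker, or from Microsoft: a burst detector over MDM audit records that flags any actor issuing destructive device actions faster than a configurable threshold and reports the blast radius so far. The action names, the record layout, the actor names and the timestamps are all constructed for the example and do not reproduce Intune's real audit schema.

```python
"""Mass device-wipe burst detection over MDM audit records (added example, not from the post).

Legitimate admins retire or reset devices a few at a time; a compromised admin
account driving a fleet-wide wipe produces dozens of destructive actions per
minute from one identity. Rate, not payload, is the signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed vocabulary of destructive actions (hypothetical names, not Intune's).
DESTRUCTIVE_ACTIONS = {"WipeDevice", "ResetDevice", "RetireDevice"}

_BASE = datetime(2026, 3, 11, 5, 0, 0, tzinfo=timezone.utc)


def _ts(seconds):
    """Constructed timestamp `seconds` after the sample's base time."""
    return (_BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample audit records: (timestamp, actor, action, device_id).
# One compromised admin fires 40 wipes in under 8 minutes; a second admin
# retires three devices over the morning; a helpdesk user runs routine syncs.
SAMPLE_AUDIT = (
    [(_ts(12 * i), "mdm-admin@example.org", "WipeDevice", f"dev-{i:05d}") for i in range(40)]
    + [(_ts(3600 * h), "ops-admin@example.org", "RetireDevice", f"old-{h}") for h in (1, 2, 3)]
    + [(_ts(600 * i), "helpdesk@example.org", "SyncDevice", f"dev-{i:05d}") for i in range(5)]
)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mass_wipe(audit, burst_threshold=20, window_minutes=10):
    """Return one alert per actor whose destructive actions reach
    `burst_threshold` inside any `window_minutes` window. The alert records
    when the threshold was first crossed and how many distinct devices the
    actor has hit in total (the blast radius as of the end of the log)."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ts, actor, action, device in audit:
        if action in DESTRUCTIVE_ACTIONS:
            by_actor[actor].append((parse_ts(ts), device))

    alerts = []
    for actor, events in by_actor.items():
        events.sort()
        start = 0
        first_cross = None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                first_cross = events[end][0]
                break  # the first crossing is the moment to page someone
        if first_cross is not None:
            alerts.append({
                "actor": actor,
                "first_crossed_at": first_cross.isoformat(),
                "devices_affected": len({device for _, device in events}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_AUDIT):
        print(alert)
```

In the constructed sample the threshold is crossed less than four minutes into the burst, while the remaining wipes are still queued; that gap is the window in which revoking the admin's sessions and tokens limits the damage, which is why the detector breaks at the first crossing rather than waiting to size the whole event. The structural fix sits upstream of detection: the account that can issue these actions should require phishing-resistant authentication and a separate approval step for bulk operations, so that a single credential is never enough to reach the fleet.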
April 1, 8 PM Tehran time. Iran’s IRGC publishes an eighteen-company target list in Tasnim, the regime’s own news outlet. US and Gulf tech companies, named, with a public countdown. A state organ broadcasts its targeting menu before the operations run. The Western architecture, in the equivalent scenario, would have classified the menu, the press release, the existence of the menu, and the post-it note with the planning staff’s pizza order stuck to the inside cover of the plan’s folder.
April 7. CISA issues joint cybersecurity advisory AA26-097A with the FBI, NSA, DOE, EPA, and US Cyber Command. The advisory names Iranian state-directed and pro-Iran hacktivist targeting of US water, energy, and oil-and-gas operational technology. Censys, scanning independently, documents 5,219 exposed Rockwell Allen-Bradley PLCs matching the CVE profile the advisory describes. The attack surface is sitting there.
April 8. A ceasefire is brokered. Trump announces. Tehran broadcasts. Hours later, pro-Iran hacktivists (313 Team, DieNet) hit Saudi, UAE, and Bahrain targets. Amazon’s Saudi Arabia operations go offline for four hours. The conduit has received an instruction to stop the US confrontation, and has used the same instant to retask, not reduce. The architecture redirects.
April 9. Handala posts the postponement.
April 27 and 28. CyberAv3ngers and IRGC-linked outlets publish names, photos, and unit affiliations of 2,379 US Marines stationed in Bahrain. Handala Hack Team opens WhatsApp threads directly to US service members on Naval Support Activity Bahrain. The Pentagon opens an investigation.
May 14. Cooper testifies that forty years of Iranian missile, drone, and naval industrial investment have been rolled back in thirty-eight days. Iran’s remaining kinetic capability, in his word, is “nuisance.” Iran’s cyber voice, he tells the committee, is “very loud.” But the kinetic capability to disrupt Hormuz commerce is “dramatically depleted.”
Cooper does not give a number for cyber capability degraded.
There isn’t one.
You can bomb a missile factory. You cannot bomb a TTP.
The proxy model has four properties. It is state-directed, publicly-fronted, criminally-fungible, and politically-discretionary.
State-directed. MOIS tasks; Panjaki handles; Handala operates. The legal accountability runs back to Tehran, but Tehran can deny the legal accountability all the way to a courtroom.
Publicly-fronted. Handala is the face. So is CyberAv3ngers. So is Pay2Key. So is Homeland Justice, Karma, and the dozen other masks the same underlying infrastructure has worn. The public face changes; the conduit underneath does not.
Criminally-fungible. Pay2Key runs as a ransomware-as-a-service operation with an eighty-percent affiliate profit share. The proxy’s day job is crime; its night job is geopolitics. I wrote in February that AI had turned offensive cyber into an assembly line for one operator. The proxy architecture is the same trick at the state level. The criminal ecosystem is the assembly line, and the state is the foreman who can change the order list overnight.
Politically-discretionary. April 9. The leadership ordered the proxy to postpone confrontation with the United States. The proxy postponed confrontation with the United States. The leadership did not order the proxy to postpone confrontation with Israel. The proxy did not postpone confrontation with Israel. The conduit is taut against one target and slack against the other. The political instruction is being followed. The architecture is doing exactly what its designers wanted it to do.
A conduit like Iran’s buys you four things at once: speed, deniability, an off-switch you can demonstrate in public, and the ability to retask under political pressure. The Western architecture trades all four away. The Western architecture has lawyers.
The conduit was always there. April 9, for two sentences, Iran’s was exposed.
Iran is not the only state running this architecture. Russia runs the same architecture with criminal-ransomware ecosystems as the cover layer. China runs something that may be the same architecture and may be a stiffer construction with less proxy autonomy. North Korea runs the contrast: no conduit, no proxy, just direct state operation without legal frameworks.
There are five ways to build cyber power. Three have conduits. Two don’t.
Next week in part two, I’ll take a deeper look at the other members of the cyber power playing field.
Part 1 of three. The last two months gave us more open-source evidence of how state cyber power gets built than the last two decades combined. Iran went first, on Telegram, in early April. The others come next.
If you enjoy A Discipline of Seeing, it would mean the world to me if you shared it with others. Please use the button below to send my Substack to someone who might find my work interesting. Thanks!
— Brandon