Data Leak Outs Students of Iran’s MOIS Training Academy
Summary
An anonymous leak published a list of more than 1,000 people linked to Ravin Academy, a cybersecurity training school tied to Iran’s Ministry of Intelligence and Security (MOIS) and associated APT group APT34. The published data includes names, phone numbers, Telegram handles and national ID numbers; additional student records were reportedly obtained but not published. Ravin Academy — sanctioned by the US, UK and EU — runs high-profile events such as the Tech Olympics and has been accused of funneling talent into state cyber operations.
Key Points
- Over 1,000 individuals associated with Ravin Academy were listed in an open-web leak published on 22 October by British-Iranian activist Nariman Gharib.
- Leaked records include personally identifying details: names, phone numbers, Telegram usernames and national ID numbers.
- Ravin Academy is widely reported to be an MOIS-run programme used to recruit and train cyber talent for state APT operations such as APT34 (MuddyWater/OilRig).
- Many named individuals come from non-cybersecurity STEM backgrounds and a notable subset are academics tied to Western universities.
- The leak risks reputational damage, personal safety concerns for individuals unaware of the school’s state links, and exposes possible recruitment pipelines for Iran’s cyber capabilities.
Content Summary
On 22 October an activist published a list of people connected to Ravin Academy, a Tehran-based cybersecurity school founded by former MOIS employees that Western governments have sanctioned. Ravin presents itself as an independent training institution, but analysts and sanctions authorities say it provides direct cyber services and training for the MOIS, covering offensive and defensive disciplines.
Ravin runs a prominent event — the Tech Olympics — attracting thousands of participants and lending the school international visibility. The leak included contact details and identifiers for students; reporters noted many attendees are from broader STEM fields rather than established cybersecurity careers, suggesting deliberate talent harvesting. Some named individuals are academics at Western institutions and may not have understood the school’s state ties.
The academy has published proof-of-concept exploits and instructional material in the past that mirror techniques later used by state-linked threat actors. Ravin responded to the breach by blaming opponents and competitors for seeking to damage the event and the institution’s reputation.
Context and Relevance
This incident sits at the intersection of cyber espionage, state recruitment and hacktivism. It highlights how states use ostensibly civilian education and research fronts to build offensive cyber capacity while maintaining plausible deniability. Leaked personal data raises safety and legal concerns — particularly for students and overseas academics who may have enrolled unaware of MOIS involvement.
For security teams and threat intelligence analysts, the leak offers potential indicators for tracking personnel movement and identifying recruitment patterns tied to APT34. For universities and collaborators, it is a reminder to vet partnerships and researchers’ affiliations carefully.
Author’s note
This isn’t just another data dump. It peels back the curtain on how a sanctioned state actor masks recruitment under the guise of education — and it exposes people who might not have known they were part of that system. Read the details if you handle threat intel, academic partnerships or regional geopolitics.
Why should I read this?
Because it matters — for privacy, safety and intel. If you care about tracking state-linked cyber activity, protecting academics and students, or understanding recruitment pipelines, this story saves you time: we’ve boiled the leak down to what you actually need to know.
