Full Report
Citizen Lab has uncovered a coordinated AI-enabled influence operation against the Iranian government, probably conducted by Israel.

Key Findings

- A coordinated network of more than 50 inauthentic X profiles is conducting an AI-enabled influence operation. The network, which we refer to as “PRISONBREAK,” is spreading narratives inciting Iranian audiences to revolt against the Islamic Republic of Iran.
- While the network was created in 2023, almost all of its activity was conducted starting in January 2025, and continues to the present day.
- The profiles’ activity appears to have been synchronized, at least in part, with the military campaign that the Israel Defense Forces conducted against Iranian targets in June 2025. ...

Analysis Summary
# Threat Actor: PRISONBREAK
## Attribution & Identity
The network is referred to as "PRISONBREAK."
**Attribution Hypothesis:** The hypothesis most consistent with the available evidence is that the operator is an unidentified agency of the **Israeli government**, or a sub-contractor working under its close supervision.
**Associated Accounts:** Citizen Lab assesses that the X account *@TelAviv_Tehran* may be coordinated with the PRISONBREAK group.
## Activity Summary
PRISONBREAK is a coordinated network of more than 50 inauthentic X profiles conducting an AI-enabled influence operation.
* **Objective:** Spreading narratives inciting Iranian audiences to revolt against the Islamic Republic of Iran, with one report suggesting posts pushing to reinstate the Shah monarchy.
* **Timeline:** The network was created in 2023, but nearly all observable activity commenced in January 2025 and continues up to the article's publication date (October 2025).
* **Synchronization:** The profiles’ activity appears to have been synchronized, at least in part, with the military campaign conducted by the Israel Defense Forces (IDF) against Iranian targets in June 2025.
* **Reach:** Limited organic engagement, but some posts achieved tens of thousands of views, likely through seeding to large public communities on X and potentially paid promotion.
## Tactics, Techniques & Procedures
- **Influence Operation:** Conducting a coordinated influence campaign through inauthentic X profiles.
- **AI-Enabled Content:** Utilizing Artificial Intelligence (AI) to generate content for the operation.
- **Account Network:** Operation involves a network of over 50 inauthentic X profiles.
- **Content Seeding:** Seeding posts to large public communities on X.
- **Promotion:** Possibly paying for the promotion of posts.
- **Visual Sophistication:** Posts are described as "visually stunning."
- **Coordinated Inauthentic Behavior (CIB):** Classic CIB employing generative AI technologies.
## Targeting
- **Sectors:** Political influence targeting a state regime.
- **Geography:** **Iran** (Iranian audiences).
- **Victims:** The Islamic Republic of Iran (target of the influence narratives).
## Tools & Infrastructure
- **Malware Families used:** None explicitly mentioned, but relies on AI tools for content generation.
- **Infrastructure (C2, domains, IPs):**
  - Platform: X (formerly Twitter).
  - Potential Instagram presence associated with @TelAviv_Tehran.
  - The source text gives no specific IP addresses or domains, only the platform handles.
## Implications
This operation demonstrates the increasing use of advanced AI capabilities by state actors (or proxies) to conduct sophisticated, targeted influence operations designed to incite regime change or civil unrest abroad, synchronizing digital information warfare with kinetic military actions.
## Mitigations
- Systematic review of alternative explanations when assessing influence operations (as done by Citizen Lab).
- Monitoring for coordinated inauthentic behavior, especially networks utilizing modern tools like generative AI.
- Implementing robust detection methods for misleading AI-generated visual content (deepfakes/AI-generated media).
- Monitoring public X communities for seeded adversarial content.