Iranian Cyber Attackers Breach Global Airlines for Data Theft

A massive leak of internal documents has exposed Amnban, an Iranian cybersecurity firm with ties to the country’s Ministry of Intelligence and Security (MOIS), as a front for state-sponsored cyber operations targeting global airlines and logistics companies.

Far from being legitimate consultants, Amnban’s operatives have been unmasked as key actors within APT39 (also known as Chafer), a notorious cyber-espionage group sanctioned by the FBI for attacks against U.S. critical infrastructure.

Investigation Exposes Amnban

Founded in 2018 by Sharif University graduates and other top Iranian technologists, Amnban positioned itself as a champion of Iran’s digital defense sector.

Yet a trove of gigabytes of data siphoned from its headquarters reveals orchestrated attacks against dozens of international airlines, including Royal Jordanian, Turkish Airlines, Etihad, Emirates, Wizz Air, Air Arabia, Rwanda Air, and more, as well as major U.S. freight and logistics providers such as FedEx, USPS, and DHL.

Analysis of the leaked documents and hours of attack footage makes clear that these were not internal audits or authorized security tests.

Instead, the firm systematically mapped vulnerabilities, exfiltrated sensitive passenger data, and produced detailed operational blueprints that mirror intelligence-gathering runs rather than compliance-driven risk assessments.

Data Theft

[Image: passengers’ personal data]

The project structure within Amnban’s servers leaves no doubt about the intent. Folders labeled “Projects” and “R&D” catalog attack campaigns against airline targets across the Middle East, Africa, and Europe, including nations both aligned and adversarial to Tehran.

Each recon dossier is thorough: passenger manifests, passport numbers, flight itineraries, home addresses, and contact info, all data points essential for intelligence profiling, dissident tracking, or identity theft on an industrial scale.

State-Sponsored Espionage

The involvement of known APT39 personnel further underlines the espionage objective. Among the firm’s leadership is Behnam Amiri, already red-flagged by Western intelligence, who hired the infamous hacker Ali Kamali, sanctioned by the U.S. Treasury for infrastructure attacks.

The leaked server logs also tie MOIS operative Hamed Mashayekhi to regular Amnban office visits, confirming government direction at the highest level.

Beyond airlines, Amnban’s reach extends into cryptocurrency exchanges, where its “social engineering.docs” file details phishing and attempted insider recruitment at firms like KuCoin, CoinSwitch, Binance, and others.

Their methodology merges psychological manipulation with technical exploits: phishing links disguised as support tickets, fake LinkedIn profiles to entice unwitting employees, and overt offers to bribe insiders if initial access fails.

They also maintain a globe-spanning infrastructure of virtual private servers and provisioned email domains designed to launch attacks while obfuscating attribution.

Notably, the breach exposes the personal risk to international travelers and businesses alike; private details of millions of airline passengers have been siphoned into the hands of Tehran’s intelligence services, providing an invaluable resource for future cyber and physical operations.

According to the report, the revelations also raise urgent questions about border and immigration controls after it was found that Arshia Akhavan, a longtime Amnban employee, recently immigrated to the United States despite his employment coinciding with sanctions on APT39.

This unprecedented breach into the operational heart of Amnban paints a chilling portrait: far from protecting information security, the firm served as a digital mercenary force, abusing its position to feed Iran’s campaigns of surveillance, cyber-sabotage, and global human rights violations.

The sophistication and scale of these state-sponsored operations underscore the need for international vigilance among airlines, critical infrastructure providers, and digital asset firms facing the new reality of persistent, government-backed cyber threats.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
