Spies for Hire: How Tehran, Moscow, and Islamabad Turned Espionage Tactics

In early April 2026, Israel’s domestic intelligence agency Shin Bet arrested four active-duty IDF soldiers on suspicion of espionage for Iran. In another case, a 21-year-old Jerusalem resident was arrested for filming sensitive locations for an Iranian intelligence agency, met through social media. An engineer working on the Iron Dome air defence system, Raz Cohen, was accused of leaking classified information about the missile defence system. Two residents of a West Bank settlement were charged with surveilling the home of a military officer. And a group of suspects in southern Israel were found to have manufactured and tested explosive devices at the request of Iranian handlers. As Israel National News reported, the Shin Bet and Israel Police emphasised that this reflects a consistent and broadening Iranian pattern of recruiting young Israelis online through financial incentives.

All were paid in cryptocurrency. None of the recruits were trained intelligence operatives. This is what modern espionage looks like, and it should concern every nation with a smartphone-connected population and social fault lines to exploit. Israeli security officials have described this as a consistent Iranian modus operandi.

The Model: Volume Over Value

Iran has improvised the intelligence tactics for cultivating high-value insiders. The old model of espionage required years of cultivation. A handler would identify a senior official, build a relationship, and slowly turn them into an asset. Iran has abandoned that playbook entirely. What the IRGC and MOIS (Ministry of Intelligence) are running instead resembles a “gig economy” more than a spy ring. Tehran treats its recruits not as valuable assets but as disposable instruments, applying digital marketing logic: target thousands of young people on social media, and accept that only a fraction will respond. The cost of acquiring each human asset is low, while the potential damage is immense.

The recruitment follows a pattern known as the “Salami Technique.” A target receives a direct message on Telegram, WhatsApp, or Instagram. The first task is to photograph a street corner and report on local sentiment. Payment arrives instantly in USDT or other cryptocurrency, bypassing banking triggers that would alert domestic intelligence services. Once the recruit accepts that first payment, they are legally compromised. The tasks then escalate to filming a military convoy, documenting a missile impact zone, and mapping an officer’s daily commute. The handler, sitting safely in Tehran, deletes the conversation, moves to the next candidate after each assignment, and creates a new profile using a burner device. What Iran wants from these networks is not nuclear secrets. It is a real-time, ground-level Battle Damage Assessment: confirmation of where missiles hit, what was destroyed, and how the public reacted. A local asset with a smartphone provides what a satellite image later cannot: a live feed that bypasses the surveillance system and feeds directly into subsequent salvos. Tehran is effectively crowdsourcing its military reconnaissance.

A Coordinated Regional Activation

Israel is not the only target. In March 2026, Bahrain charged 14 people with spying for the IRGC. Bahraini prosecutors stated that the suspects had filmed vital installations and transmitted photographs and coordinates that were subsequently used in Iranian missile and drone strikes against the kingdom. Earlier that month, four Bahraini nationals had been arrested for using high-tech equipment and encrypted software to relay attacked prone data directly to Iran. The Jerusalem Post reported a further round of five arrests days later, with a sixth suspect identified as a fugitive abroad. The activation of human intelligence networks across Israel, Bahrain, and the wider Gulf suggests not isolated incidents, but a coordinated tactical doctrine.

The Russian Precedent

Iran did not invent this model. An investigation by OCCRP revealed that Russian military intelligence has used Telegram bots to recruit what European security services describe as “disposable agents”, young, financially motivated individuals tasked with photographing NATO bases, Ukrainian logistics chains, and conducting surveillance. NBC News reported that Britain’s Metropolitan Police Counter-Terrorism Command identified the use of criminal proxies on behalf of foreign states as a rapidly growing threat, with encrypted apps and cryptocurrency creating plausible deniability. Germany’s intelligence chief warned the Bundestag that Europe was living through a period in which social media recruitment of low-level saboteurs had become a serious security challenge.

The Homeland Security Today analysis explicitly linked Iran’s methods to this Russian blueprint, describing the convergence as “gig-economy terrorism”, the commodification of violence through small payments to economically vulnerable individuals. The strategic logic for both Moscow and Tehran is identical: plausible deniability, minimal cost, and forcing the target state to divert its security apparatus inward.

The Indian Mirror: An Identical Threat Is Already Here

India does not need to study this phenomenon from a distance. It is already experiencing it. In March 2026, Ghaziabad Police arrested members of an ISI-directed espionage module that had installed solar-powered CCTV cameras at the Delhi Cantonment railway station and at Sonipat railway station. The cameras streamed live footage directly to Pakistani handlers for 18 days before discovery. The recruits were young men from economically weak backgrounds paid per task via WhatsApp. The WhatsApp group used for coordination was deliberately named “Lawrence Bishnoi 007” to disguise state-sponsored espionage as gang activity. The ISI’s network planned to install over 50 such cameras across India.

In April 2026, the Delhi Police Special Cell busted an even larger ISI-Babbar Khalsa International module, arresting 11 individuals who had installed surveillance cameras at nine locations spanning Punjab, Haryana, Jammu and Kashmir, and Rajasthan, all positioned near Army cantonments, border roads, and troop movement corridors. The cameras transmitted real-time footage to Pakistan using SIM cards obtained through fake identities. The methodology across all these cases is structurally identical to what Iran is deploying in Israel and what Russia runs across Europe: social media recruitment of financially motivated amateurs, cryptocurrency payments, and disposable human assets providing real-time intelligence that technical collection cannot replicate.

India’s counter-intelligence agencies have demonstrated considerable capability. But each success also carries a warning: if one solar-powered camera operated undetected for months inside Delhi Cantonment, how many similar modules may be running elsewhere, undetected? The Observer Research Foundation has noted that India’s intelligence apparatus remains characterised by opacity and institutional stasis compared to the rapidly evolving global intelligence landscape. As adversaries adopt mass-recruitment, low-cost HUMINT models, India’s response must evolve correspondingly, not only in detection but also in deterrence through stricter sentencing, comprehensive digital literacy programmes for military personnel, and regulation of cryptocurrency channels exploited for espionage financing.

The lesson from Jerusalem, Manama, London, and now Delhi is the same: the high-tech war may be won at the border, but this alarming cyber trend has surrounded us like an invisible enemy at home and in the neighbourhood through social media and crypto wallets.

Author

Aditya Sachin is a journalist and is currently pursuing his MA at the Nelson Mandela Centre for Peace & Conflict Resolution at Jamia Millia Islamia, New Delhi.
