On 28 October 2025, researcher Nariman Gharib detailed leaked CSV files reportedly tied to Charming Kitten containing domain registrations, hosting activity, payment records, and operational email infrastructure spanning 2023 to 2024, along with references to Iranian telecom blocks and suspected IRGC-aligned procurement channels. The disclosure appears to map core service providers, cryptocurrency-based payments, and active operator accounts used to support phishing and infrastructure rotation.
Analysis: If authentic, these files provide actionable insight into Charming Kitten’s procurement and infrastructure lifecycle, including financial flows and service dependencies that could accelerate attribution, blocking, and proactive disruption. Public exposure of operators, service vendors, and domestic network blocks may pressure Tehran’s cyber units to retool, yet historical behavior suggests Iran will likely maintain tempo and diversify infrastructure rather than cease activity. This case underscores the importance of tracking adversary logistics and payment mechanisms as a means of degrading persistent state-aligned access operations.
The Security Brief 