Experts: Iran's 'project charming kitten' spy plot exposed

It's a case with all the hallmarks of a Cold War thriller.

Glamorous blonde sisters Samaneh and Soroor Ghandali were indicted in February on charges of stealing highly sensitive trade secrets from Google and other big tech companies.

But rather than working for Russia or China – both known for their formidable intelligence-gathering abilities – the pair have been linked to the Iranian regime.

Experts warn the revelation could be just a glimpse of something far more alarming: a sprawling Iranian espionage machine operating inside the United States that could help Tehran prosecute the war that's raging in the Middle East.

At the center of that digital battlefield is Charming Kitten, a shadowy hacking unit linked to the Islamic Revolutionary Guard Corps.

For more than a decade, the group has targeted US officials, journalists, academics and defense insiders with highly tailored phishing attacks.

Rather than sophisticated hacking techniques, operatives rely on deception – posing as colleagues, researchers or trusted contacts to trick victims into handing over passwords and sensitive information.

The shadowy group has tried to interfere in the 2020 and 2024 US presidential elections and even made off with scripts from HBO show Game of Thrones.

In some cases, they go further still, creating elaborate online personas – including fake profiles featuring attractive women – to build trust before striking. 

Soroor Ghandali, 32, is accused along with her sister and brother-in-law of stealing tech secrets from Silicon Valley companies.

Samaneh Ghandali, 41, is also accused of stealing tech secrets from Google and other big tech firms.

Inside Iran’s Covert Intelligence Operations 

Among the profiles used by Iranian operatives were Shir Benzion, a model, human rights activist Elina Noomen, and London-based photographer Mia Ash.

There is no connection between the Ghandali sisters and Charming Kitten, which this month launched a spear-phishing campaign on US think-tank researchers.

But experts told the Daily Mail that both highlight the multi-pronged strategy of Iran's intelligence agencies.

The Ghandali sisters were indicted in California on charges including trade secret theft and obstruction of justice along with Samaneh's husband, Mohammad Khosravi.

Prosecutors allege the trio embedded themselves inside Google and other major tech firms, using trusted positions to siphon off sensitive data tied to processor security, cryptography and other cutting-edge technologies – and funnel it back to Iran.

If proven, it would mark a stunning breach at the very core of America's innovation economy. Yet what has most rattled investigators is not just what was allegedly taken – but how.

Rather than using sophisticated tech, the defendants are accused of photographing computer screens by hand – an old-school, low-tech workaround designed to evade sophisticated cybersecurity systems.

A former Trump administration Iran expert told the Daily Mail that Iran's intelligence operations in the US have long flown under the radar because Moscow and Beijing were seen as more pressing threats. 

'After China and Russia, Iran is the third most sophisticated adversary we have,' said the former official, speaking on condition that his name was not used.

'And everyone pretended for nearly a decade that Iranian operations didn't exist.' 

Niloufar 'Nelly' Bahadorifar was sentenced in 2023 to four years in prison after helping funnel money that supported surveillance operations targeting an Iranian-American activist.

The model Shir Benzion is among the phony avatars used to trick American officials into clicking on a malware link.

Insider Threats and National Security Risks 

He pointed to a recent drone strike on a CIA-linked site at the US Embassy in Saudi Arabia, suggesting the precision could reflect either Iran's own intelligence capabilities or support from allies such as Russia.

Tehran excels in insider recruitment, procurement networks and online intelligence gathering – capabilities that can translate directly into battlefield advantage, he said.

The three accused in California have pleaded not guilty to charges of theft of trade secrets and obstruction of justice that could put them behind bars for decades.

Former FBI counterintelligence operative Eric O'Neill described the Ghandalis' alleged technology heist as a 'slow, deliberate extraction' carried out by 'trained or directed actors.'

'The most damaging breaches often originate from within,' said the author of Spies, Lies, and Cybercrime.

'The threat is not just foreign adversaries attempting to break in, but trusted individuals already inside the system choosing to betray that trust.'

The Ghandali trio's alleged ties to Iran's clerical elite only deepen the intrigue.

Samaneh Ghandali, 41, is a naturalized US citizen; Khosravi, 40, is a green card holder; and Soroor, 32, is in the US on a student visa.

Ariane Tabatabai has enjoyed a stellar career in America's national security establishment despite her alleged ties to officials in Tehran.

Alleged Links to Tehran and Family Connections 

The women's father, Shahabeddin Ghandali, is described as a regime insider while Khosravi is reported to have a background in the Iranian military, suggesting the defendants were taking orders from Tehran. 

High-profile Iran spy cases have been rare in the US. 

But in one of the most notorious cases, Monica Witt, a Texas-born former US Air Force counterintelligence agent, defected to Iran in 2013 after converting to Islam.

She is accused of handing over sensitive information and helping Iranian operatives target American intelligence personnel, allegedly enabling phishing and malware attacks. She remains a fugitive.

Elsewhere, Niloufar Bahadorifar was sentenced in 2023 to four years in prison after helping funnel money that supported surveillance operations targeting Iranian-American activist Masih Alinejad.

And in Washington, Pentagon analyst Ariane Tabatabai has faced scrutiny over alleged links to Tehran, with calls from senior Republicans to revoke her security clearance – though officials insist she has been properly vetted.

Former CIA officer and FBI agent Tracy Walder said Iran's activities are part of a long-running strategy.

For decades, she noted, Tehran – like China and Russia – has systematically targeted trade secrets and sensitive technologies to cut research costs and accelerate development.

Silicon Valley insider Samaneh Ghandali seen here delivering a presentation on cybersecurity.

The Dual Role of Iran’s Intelligence Operations 

Its operatives are typically highly educated specialists tasked with everything from cyber intrusion to surveillance. But not all of their efforts are aimed at military gain.

'Most of them… it's about crushing Iranian dissidents that are here,' Walder said, pointing to a quieter but critical mission: monitoring and intimidating critics of the regime living in the US.

That dual focus – external competition and internal control – makes Iran's intelligence apparatus uniquely complex.

And as tensions between Washington and Tehran continue to escalate, that hidden war for information may prove just as decisive as anything unfolding on the battlefield.

Because in the modern era of espionage, the most powerful weapon is not always a missile. Sometimes it is access.