Overview
Episode 2 begins the systematic exposure of Department 40 personnel identities, starting with members of the Karaj team. This documentation reveals the individuals responsible for conducting cyberattacks on behalf of the IRGC-IO Counterintelligence Division.Vahid Molawi
Identity Information
Full Name: Vahid Molawi National ID Number:0323217087
Team: Karaj team
Role: Attacker/Operator
Evidence
Vahid Molawi’s identity was exposed through:- Hours Report: Work hour tracking documents show his involvement in Department 40 operations
- Daily Reports: Referenced in operational documentation from Episode 1
- Team Assignment: Confirmed member of the Karaj team
“As we mentioned, we will begin exposing the identities of the unit’s employees – one of the attackers from Karaj team we published in Episode 1 is called Vahid Molawi (see the hours report) – his national ID number is 0323217087.”
Karaj Team
The Karaj team is one of several operational teams within Department 40.Team Structure
Based on the available evidence:- Multiple operators working in coordinated fashion
- Daily work reporting requirements
- Hours tracking and accountability
- Participation in multi-country attack campaigns
Team Operations
The Karaj team was involved in:- ProxyShell exploitation campaigns
- Webshell deployment operations
- Target reconnaissance
- Attack infrastructure management
Other Operational Teams
MJD Team
Evidence: Extensive daily work reports Documentation Period: September-October 2024 (Persian calendar Mehr 1403) Report Files:- Daily reports from 1403-06-25 through 1403-07-23
- Monthly summary report
- Entry/exit tracking forms
- Systematic daily operations
- Performance tracking
- Coordinated attack campaigns
- Regular reporting to management
HSN2 Team
Evidence: Daily work reports Documentation Period: August-September 2024 (Persian calendar Shahrivar-Mehr 1403) Report Files:- Daily reports from 1403-05-27 through 1403-06-03
- Parallel operations to MJD team
- Similar reporting structure
- Coordinated targeting
Management Structure
Abbas Rahrovi (Abbas Hosseini)
National ID:4270844116
Role: Head of Department 40
Also Known As: Abbas Hosseini
Responsibilities:
- Overall management of Department 40
- Direction of attack campaigns
- Establishment of front companies
- Coordination with IRGC-IO Counterintelligence Division (Unit 1500)
- IRGC official
- Established several front companies for APT operations
- Directed attacks against dozens of targets including telecommunications, aviation, and intelligence organizations
Work Reporting System
Daily Reports
All teams maintain detailed daily work reports including:- Date and team identifier
- Tasks completed
- Hours worked
- Attack progress
- Technical issues encountered
- Next steps planned
Monthly Performance Reviews
Evidence shows monthly performance reports:- Monthly summary of operations (e.g., “گزارش کار مهر- MJD.pdf”)
- Performance metrics
- Goal achievement tracking
- Resource utilization
Hour Tracking
Staff members track their hours through:- Daily hour reports
- Entry/exit forms (“entry_exit_form.pdf”)
- Time accountability systems
- Work period documentation
Operational Security Failures
The personnel exposure reveals multiple OPSEC failures:Identity Protection Failures
- Real Names in Documents: Use of actual names in internal documentation
- National ID Numbers: Inclusion of government identification numbers
- Work Reports: Detailed tracking creating identity trails
- Team Assignments: Clear organizational structure documentation
Digital Footprints
- Command History: Personal command line history preserved (
zsh_history.txt) - Server Logs: Activity logs linking individuals to operations
- Report Metadata: Document metadata revealing user information
- Infrastructure Access: Access logs to shared resources
Infrastructure Compromises
- Internal Networks: Penetration of Department 40 internal networks
- Chat Systems: Access to Isabelle, 3CX, and Output Messenger communications
- File Servers: Compromise of shared document repositories
- Attack Logs: Preservation of operation logs and reports
Front Companies
As mentioned in Episode 1, Abbas Rahrovi established several front companies:Known Front Companies
- Multiple companies established to provide cover for APT operations
- Companies used to hire personnel
- Infrastructure procurement through commercial entities
- Financial transactions obscured through business channels
Personnel Categories
Based on the evidence, Department 40 personnel fall into several categories:Technical Operators
- Exploit developers
- Webshell deployers
- Infrastructure maintainers
- Malware operators
Analysts
- Target researchers
- Vulnerability analysts
- Intelligence analysts
- Report writers
Management
- Team leaders
- Project coordinators
- Department heads
- IRGC liaisons
Support Staff
- IT administrators
- System maintainers
- Documentation specialists
- Security personnel
Attribution Evidence
The personnel exposure is backed by multiple evidence types:Primary Evidence
- Work Reports: Daily and monthly reports with names
- Hour Tracking: Time sheets and attendance records
- National IDs: Iranian national identification numbers
- Team Assignments: Organizational charts and team structures
Supporting Evidence
- Chat Logs: Internal communications from Isabelle, 3CX, Output Messenger
- Email Archives: Internal email communications
- Server Logs: Access logs showing usernames and activities
- Document Metadata: Author information in files
Corroborating Evidence
- Attack Reports: Operation documentation with personnel references
- Photos: Employee photographs from Episode 1
- Official Documents: Internal IRGC-IO documentation
- Translation Documents: Translated reports with attribution
Impact on Operations
The personnel exposure has significant implications:Individual Impact
- Public identification as IRGC agents
- International recognition
- Potential legal consequences
- Operational limitations
Organizational Impact
- Compromised operational security
- Exposed organizational structure
- Damaged recruitment capabilities
- Reduced effectiveness
Strategic Impact
- International awareness of IRGC-IO methods
- Attribution of attacks to specific individuals
- Pressure on Iranian intelligence operations
- Deterrent effect on future operations
Ongoing Exposures
As stated in the original announcement:“Every few days, we will release more evidence about their activities, along with additional information about their personal lives.”This suggests:
- Continued personnel revelations in future episodes
- Additional personal information to be released
- More detailed operational documentation
- Further exposure of Department 40 structure
Conclusion
The exposure of Vahid Molawi and the Karaj team represents the beginning of systematic personnel attribution for Department 40 operations. These individuals, who believed they were operating under the protective cover of the IRGC, are now recognized worldwide as agents of the IRGC-IO Counterintelligence Division. As stated in Episode 1:“These individuals believed they were operating under the protective cover of the IRGC — today, they will be recognized worldwide as agents of the IRGC.”The evidence demonstrates that Department 40 personnel maintained detailed records of their activities, creating an extensive trail that now enables attribution of specific attacks to identified individuals.