Full Report
We investigate a coordinated network of inauthentic X accounts that is spreading AI-generated content to induce revolt in Iran. The network has been active since 2023, but increased activity during the Iran-Israel conflict in June 2025.
Analysis Summary
# Threat Actor: PRISONBREAK (AI-Enabled Influence Operation)
## Attribution & Identity
The operation, referred to as "PRISONBREAK," is attributed with high consistency to an **unidentified agency of the Israeli government, or a sub-contractor working under its close supervision**. No specific threat actor group name or persistent alias beyond the operation's codename is provided, though it is presented as an effort by "the other side" in the "geopolitical and ideological competition between the Islamic Republic of Iran and its international and regional adversaries."
## Activity Summary
PRISONBREAK is a coordinated network of **more than 50 inauthentic X profiles** conducting an **AI-enabled influence operation (IO)**.
* **Goal:** Spreading narratives designed to incite Iranian audiences to revolt against the Islamic Republic of Iran.
* **Timeline:** The network was created in 2023, but most activity began in **January 2025 and continues to the present day**.
* **Synchronization:** Activity appears to have been synchronized, at least in part, with the **military campaign conducted by the Israel Defense Forces (IDF) against Iranian targets in June 2025**.
* **Reach:** While organic engagement seemed limited, some posts achieved tens of thousands of views, suggesting the operation *seeded* content to large public communities on X and possibly *paid for promotion*.
## Tactics, Techniques & Procedures
* **AI-Enabled Content Creation:** The operation relies on Artificial Intelligence to generate content for its influence efforts.
* **Inauthentic Network Operations:** Running a coordinated network of over 50 inauthentic X profiles.
* **Narrative Warfare:** Spreading narratives aimed at encouraging regime overthrow.
* **Amplification:** Utilizing seeding in large public communities on X and potential paid promotion to artificially inflate content visibility.
* *Note: The article describes this as "inauthentic use of X engagement features to artificially impact traffic or disrupt people’s experience."*
## Targeting
* **Sectors:** Not explicitly detailed, but the objective is regime change, suggesting broad societal impact.
* **Geography:** **Iranian audiences** (domestic and possibly diaspora).
* **Victims:** The **Islamic Republic of Iran** and its governing structures.
## Tools & Infrastructure
* **Malware Families Used:** None mentioned (this is an influence operation, not a malware-focused intrusion).
* **Infrastructure:** A coordinated network of **more than 50 inauthentic X profiles**.
* *Note: An associated Instagram account, @Telaviv_Tehran, suggests a multi-platform presence, though its direct relationship to the 50+ X profiles is not specified.*
## Implications
PRISONBREAK represents a known escalation in the information warfare between Israel and Iran, utilizing advanced AI capabilities to conduct transparently subversive influence operations aimed at domestic unrest within Iran. The operation’s apparent synchronization with kinetic military actions suggests a strategy of coordinated informational and military pressure. The actors' efforts to boost engagement imply a strategic concern with achieving audience saturation despite potentially limited organic interest.
## Mitigations
* **Content Vetting:** Users should systematically check links and URLs to ensure they are receiving news only from trusted sources (as advised by the BBC in relation to media manipulation).
* **Platform Monitoring:** Social media platforms must aggressively detect and remove large-scale, inauthentic coordinated networks utilizing AI-generated personas for political influence.
* **Suspicion of High Reach/Low Organic Engagement:** Organizations and users should treat content enjoying artificially inflated engagement metrics with high suspicion.
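
The two signals this summary describes (accounts created long before they become active, and posts with large view counts but little organic engagement) can be combined into a simple triage heuristic. The following is an added example, not code or data from the report; the record layout, handles, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows (not data from the report), one per post:
# handle, account created, post date, views, likes, reposts, replies
POSTS = [
    ("acct_a", date(2023, 3, 1), date(2025, 1, 12), 42000, 35, 9, 4),
    ("acct_a", date(2023, 3, 1), date(2025, 6, 14), 61000, 50, 12, 6),
    ("acct_b", date(2023, 3, 2), date(2025, 1, 15), 38000, 20, 5, 2),
    ("acct_c", date(2019, 7, 9), date(2019, 7, 20), 55000, 2100, 640, 310),
    ("acct_d", date(2024, 11, 1), date(2024, 11, 3), 300, 4, 0, 1),
]
# Assumed thresholds for illustration; tune against a platform baseline.
MIN_VIEWS = 10_000        # "tens of thousands of views"
MAX_ENGAGEMENT = 0.005    # interactions per view
MIN_DORMANT_DAYS = 365    # gap between creation and first observed post


def engagement_rate(views, likes, reposts, replies):
    """Interactions per view; 0.0 when no views are recorded."""
    return (likes + reposts + replies) / views if views else 0.0


def score_accounts(posts):
    """Return {handle: sorted signal names} for accounts with any signal."""
    by_acct = defaultdict(list)
    for row in posts:
        by_acct[row[0]].append(row)
    findings = {}
    for handle, rows in by_acct.items():
        signals = set()
        first_post = min(r[2] for r in rows)
        if (first_post - rows[0][1]).days >= MIN_DORMANT_DAYS:
            signals.add("dormant_then_active")
        for _, _, _, views, *interactions in rows:
            rate = engagement_rate(views, *interactions)
            if views >= MIN_VIEWS and rate <= MAX_ENGAGEMENT:
                signals.add("high_reach_low_engagement")
        if signals:
            findings[handle] = sorted(signals)
    return findings


def review_queue(posts):
    """Handles showing both signals together, for analyst review."""
    return sorted(h for h, s in score_accounts(posts).items() if len(s) == 2)


if __name__ == "__main__":
    print(review_queue(POSTS))
```

Either signal alone is weak (old accounts go quiet, and promoted posts are legitimate), so the queue only surfaces accounts where both coincide, and it is a prompt for analyst review rather than a verdict.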