US offers $10 million reward for information on two suspected IRGC-linked cyber operatives

The State Department has announced a reward of up to $10 million for information leading to the identification or location of two individuals accused of helping direct cyber operations for an Iranian military-linked hacking unit. The action focuses on Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi, who officials say have played key roles in planning and conducting cyberattacks tied to Iran’s strategic interests.

The two are alleged to work with Shahid Shushtari, a cyber unit operating under Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command. The State Department described the pair as maintaining a close working relationship in support of operations targeting critical infrastructure and private-sector networks in the United States, Europe and the Middle East. The unit’s activities have caused financial losses and service disruptions across sectors including news media, shipping, travel, energy, financial services and telecommunications.

Shahid Shushtari functions as an Iran-based cyber organization that has operated under multiple aliases over the past several years. The group has previously been known as Emennet Pasargad, Aria Sepehr Ayandehsazan, Ayandeh Sazan Sepehr Arya, Eeleyanet Gostar and Net Peygard Samavat Co. Shirinkar is described as overseeing the unit’s operations.

Security analysts tracking the threat activity identify the group as UNC5866 and note that its methods have evolved alongside Iran’s broader cyber and influence objectives. The unit has been linked to a coordinated campaign targeting the 2020 U.S. presidential election that began in August 2020 and employed a combination of online manipulation and network intrusion techniques. It has also engaged in cyberespionage efforts, including operations built around a false-flag online persona.

The Treasury Department imposed sanctions on Emennet Pasargad and six of its members in late 2021 for activities connected to election interference. The same group is also monitored under the threat labels Cotton Sandstorm and Haywire Kitten and has maintained a steady operational tempo since at least 2018. Government agencies assessing the threat landscape reported in 2024 that the unit had demonstrated new tradecraft in preparation for future influence efforts.

Industry experts describe the group as consistently active in phishing and malware distribution operations and note that its targeting spans government, financial services, healthcare, technology and other sectors viewed as strategically important to Iran. Analysts also characterize the broader contractor ecosystem supporting the Islamic Revolutionary Guard Corps as highly adaptive, often shifting tactics rapidly in response to geopolitical developments.

The reward is offered through the State Department’s Rewards for Justice program, which seeks public assistance in disrupting foreign threats to U.S. national security. Officials issued the appeal last week, urging anyone with actionable information on Shirinkar or Kashi to come forward.