Arvin-Club

The metamorphosis of Arvin Club: from a ransomware group to a group of activists against the Iranian Islamic regime

In the recent past Arvin Club was a hacker group capable of hitting entities all over the world and across different sectors, such as education, finance, banking, commerce and transport (Kendriya Vidyala – India, Universiteit Leiden – Netherlands, Bureau van Dijk – Netherlands, Beh Pardakht Mellat – Iran, Utair – Russia), but calling it a ransomware group that targeted victims for financial gain is not entirely correct.

During the first half of 2021 Arvin Club opened a .onion site on the Tor network (http://xxz6hl6wwoa25er62tbjdxda4nxyt5iqziavb73mhda6q6zujsgfoxqd.onion/); the site remained active until the end of the same year, when it was closed. Then came a drastic change of course and a corresponding change of objective: curbing the Iranian Islamic regime with cyber attacks, mainly against government structures.

He has returned to writing, more frequently, on his Telegram channel, covering cybercrime in general and recounting the birth of new ransomware groups, but what interests him most is informing public opinion about the real conditions in which the Iranian people are forced to live under the dictatorship imposed by the Iranian Islamic regime.

In his answers to the questions we sent him, Arvin Club tells us about some government entities targeted by his activist group, such as the Ministry of Culture and Islamic Guidance and Khomeini’s website and state-owned banks, but he also tells us that there are many other targets the group preferred not to make public.

During our “chat”, which took place before we sent our questions, Arvin Club told us that some time earlier he had managed to get into the computer network of the city of Shiraz, in south-central Iran.

We were also curious to learn the truth about the hacking of the website of the Stormous ransomware group, an Arabic-speaking hacker group. His answer was unexpected and just as curious.

His answer about the birth of new ransomware groups and the trend we can expect in the near future was predictable, but no less worrying. According to him, the trend is in stark contrast with statements by some industry analysts and journalists who argue that the “ransomware phenomenon” decreased in 2022 compared with the previous two years.

On some questions he did not want to express himself:

There were some questions that we chose not to answer
Thank you

Below is our interview

SuspectFile – We saw your first announcements on your Tor blog in mid-2021, even though you were already present on a Telegram channel. What was the reason that prompted you to close the blog?

Arvin Club – Yes, lack of motivation to work; we decided to stop our black activities almost during this period.

SuspectFile – In the past, some industry analysts and journalists have wanted to associate you with the Iranian government, which you denied with a note. What more can you tell us about it?

Arvin Club – There is really nothing more, because we attacked targets in the West, they quickly judged and linked us to the terrorist regime of the Islamic Republic of Iran, while all these accusations are false.

SuspectFile – From the information collected, it seems that your way of operating is not comparable to that of ransomware groups: we do not understand your purpose to be extorting money from victims, but rather reporting deficiencies in the security of people’s data and, in some cases, the financial mismanagement of the targets you hit. Is SuspectFile wrong to have come to these conclusions?

Arvin Club – It is true to some extent: we used to buy data and sell it as middlemen, or sell our hacked data, but now we have stopped all these activities.

SuspectFile – According to SuspectFile, to date there are no in-depth and incontrovertible analyses of your group. How would you define the Arvin group?

Arvin Club – No answer

SuspectFile – What can you tell us about “Operation Stormous”, which saw this group’s .onion blog blacked out in March of this year? Is it an operation that we can really define as Arvin’s work?

Arvin Club – Yes, the hacking of the Stormous website was our work. This Arabic-speaking group does not even have the ability to launch a website. Pretentious novices.

SuspectFile – Do you consider yourself a politically linked group?

Arvin Club – Yes, we consider ourselves a hacktivist group. Now that I am interviewing you, the terrorist government is killing my countrymen. We are fighting in the cyber and real world. We attacked the sites of the Ministry of Culture and Islamic Guidance and Khomeini’s site and state banks, and our hidden targets that we never openly announced.

SuspectFile – We have noticed that, within your Telegram channel, the language used is in some cases Persian. Is it a way to mislead, or are there actually people from Iran, Tajikistan, Afghanistan or Uzbekistan among your operators or the subscribers to your channel?

Arvin Club – Our language is Farsi and there is no confusion. We work with all nationalities, in the Russian, English and Farsi languages.

SuspectFile – We know that you recently entered the computer networks of Shiraz, a city in south-central Iran. What can you tell us about it?

Arvin Club – We infiltrated the government’s computer systems and closed-circuit cameras in the south of Shiraz and deleted the information of the dictatorial regime. This was just one example of our hidden target that is being published for the first time.

SuspectFile – During the first ten months of 2022 we have seen dozens of new ransomware groups form; many of them disappeared within a few months, others are still very active, like Black Basta, RansomHouse, BianLian and Royal, just to name a few. Some analysts and journalists in the sector claim that in 2022 the ransomware phenomenon has dropped. SuspectFile does not agree with this statement; we believe instead that the phenomenon is constantly increasing, especially in the medical and educational sectors.
What can you tell us about it? What is your opinion?

Arvin Club – In my opinion, the phenomenon of ransomware is not only not decreasing, but also increasing. Maybe large groups will stop, but they will be activated again in small groups. This phenomenon will increase in the future and smaller groups will enter the market.

SuspectFile – Regarding the operation of ransomware groups, we would like to know your opinion. SuspectFile was able to read numerous chats between victims and group operators. In several cases, communication problems emerged during the negotiation: the victim asked for hard evidence of the data breach and a complete list of the directories attacked, but the operator could not respond because all the data was in the hands of the affiliate. Don’t you think such situations could undermine the reliability of a ransomware group?

Arvin Club – No answer

SuspectFile – How do you relate to other RaaS groups? Is there something in their way of acting that your group does not share?

Arvin Club – No answer

SuspectFile – In fact, most companies in every industry invest little or nothing in cybersecurity. But beyond that, what are the main shortcomings that companies should act on?

Arvin Club – No answer

SuspectFile – Do you also think, like some other groups, that some of the cybersecurity companies that companies entrust with the role of “negotiators” end up concluding a deal with the ransomware group in secret and for a fee? If so, how common do you think this improper practice is?

Arvin Club – No answer


