The metamorphosis of Arvin Club, from a ransomware group to a group of activists against the Iranian Islamic regime


Arvin Club has, in the recent past, been a hacker group capable of targeting entities all over the world and across different sectors such as education, finance, banking, commerce and transport (Kendriya Vidyala – India, Universiteit Leiden – Netherlands, Bureau van Dijk – Netherlands, Beh Pardakht Mellat – Iran, Utair – Russia), but calling it a ransomware group that targets victims for financial gain is not entirely correct.

During the first half of 2021 Arvin Club opened a .onion site on the Tor network (http://xxz6hl6wwoa25er62tbjdxda4nxyt5iqziavb73mhda6q6zujsgfoxqd.onion/); the website remained active until the end of the same year, when it was closed. Then came a drastic change of course and a consequent change of objective: to curb the Iranian Islamic regime with cyber attacks, mainly on governmental structures.

He has returned to writing more frequently on his Telegram channel, dealing with issues relating to cybercrime in general by recounting the birth of new ransomware groups, but what interests him most is informing public opinion about the real situation in which the Iranian people are forced to live under the dictatorship imposed by the Iranian Islamic regime.

In the questions we sent to him, Arvin Club tells us about some government entities that have been targeted by his activist group, such as the Ministry of Culture and Islamic Guidance and Khomeini’s state-owned bank and website, but he also tells us that there are many other affected targets that have not been made public.

During our “chat” that took place before we sent our questions, Arvin Club wanted to inform us that some time earlier he had managed to enter the computer network of the city of Shiraz, a city located in the central-southern part of Iran.

We were also curious to know the truth about the case of the hacking of the website of the Stormous ransomware group, an Arabic-speaking group of hackers. His answer was unexpected and equally curious.

The answer he gave us about the birth of new ransomware groups and the possible trend that we can expect in the near future was obvious, but no less worrying. A trend in stark contrast, according to him, to statements made by some industry analysts and journalists who argue that the “ransomware phenomenon” in 2022 has decreased compared to the last two years.

He declined to express himself on some questions.

There were some questions that we chose not to answer
Thank you

Below is our interview.

SuspectFile – We saw your first announcements on your Tor blog in mid-2021, even if you were already present on a Telegram channel, what was the reason that prompted you to close the blog?

Arvin Club – Yes, lack of motivation to work; we decided to stop our black activities almost during this period.

SuspectFile – In the past, some industry analysts and journalists have wanted to associate you with the Iranian government, which you denied with a note. What more can you tell us about it?

Arvin Club – There is really nothing more, because we attacked targets in the West, they quickly judged and linked us to the terrorist regime of the Islamic Republic of Iran, while all these accusations are false.

SuspectFile – From the information collected, it seems that your way of operating is not comparable to that used by ransomware groups; it does not seem to us that your purpose is to extort money from victims, but rather to report deficiencies regarding the security of people’s data and, in some cases, the financial mismanagement of the targets you hit. Is it wrong if SuspectFile came to these conclusions?

Arvin Club – It is true to some extent, we used to buy data and sell it as a middleman or sell our hacked data, but now we have stopped all these activities.

SuspectFile – According to SuspectFile, to date there are no in-depth and incontrovertible analyses regarding your group. How would you define the Arvin group?

Arvin Club – No answer

SuspectFile – What can you tell us about “Operation Stormous” which saw this group’s .onion blog blacked out in March of this year? Is it an operation that we can really define Arvin’s work?

Arvin Club – Yes, the hacking of the Stormous website was our work. This Arabic-speaking group does not even have the ability to launch a website. Pretentious novices.

SuspectFile – Do you consider yourself a politically linked group?

Arvin Club – Yes, we consider ourselves a hacktivist group. Now, as you are interviewing me, the terrorist government is killing my countrymen. We are fighting in the cyber and the real world. We attacked the sites of the Ministry of Culture and Islamic Guidance and Khomeini’s site and state banks, and our hidden targets that we never openly announced.

SuspectFile – We have noticed, within your Telegram channel, that in some cases the language used is Persian. Is it a way to mislead, or are there actually people from Iran, Tajikistan, Afghanistan or Uzbekistan among your operators or the subscribers to your channel?

Arvin Club – Our language is Farsi and there is no confusion. We work with all nationalities, in the Russian, English and Farsi languages.

SuspectFile – We know that you recently entered the computer networks of Shiraz, a city in the south central part of Iran. What can you tell us about it?

Arvin Club – We infiltrated the government’s computer systems and closed-circuit cameras in the south of Shiraz and deleted the information of the dictatorial regime. This was just one example of our hidden target that is being published for the first time.

SuspectFile – During the first ten months of 2022 we have seen dozens of new ransomware groups form; many of them disappeared within a few months, while others are still very active, like Black Basta, RansomHouse, BianLian and Royal, just to name a few. Some analysts and journalists in the sector claim that in 2022 the ransomware phenomenon has dropped. SuspectFile does not agree with this statement; we believe instead that the phenomenon is constantly increasing, especially in the medical and educational sectors.
What can you tell us about it? What is your opinion?

Arvin Club – In my opinion, the phenomenon of ransomware is not only not decreasing, but also increasing. Maybe large groups will stop, but they will be activated again in small groups. This phenomenon will increase in the future and smaller groups will enter the market.

SuspectFile – Regarding the operation of ransomware groups we would like to know your opinion. SuspectFile was able to read numerous chats between the victim and the group operator. In several cases, some communication problems emerged during the negotiation. The victim asked for hard evidence of the data breach and a complete list of the directories attacked, but the operator could not respond because all the data was in the hands of the affiliate. Don’t you think these situations could undermine the reliability of a ransomware group?

Arvin Club – No answer

SuspectFile – How do you relate to other RaaS groups? Is there something in their way of acting that your group does not share?

Arvin Club – No answer

SuspectFile – In fact, most companies in any industry invest little or nothing in cybersecurity. But beyond that, what are the main shortcomings that companies should intervene on?

Arvin Club – No answer

SuspectFile – Do you also think, like some other groups, that some cybersecurity companies to which companies entrust the role of “negotiators” eventually conclude a deal with the ransomware group in secret and for a fee? If so, how common do you think this incorrect practice is?

Arvin Club – No answer