Since the United States (US) and Israel launched a joint attack against Iran on 28 February, Western security services, including Europol, have warned of an increased terrorist threat, particularly targeting Jewish and Israeli sites, due to the risk of retaliatory attacks in the form of Iranian state-backed terrorism. These concerns now appear to be materialising. Since 9 March, a series of attacks, primarily directed at Jewish sites, have unsettled Europe. The first incident occurred in the early hours of 9 March, when an improvised explosive device (IED) was detonated in front of a synagogue in the Belgian city of Liège. Although the blast caused no casualties and only limited damage, Belgian Prime Minister Bart De Wever described it as “an attack on our values and our society.” Since then, attacks have occurred in the Netherlands, and most recently on 23 March in London, when four cars belonging to a volunteer Jewish ambulance service were set on fire.
Possible links with Iran became clearer when the Liège attack was claimed by a previously non-existent group calling itself Harakat Ashab al-Yamin al-Islamia (HAYI), roughly translated as “The Islamic Movement of the Companions of the Right[eous].” The claim was disseminated via a video showing brief footage of the attack, branded with the group’s logo, and circulated on Telegram and X channels affiliated with groups of the axis of resistance, especially Iraqi pro-Iranian Shia militias, as well as pro-Iranian news outlets. In the days that followed, HAYI claimed responsibility for additional attacks: against a synagogue in Rotterdam on 13 March, a Jewish school on 14 March and a commercial centre on 16 March, both in Amsterdam, and most recently on 23 March in the United Kingdom (UK). In addition, HAYI has claimed attacks against an unspecified site in Greece on 11 March, as well as in France and another in the Netherlands both on 23 March, which all likely constitute disinformation. Although these attacks have so far resulted in no casualties and only minor damage, they nonetheless display a clear terrorist intent, as evidenced by the deliberate targeting of Jewish sites and subsequent claims accompanied by further threats.
Against this backdrop, this analysis examines the series of attacks, with a particular focus on the digital footprint associated with the claims, presenting further evidence of likely Iranian involvement. It then places the incidents within the broader context of recent Iranian external operations in Europe, before turning to the profile of the perpetrators, whose apparent recruitment patterns resemble those observed among other hybrid threat actors, including Russian-orchestrated sabotage networks in Europe.
Digital Footprint of HAYI in pro-Iranian Ecosystem
To analyse the activities of HAYI, we examined its digital footprint, including the first public mentions of the attacks online and the initial dissemination of the corresponding claim videos. This analysis was conducted using the OSINT tools XNetwork and TGStat, which were queried using Arabic-language keywords. In addition, an AI-based detection tool was employed, which indicated that all claim videos were likely genuine recordings.
There are no known references, either online or offline, to HAYI prior to 9 March, when a post by the group was circulated in a Telegram channel seemingly affiliated with the Iraqi pro-Iranian militia Liwa Zulfiqar. In this post, HAYI announced “the start of its military operations against US and Israeli interests around the world,” although it made no reference to the attack against the synagogue in Liège that occurred on the same day. This would suggest that HAYI is a new group, established for the purpose of this bombing campaign.
On 11 March, two days after the Liège attack, HAYI first claimed responsibility. According to our investigation, the claim video was initially published on a Telegram channel affiliated with another Iraqi pro-Iranian Shia militia, Asaib Ahl al-Haq, which is reported to maintain close ties with the Quds Force of the Islamic Revolutionary Guard Corps (IRGC). The video itself features self-recorded footage of the attack, likely captured on a mobile phone, and includes the group’s logo and name, as well as the date and location of the incident, all in Arabic. The IRGC, which is designated as a terrorist organisation in several countries, including the United States and Canada, and most recently by the European Union, serves as the primary security arm of the Iranian regime. Within the IRGC, the Quds Force, one of its five branches, is responsible for operations abroad and is therefore chiefly tasked with conducting Iranian hybrid activities, including targeted killings, abductions, and the maintenance of relationships with Tehran’s network of proxy groups, such as Hezbollah and the Houthi militia in Yemen.
In the following days, a dissemination pattern emerged that is consistent across all subsequent attack claims. In each case, the same set of four Arabic-language Telegram channels, each with a followership in the hundreds of thousands, plays a central role. In addition to the two aforementioned channels affiliated with Iraqi pro-Iranian militias, this includes two other channels which present themselves as “news outlets” but function primarily as vehicles for pro-Iranian content. The latter two channels also exhibit ties to major sanctioned pro-Russian networks, as evidenced by frequent reciprocal mentions. Typically, one of the four channels first reports an incident via a brief text post. Within minutes, the same, or another of the four accounts, releases the corresponding HAYI video claim. The material is then cross-posted to their X accounts and subsequently amplified by a broader network of pro-Iranian influencers. Later on, several Telegram channels linked to the Houthi movement and Hezbollah also shared the videos. At the same time, the non-simultaneous posting of attack reports and video claims, as well as slight variations in messaging, suggests a human-coordinated rather than bot-driven campaign, in contrast to, for example, the Russian “Doppelgänger” campaign where bots were used to amplify cloned news websites containing pro-Russian disinformation.
In the case of the three latest attacks in the Netherlands, the timing of online reporting is particularly noteworthy. Mentions of the incidents, despite occurring in the middle of the night, were published within minutes by the same four channels, followed shortly thereafter by the corresponding video claims. For example, the Rotterdam synagogue attack, which occurred at approximately 03:40 AM, was first reported at 03:57 AM, with the video claim released around 04:19 AM. In the case of the attack against the Jewish school, the temporal proximity was even closer: the incident reportedly took place around 03:45 AM, with initial mentions already appearing at 03:44 AM, followed by the video release roughly two hours later. The close proximity of these channels to Iranian-aligned networks, combined with the near-immediate reporting and access to attack footage, suggests that they were informed of the incidents almost in real time, either directly by the perpetrators or via intermediaries.
Assessing HAYI’s Authenticity
The suspicious dissemination patterns raise the question of whether HAYI is a genuine terrorist group or merely serves as a façade for Iranian hybrid operations that enable plausible deniability. Following the attack on 16 March against a Jewish school in Amsterdam, ICCT identified an allegedly official Telegram account of HAYI, which hosted the corresponding claim video. However, the authenticity of this account warrants caution. Although it was reportedly created in 2023, it only became active in connection with the latest incidents, and the claim video appeared there only after it had already been disseminated via the aforementioned pro-Axis and pro-Iranian channels. Furthermore, the account only has a few dozen followers. Following the most recent attack in the UK on 23 March, ICCT identified another Telegram account, likewise posing as an official mouthpiece of HAYI. It was created two days before the attack – on 21 March – and the claim of the London attack included a QR code linking to the Telegram channel. According to our investigation, through this account, HAYI published a claim before any other channel for the first time, although reporting of the attack, without reference to HAYI, had already appeared hours earlier on pro-Iranian channels. However, there are also a number of inconsistencies with this account, foremost the misspelling of the Arabic channel name, likely resulting from an incorrect English translation.
Furthermore, inconsistencies in some of the claimed attacks warrant further attention. While geolocation analysis confirmed the authenticity of five attacks in Belgium, the Netherlands, and the UK, it suggests that the alleged attack in Greece is likely disinformation. Specifically, the analysis of the ‘Greek attack video’ indicates that it depicts an explosion at a residential building in Rotterdam on 3 March. Furthermore, Greek authorities have not announced that they are aware of any such incident, nor is there any corresponding coverage in the Greek press. Similarly, there is also no public evidence for the attack claims in Paris and Haarlem that were published by the same alleged HAYI channels.
Doubts regarding the authenticity of HAYI are, however, not only raised by the appearance of its Telegram channel and the likely falsely claimed attack in Greece, but also by inconsistencies within the claim material itself. For example, the videos contain noticeable linguistic errors. Further, the Arabic inscription beneath the group’s logo, which closely resembles the flag of Hezbollah and other pro-Axis groups, except for featuring a Soviet SVD sniper rifle instead of the more typical AK-style imagery, includes multiple mistakes, including the misspelling of the word “Islamic.”
Altogether, these inconsistencies and, at times, relatively unsophisticated errors argue against both a highly professional, independent terrorist organisation and the direct execution of the attacks by Iranian intelligence operatives.
There is also another possible scenario. On 7 March, an encrypted message was posted on the aforementioned Telegram channel of Asaib Ahl al-Haq, which granted permission to “all silent cells” to take action and was later referred to in messaging claiming the attack in Liège. While the activation of Europe-based sleeper cells cannot be excluded, significant evidence points toward the involvement of locally recruited actors, as will be discussed in greater detail in the following section.
HAYI in Context of Iranian Hybrid Warfare
Concerns regarding Tehran’s potential involvement in this wave of attacks, particularly in light of the observed online patterns, are not unfounded, given Iran’s long-standing history of conducting hybrid operations abroad. One recent study identified 218 Iranian external operations, including assassinations, abductions, intimidation and surveillance plots since 1979, of which 102 occurred in Europe.
More broadly, although not a new phenomenon, the use of hybrid threats as part of the toolbox of hostile state actors to pursue strategic interests abroad has increased significantly in recent years. Iran appears to have intensified its activities in recent years: more than half of the 102 European plots have taken place since 2021, with MI5 stating that, in 2025 alone, it had disrupted more than 20 Iranian-linked plots in the United Kingdom. Recent cases can, for instance, be found just earlier in March this year, when British police arrested four men on suspicion of targeting Jewish sites in the London area, while in May 2025, authorities reportedly foiled a large-scale plot, allegedly directed against the Israeli embassy in London. Comparable incidents have also been recorded elsewhere in Europe. A recent ICCT study identified 151 kinetic hybrid incidents linked to Russia since its full-scale invasion of Ukraine in 2022. In Germany, authorities arrested several individuals in 2025 who were reportedly acting on behalf of the Quds Force of the IRGC and were planning attacks against Israeli and Jewish locations in Berlin. Likewise, Iran already has a documented history of conducting hybrid operations in the Netherlands. In its most recent annual report, the Dutch intelligence service AIVD assesses that Iran was likely responsible for an assassination attempt against an Iranian dissident in Haarlem in 2024. In addition, Dutch authorities have previously identified “strong indications” of Iranian involvement in the killings of two Dutch nationals of Iranian origin in 2015 and 2017.
Several operational features of the recent attacks in Belgium and the Netherlands point towards possible Iranian involvement, beyond the online footprint discussed above. The sudden emergence of a series of explosive attacks against Jewish targets generates precisely the type of confusion and intimidation that lies at the core of hybrid warfare. At the same time, claims by a previously unknown Shia group introduce an additional layer of ambiguity, thereby enabling plausible deniability. In fact, the creation of new (terrorist) groups, later leveraged to serve strategic objectives, has been a hallmark of Iranian (hybrid) warfare practices. While genuine authorship by an independent Shia terrorist group, similar to the shooting on 1 March in Austin, Texas, cannot be entirely ruled out, it appears unlikely. Across ideological spectra, terrorist actors typically aim to inflict casualties, whereas the apparent effort to avoid casualties, evidenced by the timing of attacks during the night, stands in contrast to this pattern. By comparison, both the target selection, predominantly Jewish and Israeli sites, and the use of explosive devices are consistent with known patterns of Iranian external operations.
The profile of the perpetrators further reinforces this assessment. Rather than involving official operatives, the attacks appear to rely on locally recruited individuals. In the one case where perpetrators have reportedly been identified – the Rotterdam synagogue attack – the suspects involved were five youths from Tilburg aged between 17 and 19. This reflects a broader trend in hybrid activities in Europe, pioneered in particular by Russia, whereby sabotage and diversionary actions are outsourced to ordinary citizens acting as so-called “disposable agents” in return for financial reward. Young people, who may be more susceptible to promises of quick and easy money and less able to fully assess the consequences of their actions, have become a key recruitment pool for hybrid threat actors. An ICCT study on Russian hybrid operations, for example, found that approximately a fifth of all identified perpetrators were under the age of 21. Iran has similarly made use of young recruits, as illustrated by a Tehran-orchestrated grenade attack against the Israeli embassy in Stockholm, in which the perpetrators were aged 16 and 18.
Another relevant development is the emergence of a new crime–terror nexus, whereby hostile state actors increasingly cultivate ties with criminal networks, ranging from organised crime groups to local petty criminals, and leverage them for hybrid activities. Iran, for instance, has reportedly commissioned criminal gangs such as Foxtrot and Rumba in Sweden, including for the aforementioned grenade attack against the Israeli embassy, as well as groups such as the Hells Angels for attacks against synagogues in Germany. In this context, the presence of a conducive environment in the Netherlands and Belgium could help explain a potential Iranian recruitment pathway. As highlighted in a recent Europol report, Belgium and the Netherlands have emerged as major hubs for organised crime in Europe, in part due to “Belgo-Dutch criminal networks” heavily involved in international drug trafficking via the ports of Rotterdam and Antwerp. Furthermore, especially in the Netherlands, criminal groups are already well experienced in using IEDs, often to settle disputes and intimidate rivals, with over 1,500 such incidents recorded in 2025 alone. Moreover, these networks have increasingly recruited young individuals via online platforms such as Telegram and TikTok to carry out tasks ranging from intimidation to targeted killings, often in exchange for relatively small sums. As a result, criminal networks in the Netherlands and Belgium could in the future (or may already) serve as attractive partners for Tehran in facilitating hybrid operations.
Conclusion
Although, at the time of writing, there is no unequivocal proof of Iranian involvement in the series of attacks in Belgium, the Netherlands, and the UK, the surrounding circumstances, particularly the suspicious online footprint, including dissemination through accounts closely linked to the IRGC ecosystem, strongly point towards Iranian-backed activity. In addition, the operational characteristics further support this assessment. The modus operandi reflects a broader trend in contemporary hybrid warfare, whereby on-the-ground activities are outsourced to ordinary, often young, local individuals recruited for relatively small sums of money.
With regard to the potential motive, assuming Iranian involvement, the targeting of Jewish and Israeli sites, while consistent with established patterns of Iranian hybrid activities, arguably extends beyond mere intimidation. The introduction of a previously unknown terrorist group, alongside the likely falsely claimed attack in Greece, mirrors tactics observed in Russian hybrid operations in Europe, namely the deliberate creation of ambiguity to sow confusion and disorder. Furthermore, the attacks can also be considered a signal from Tehran that it is both willing and capable of conducting operations in Europe, while maintaining a layer of plausible deniability that complicates a decisive European response.
Nevertheless, the implications for the main target of this attack series, the Jewish community, are significant. In a context of heightened polarisation and rising antisemitism, both online and offline, such attacks, regardless of whether they are ultimately attributed to terrorist groups or state-backed actors, carry a substantial risk of exacerbating fear within Jewish communities across Europe. As part of the SENTINEL project, the ICCT, together with SACC by EJC, identified more than 250 kinetic antisemitic incidents in Europe in the past year.
The increasing threat posed by hostile state actors, most notably Russia and Iran, underscores the urgent need to adapt European intelligence paradigms. This entails moving beyond a counter-terrorism focus primarily centred on conventional, non-state actors, towards an approach that more fully incorporates the risks posed by state-backed terrorism and hybrid threats. While the current series of attacks appears to have been designed primarily to create disruption and psychological impact through limited material damage, recent cases, such as Russian-coordinated attempts to derail trains in Poland, as well as multiple foiled Iran-linked plots in Germany and the United Kingdom, demonstrate that these actors are both capable of, and willing to, cause mass casualties.
This publication represents the views of the author(s) solely. ICCT is an independent foundation, and takes no institutional positions on matters of policy unless clearly stated otherwise.
Photo credit: Javad Esmaeili/ Unsplash