False Pentagon cyber warning spreads as 5M Iranians receive prayer app defection messages during strikes

GigaNectar Team

As U.S. and Israeli forces launched coordinated strikes on Iran during Operation Epic Fury, a separate battle unfolded in the digital space. Cyber operations targeted Iranian infrastructure while false warnings circulated among U.S. military personnel, creating confusion amid genuine security threats.

On March 1, 2026, a viral message claiming to be from U.S. Cyber Command spread through military channels, falsely warning service members that Uber, Snapchat, and Talabat were compromised. Pentagon officials quickly denied issuing the warning. Meanwhile, hackers breached BadeSaba, a prayer app used by over 5 million Iranians, sending messages urging military defections as strikes commenced.

The cyber landscape grew more complex as Iran’s internet connectivity collapsed and decentralized hacker groups launched retaliatory operations. With Iranian leadership decimated by the strikes, cyber operations shifted from centralized command to autonomous actors coordinating through platforms like Telegram and Reddit.

⚠️ False Warning Debunked
Multiple defense officials confirmed to DefenseScoop that a viral message claiming to be from U.S. Cyber Command was not authentic. The message falsely warned troops to disable location services and claimed Uber, Snapchat, and Talabat were compromised. Captain Tim Hawkins of U.S. Central Command called the message “false.” Uber responded on social media, calling it an “unsubstantiated rumor.”

5M+: Users Reached by BadeSaba Hack
4%: Remaining Internet Connectivity in Iran
3: Apps Falsely Flagged in Viral Message
36hr+: Duration of Iran’s Internet Blackout

Timeline of Cyber Operations

Key events during Operation Epic Fury and cyber response

February 28, 2026 – 9:52 AM Tehran Time
BadeSaba Prayer App Compromised
The BadeSaba Calendar app, with over 5 million downloads, began sending push notifications reading “Help has arrived” as strikes commenced on Tehran. Messages urged Iranian military personnel to defect, promising amnesty for those who abandoned the regime.
February 28, 2026 – 10:14 AM
Surrender Instructions Broadcast
Additional notifications called on forces to “lay down weapons or join liberation forces.” The hack reached millions over a 30-minute period, targeting Islamic Revolutionary Guard Corps members and conscripts simultaneously.
February 28-March 1, 2026
Iran Implements Internet Blackout
NetBlocks reported Iran’s internet connectivity dropped to 4% of normal levels, eventually falling to 1% after more than 36 hours. State media outlets including IRNA and ISNA were taken offline by suspected coordinated cyberattacks.
March 1, 2026
False Cybercom Warning Goes Viral
A fabricated message claiming to be from U.S. Cyber Command spread through military circles and social media, accumulating hundreds of thousands of views. Pentagon officials and U.S. Central Command quickly denied issuing the warning.
March 1-2, 2026
“Great Epic” Cyber Campaign Escalates
Iran’s loosely coordinated “Cyber Islamic Resistance” group launched what cybersecurity firm Flashpoint called the “most aggressive” use of the campaign to date. Hacktivists coordinated attacks through Telegram and Reddit, posting screenshots as proof.

Decentralized Cyber Operations Create Unpredictability

The cyber threat landscape shifted dramatically following the strikes on Iranian leadership. With Tehran’s central command structure decimated, cyber operations transitioned from organized state-directed campaigns to decentralized actions by autonomous groups.

Kathryn Raines, a former NSA expert now serving as threat intel team lead at Flashpoint, explained the implications: “The Iranian leadership vacuum is likely going to lead to more unpredictable, decentralized proxy attacks. It’s in the hands of a 19-year-old hacker in a Telegram room with really no oversight or direction.”

This shift means aligned hacktivists and proxy groups make their own targeting decisions without approval from central authorities. If an aggressive group decides to target a mid-sized logistics firm, the risk cascades beyond major capitals like Tehran, Washington, or New York.

Active Cyber Threat Categories

Understanding the multifaceted cyber risks facing organizations

High Risk

Decentralized Proxy Attacks

With Iranian leadership gone, cyber operations have become unpredictable. Autonomous hackers in coordination channels can strike targets without central oversight, making traditional threat modeling based on state behavior less reliable.

High Risk

Psychological Operations

Attacks designed to target employee mental state and trust rather than steal data. The BadeSaba hack demonstrated how trusted apps can deliver misinformation directly to personal devices, creating panic and confusion.

Medium Risk

Misinformation Campaigns

False warnings attributed to official sources spread rapidly on social media. The fake Cybercom message reached hundreds of thousands of views before Pentagon officials debunked it, showing how quickly false information propagates.

High Risk

Infrastructure Targeting

The NSA, CISA, FBI, and Pentagon’s Cyber Crime Center warned that Iranian-affiliated actors routinely target poorly secured U.S. critical infrastructure in retaliation for military operations.

Medium Risk

Deepfake Communications

Experts warn of potential deepfake audio attributed to regional leaders or CEOs. When local news is offline and employees have limited fact-checking ability, distinguishing legitimate from false communications becomes nearly impossible.

High Risk

Supply Chain Disruption

Previous Iranian operations included shutting down gas stations in Jordan and attacks against U.S. and Israeli military providers to destroy data and conduct psychological operations.

Corporate Security Gap
Most corporate security plans focus on data breaches and system disruptions. They are not prepared for “nihilistic psychological operations” targeting employee mental state and organizational trust, according to Flashpoint’s threat intelligence team. Companies need protocols for verification when normal communication channels are compromised. Few organizations have plans for scenarios where staff receive urgent messages that appear legitimate but cannot be fact-checked due to internet outages or offline news services.

Understanding the Threat Landscape

Key questions about cybersecurity during military operations

What was the false Cybercom warning and why did it spread?
The viral message claimed to be from U.S. Cyber Command, urging service members to turn off location services and stating that Uber, Snapchat, and Talabat were compromised. Multiple defense officials confirmed to DefenseScoop that Cybercom did not issue this message. The false warning spread through military circles and social media amid heightened tensions during Operation Epic Fury. Uber responded directly on social media, calling it an “unsubstantiated rumor.” The incident demonstrates how misinformation can rapidly circulate during crisis situations when people are more susceptible to believing urgent security warnings.
How was the BadeSaba prayer app compromised and what was the impact?
The BadeSaba Calendar app, with over 5 million downloads, was compromised early on February 28, 2026. Starting at 9:52 AM Tehran time, the app sent push notifications reading “Help has arrived” and urging Iranian military and security forces to defect or lay down weapons. Cybersecurity experts, including former NSA operative Jake Williams, attributed the operation to Israeli intelligence. The hack was timed to coincide with strikes on Tehran, creating synchronized psychological and military pressure. Messages promised amnesty for those who abandoned the regime, reaching millions including Islamic Revolutionary Guard Corps members. The operation represents a calculated psychological warfare tactic that bypassed state-controlled media to deliver defection messaging directly to personal devices.
What makes Iran’s “Great Epic” cyber campaign unique?
The “Great Epic” campaign operates through the “Cyber Islamic Resistance,” a loosely coordinated group of cyber operatives. Unlike centralized state operations, this network uses Telegram and Reddit as coordination hubs. Hackers post screenshots of alleged attacks as proof, though verification takes weeks or months. Following the decimation of Iranian leadership in the strikes, the command structure overseeing cyber operations essentially disappeared. This created what Flashpoint describes as “extreme volatility” where hacktivists and proxies make targeting decisions without central approval. Previous operations included shutting down gas stations in Jordan and attacks on U.S. and Israeli military providers.
Why are companies unprepared for psychological cyber operations?
Corporate security plans typically focus on preventing data breaches and system disruptions. They lack protocols for attacks targeting employee mental state and organizational trust. Former NSA expert Kathryn Raines explains that companies face scenarios where staff in the Gulf region might receive what appear to be urgent messages—perhaps deepfake audio from leaders or false evacuation communications—while local news is offline and internet service is limited. Without the ability to fact-check, employees cannot distinguish legitimate communications from attacks. Brian Carbaugh, former director of the CIA’s Special Activities Center and now CEO of Andesite, emphasizes that this conflict requires “constant vigilance” as it could take many directions and is unlikely to resolve quickly.
What are the implications of Iran’s internet blackout?
Iran’s internet connectivity dropped to 4% of normal levels initially, then to 1% after more than 36 hours, creating a near-total blackout. NetBlocks noted this severely limited civic engagement at a critical moment following the killing of Ayatollah Ali Khamenei. Major data centers lost international connectivity. State-affiliated news agencies including IRNA and ISNA went offline. Digital rights advocates warned these outages eliminated visibility, preventing civilians from documenting events or seeking help. The blackout also made it difficult to verify the extent of cyberattacks or assess the success of psychological operations like the BadeSaba hack. This level of information control allows authorities to operate without external scrutiny while hampering coordination among opposition groups.

Corporate Security Recommendations

Essential measures for organizations during heightened cyber threats

🔐

Verify Communications

Establish out-of-band verification protocols for critical communications, especially from leadership. Use multiple channels to confirm instructions during crises when primary systems may be compromised.

⏱️

Assess Recovery Time

Determine the maximum offline time for business functions before revenue and reputation impact. Focus on recovery capabilities over prevention alone, as Raines notes: “We’re less interested in the block rate, and more interested in recovery time.”

🎯

Evaluate Risk Exposure

Assess whether your business faces elevated risk based on geographic presence, industry sector, or operational dependencies in affected regions. Avoid assumptions that only major corporations are targets.

🤝

Partner Intelligence Sharing

Engage with partners and security communities to understand how they detect attacks and what AI tools are being deployed for threat detection. Collaborative intelligence improves collective defense.

📱

Monitor Employee Apps

Be aware of consumer applications employees use for work purposes. The BadeSaba hack demonstrates how trusted apps can become attack vectors, delivering false information or malicious content.

🛡️

Plan for Communication Disruption

Develop protocols for when normal communication channels are compromised or unreliable. Establish alternative methods for employee verification, coordination, and fact-checking during information blackouts.

Coverage Summary

The events during Operation Epic Fury were discussed, including the false U.S. Cyber Command warning that spread through military channels on March 1, 2026. The BadeSaba Calendar app breach was covered, showing how over 5 million users received defection messages during the strikes. Iran’s internet blackout was documented, with connectivity dropping to 4% of normal levels before reaching 1% after 36 hours.

The shift from centralized to decentralized cyber operations was examined, with quotes from former NSA expert Kathryn Raines and former CIA Special Activities Center director Brian Carbaugh explaining the implications. The “Great Epic” campaign and coordination through Telegram and Reddit were detailed. Corporate security gaps regarding psychological operations were addressed, along with recommendations for organizations.

Information was presented from official sources including DefenseScoop, the National Security Agency, NetBlocks, and cybersecurity firm Flashpoint. The material covered demonstrates how cyber warfare operates alongside conventional military operations and how misinformation spreads during conflicts.
