Israeli authorities registered some 4,800 hostile cyber incidents in June 2026, up from around 1,600 in June 2025, according to Yossi Karadi, director general of Israel’s National Cyber Directorate. The near-tripling of monthly attacks, detailed in a German newspaper interview published Monday, is the sharpest public jump of the wider conflict so far.
Karadi told Die Welt that the surge began after the launch of the joint US-Israeli offensive against Iran in February 2026 and has continued throughout the spring and summer. The attackers include skilled groups, he said, and Israel can handle them but must take them seriously. His warning frames a contest that has played out alongside missile exchanges and airstrikes, with no expectation of letup even as Washington works to lock in a broader peace deal.
From 1,600 to 4,800 Incidents Year Over Year
The June 2026 figure, drawn from the National Cyber Directorate’s count of hostile cyber incidents, is roughly three times the load seen during the 12-Day War of June 2025, when Israel ran a separate round of military operations against Iran. That earlier month produced the around 1,600 hostile cyber incidents that Karadi’s new interview cites as the baseline. June 2026, by contrast, produced some 4,800. The 2026 Iran war, which began on 28 February under the codenames Operation Roaring Lion (Israel) and Operation Epic Fury (the United States), has run four months longer than last year’s exchange, giving attackers more runway.
In February, the INCD and the Shin Bet issued an update warning the Israeli public that, since mid-2025, there had been a campaign of hundreds of highly sophisticated cyber attacks against Israeli government officials, security officials, academics, and media figures.
The official pointed to a layered threat: state-aligned groups running coordinated campaigns, hacktivist personas carrying out visible strikes for propaganda effect, and criminal-tier operators opportunistically wiping systems once they get inside smaller firms.
Where the Attacks Are Landing
Karadi said the attacks are aimed at four distinct layers of Israeli life: critical infrastructure, central organizations, small to medium-sized companies, and the public. He singled out law practices and accounting firms as among the smaller organizations hit, a category with thin security budgets and the kind of client data that invites ransomware-style wipeouts.
| Target category | What Karadi described |
|---|---|
| Critical infrastructure | Attacks so far contained |
| Central organizations | Targeted in the ongoing campaign |
| Small and medium-sized companies | Among the easier-to-penetrate victims |
| Law and accounting firms | Named as smaller organizations hit |
| The public | Reached through mass text-messaging campaigns |
Israel has so far kept the most damaging tier out of harm’s way. “So far, and hopefully it stays that way, we’ve managed to fend off attacks on critical infrastructure,” Karadi told Die Welt. The country’s defenses have held at the top of the stack even as the attack volume tripled.
Karadi on a Cyber War Without a Ceasefire
Some groups are very skilled. We can handle them, but we have to take them seriously. Unlike in the kinetic realm, there’s no ceasefire in cyberspace.
Karadi, the director general of Israel’s National Cyber Directorate, told the German newspaper Die Welt that the cyber front would not honor any kinetic ceasefire. The Karadi interview on the cyber surge was posted Monday and included the warning that attacks on smaller organizations had produced system wipeouts.
In a separate interview in May, Karadi made the same point more bluntly. “There is no ceasefire in cyber,” he said. “You cannot force any agreement on cyber.” Karadi’s May interview on Iran-linked coordination covered AI tools, mass texting campaigns, and the Stryker compromise.
That asymmetry, in his account, is why the National Cyber Directorate plans for a permanent contest rather than a paused one. Karadi said he considers the cyber realm to be heading into a permanent state of cyber warfare, against enemies he knows and, more often, against ones he does not.
The Smaller Firms That Lost Systems to the Hackers
The critical-infrastructure tier has been held, by Karadi’s account. The tier below it has not. Companies that were easier to penetrate often ended up having their computer systems wiped, he said, declining to name any.
Wiper attacks, which erase data rather than steal it, are a hallmark of state-aligned Iranian operations and of the hacktivist front groups operating under Tehran’s umbrella. The pattern matches what outside researchers have documented over the past year, including the March compromise of medical-technology giant Stryker by an Iran-linked group. Smaller Israeli firms, professional services offices, and local businesses are attractive targets because their security budgets cannot match those of utilities or government ministries.
A Sharper, More Coordinated Adversary
The attackers are more numerous. They are also more organized. In the May Nextgov interview, Karadi said Iranian state-aligned groups have grown more willing to share tools and information with each other. “In the last year, Iran’s state-backed hacking units have increasingly begun to talk to each other, and then collaborate with each other, and then even sometimes exchange information among themselves,” he said. “Of course, when they work together, they can work more efficiently and better.”
The coordination has been visible in the messaging layer. During the recent war, Iran has sent hundreds of thousands of text messages to Israelis as part of a deception and influence campaign, Karadi said. Some messages told Israelis not to go to bomb shelters because they were closed. Others sought to recruit Israelis for intelligence-sharing. Earlier messages were in poor Hebrew; recent ones, polished with AI, are harder to dismiss out of hand.
- State-aligned groups sharing tools and coordinating campaigns, per Karadi
- AI-assisted phishing and influence content in Hebrew and Arabic
- Mass text-messaging campaigns sent to Israeli phones during the war
- Destructive wiper malware deployed against smaller Israeli organizations
Iran’s Cyber Operations Reach Beyond Israel
Iran’s cyber operators have not confined themselves to Israel. Over the past few months, Iran-linked hackers have deployed cyberespionage techniques that targeted the United States, Israel, the UAE, and other Middle Eastern nations, according to researchers cited in the May Nextgov interview. Pro-Iran hackers separately targeted various U.S. industrial control systems, federal officials said.
The volunteer tier of the operation has expanded alongside the state-aligned one. A surge in hacktivist activity was observed, with more than 60 groups claiming actions by 2 March 2026. The most prominent, Handala Hack, is linked to Iran’s Ministry of Intelligence and Security and has claimed responsibility for attacks against Israeli energy firms, Jordanian fuel systems, and healthcare targets.
On 11 March 2026, the same persona claimed credit for a destructive malware attack on a U.S.-based multinational medical technologies firm. The U.S. Justice Department, in a seizure of four Iranian MOIS domains, formally linked the operation to Iran’s MOIS and announced a takedown of the network’s infrastructure. The State Department’s Rewards for Justice program is offering a reward of up to $10 million for information on the operators.
The Iranian playbook, per the Justice Department, pairs destructive cyber-attacks with what U.S. investigators call “faketivist” psychological operations using stolen data. A separate Iranian-linked breach of Los Angeles Metro in March, attributed by Israeli researchers to Tehran’s MOIS, fit the same civilian-target pattern.
Israel’s Wartime Cyber Defenses
Israel’s response is leaning heavily on allied partnerships. Karadi told The Jerusalem Post in February that cooperation with the United States “is still excellent. We are still helping each other.” He added that Israel had recently signed an agreement to send a permanent cyber liaison to Germany, formalizing a working channel that had been informal until now.
Karadi is also pressing major AI labs for controlled access to advanced models like Anthropic’s Mythos, arguing that governments need the same tools attackers are seeking to adopt. The effort is, in his words, “a work in progress.” Anthropic’s Mythos, withheld from public release over hacking concerns, sits alongside OpenAI’s GPT-5.5-Cyber as one of the frontier models governments are now trying to secure for defensive use.
The broader posture, Karadi said, is permanent alert. “Since the 12-Day War last year, we were in an 100% alert situation, and we have been preparing ourselves for high-scale cyber war,” he said. As the kinetic phase cools, the cyber contest continues.
Frequently Asked Questions
Who is Yossi Karadi?
Yossi Karadi is the Director General of Israel’s National Cyber Directorate (INCD), the country’s lead civilian cyber-defence authority. The INCD sets national cyber policy, coordinates incident response across government and private sectors, and publishes public guidance.
What is the 2026 Iran war?
The 2026 Iran war began on 28 February 2026 when Israel and the United States launched coordinated airstrikes, codenamed Operation Roaring Lion (Israel) and Operation Epic Fury (the United States), targeting Iranian leadership, nuclear facilities, and military sites. It is distinct from the shorter 12-Day War of June 2025.
Why is Iran continuing to attack Israel in cyberspace?
According to Karadi, attribution in cyberspace is deniable in a way that kinetic strikes are not. That asymmetry makes a cyber ceasefire unenforceable: any party can deny an attack. As the U.S. and Iran work on a wider peace deal, Karadi expects the cyber layer to keep running.
Which smaller Israeli firms have been hit?
Karadi named law practices and accounting firms as among the smaller organizations affected, without naming specific firms. Companies that were easier to penetrate often had their systems wiped, he said. Israel does not publish a per-incident breakdown of severity, so the count of successful wipeouts is not public.
