The cost of talking against the Iranian government as a CyberSecurity expert
My shameful past
(Please be aware that this is a personal story and nothing technical)
Now that I’m writing this, I have no hope of any improvement in my situation; so I’m going to tell the untold while I know no one really cares. When I entered the world of Cyber Security, I was full of dreams. As a 12 years old boy in an extremely controlled and fearful space of this field in Iran, I was brainwashed by the government’s propaganda; Working and learning every day to make my country proud by “Defacing Websites”…
Soon and after passing the first stages of being a “Script kiddie”, A horrifying truth ruined my dream world and my image of my country. I found my heroes (government and Iranian intelligence agencies) against us, my friends got blackmailed and arrested, to forcefully work with them. This wasn’t the best situation for a teenager like me, so I left all my beliefs behind and stopped “Defacing” and other meaningless aggressive actions. This was not easy for me and made my days really hard since a few months before that, doctors told me that I have psychosis problems (which is a whole different story about living like that in Iran).
Trying to be better
In the past few years, I’ve tried to clear my destructive and shameful past by being a real hacker, dedicated to making the world more secure and be more than a “puppet script kiddie”, and that’s where my encounter with the Iranian government began. As a member of some white-hat hacker groups, I’ve started criticizing the government’s policy about their aggressive cyber operations and their weak defensive policies. It got worse when I’ve found out that the government is spying on its own citizens (referring to the “Golden Telegram” story), I began to write about it in Persian and show the people how the lack of CyberSecurity policies AND their spying and blocking operations endangers people. (https://virgool.io/@moh53n)
Soon after that, another thing showed up. For many years I knew (and many people knew) that the government is trying to block and control the Internet like China or even worse, so I was documenting them on my Twitter (https://twitter.com/search?q=from%3Amoh53n%20%D9%81%DB%8C%D9%84%D8%AA%D8%B1%D9%86%D8%AA), but I found out the great Iranian technology companies and startups are even working with the government to provide alternatives to blocked services in Iran and in return, the government helps them to stay the only option and be a monopoly. So I’ve started to analyze them.
In those years I was targeted by multiple blackmails and harassments against myself and my family (unknown calls, warning me by friends, etc…), but I knew I can handle them and avoid serious danger by some techniques and drawing a line for myself. Then they came to buy me since I had some bold projects those days (like Telegram and Twitter crawling). Having a job and working as a Cyber Security expert in Iran is hard. There are many government-sponsored companies (I call them proxies from other places) that recruit cyber security experts and developers to launch foreign cyberattacks, or to complete their “Domestic Network”, which is an alternative to the Internet (because they try to shut that down for people). So you have to be very careful about what are you doing and who are you working for.
As an honor, I never worked with them or their proxies (despite the fact that they would pay GOOD and I really need that), instead, it was a few months that I was making money by education services and cyber security advisory to companies. It was the only way since I was heavily restricted to have some jobs, but things got even worse…
In June 2020, I’ve published research at an Iranian Cyber Security conference about the biggest android market in Iran (https://github.com/moh53n/bazz), How their claims about being one of the most secure Android markets in the world are false, and how much they’re unsafe. The next week, I had lost all of my income. My advisory to those few startups ended without any explanation, So I started to send a resume to find a day job. Nothing, after working professionally for about 3 or 4 years, no one responded. A few months later a friend of mine told me that I’m “Black-listed”, which means companies and startups will not recruit me because some big brother didn’t like some of my works. The only reason that I can relate to that is I agree I’m not that good in this field, but it is very hard for me to believe that I’m “too bad” for any job in this country. I have no proof for the “blacklist” thing and I’m not going to convince people, that’s just what happened, coincidence or not…
From June 2020 to this day, I have no job. I hardly study at university (because of my psychosis problems) and live with my family. My old dreams of being a good hacker and do the thing that I love, are all gone. Under the sanctions on Iran, I can’t do these new “Bug Bounty” things (or I have to do it in a way that I’m not sure if it’s legal) and I can’t leave the country.
These days, I write Persian Cyber Security articles and teach people to be a hacker, a good and ethical one. I tell them my story and warn them to not repeat my mistakes. In a country that every person and every company fears the government and complies (even if they pretend that they’re not), no one has a chance to make a change…