Sabotage-for-Hire on Telegram: How Iran’s Intelligence Service Is Recruiting British Teenagers and Petty Criminals to Attack the UK

TL;DR: Two investigations published in late March and April 2026 — one by The Sunday Times, one by LBC — caught Telegram channels claiming affiliation with Iran’s Ministry of Intelligence openly recruiting UK residents, including teenagers, for sabotage, surveillance, and antisemitic vandalism. The first task offered to an LBC undercover reporter: burn photos of Donald Trump and Benjamin Netanyahu on a London street and send video proof, paid in crypto. The Metropolitan Police call it “an unprecedented level of national security investigations with suspected links to foreign states.” The tradecraft is a near-clone of Russia’s Wagner-linked playbook — and it is now standard practice across Europe.

What two undercover investigations exposed

The pattern surfaced publicly through two parallel pieces of reporting:

1. The Sunday Times / GB News (late March 2026): Iran’s intelligence ministry was found advertising surveillance of potential targets through public Telegram channels, with £500 offered for basic assignments and larger sums available for more sophisticated operations. The recruitment messages appear in both English and Hebrew, seeking individuals willing to film or follow designated targets, with automated chatbots handling initial contact — gathering location, motivations, and capabilities before arranging cryptocurrency payments designed to obscure the money trail. Security analysts told the paper that the same approach has been deployed in Israel, where individuals as young as 14 have faced charges for recording military installations in exchange for payment.

Roger Macmillan, a security expert formerly with Iranian diaspora outlet Iran International, characterized the bilingual approach bluntly to The Times: the messages target both disaffected Jewish or Israeli readers and English-speakers who need money, calling it “straight out of a Russian playbook”.

2. LBC undercover investigation (April 25, 2026): An LBC reporter posing as a recruit engaged with a Telegram channel advertising “high-paid” work on behalf of Iran’s intelligence service. The channel posted in both English and Hebrew, billing itself as a “completely secure and professional environment with 24/7 monitoring and support” and inviting recruits to “hit the start button and cooperate with us”. After tapping start, the reporter was greeted by an automated bot — a GIF of a waving cat — and rapidly handed off to an “agent.”

Within hours, the agent issued the first task: print a photo of Trump and Netanyahu, set it on fire on a famous London street, and send video proof — described as “the first step in building trust”. Payment was offered in cryptocurrency, with the agent indicating further, larger jobs would follow.

LBC handed the full exchange to UK Counter Terrorism Police.

The recruitment funnel, dissected

Strip away the geopolitics and the operation is a textbook social engineering funnel — the same shape as a phishing kit or a romance scam, just pointed at sabotage instead of credentials or money.

Stage 1 — Public channel as top of funnel. A Telegram channel openly branded as “Iran Intelligence Service” sits in the open. The pinned message in one observed channel linked to an Arabic-language sister channel; the visible content alternates between operational propaganda (“Sound of explosions in Kuwait… To cooperate with us contact:”) and recruitment ads in English and Hebrew. The bilingual targeting is deliberate: it widens the funnel to two distinct vulnerable populations — disenchanted Jewish/Israeli readers and English-speaking petty criminals.

Stage 2 — Automated bot triage. The “Iranian robot” handles initial qualification at scale. It asks abilities, location, age, and nationality before any human handler engages. This is the same architecture you’d find behind a Telegram crypto airdrop bot or a customer-service chat — the operational lift is trivial, but it lets a small handler team triage thousands of cold contacts and avoid burning any human controller until the prospect has self-qualified.

Stage 3 — Low-stakes task as the foot-in-the-door. Burning a printed photo on a public street is, on its face, almost trivial — vandalism, not terrorism. Jonathan Hall KC, the UK’s independent reviewer of state threats legislation, described the task as fitting “straight from that sort of recruitment playbook” — the individual is being asked to do something fairly minor and trivial, but presumably once they’ve done that and proved themselves, this is just the beginning. The cryptocurrency payment, however small, accomplishes two things: it documents the recruit’s willingness to commit a crime for foreign money, and it creates a leverage point for escalation.

Stage 4 — Escalation to surveillance, then arson. Confirmed tasks across the wider campaign include filming targets, following named individuals, gathering intelligence, and — at the top of the ladder — vandalism and arson. Payments scale roughly from £500 for basic filming to thousands for serious operations. By the time the recruit is being asked to torch a synagogue, they have already crossed a line they cannot uncross.

Stage 5 — Disposability. The recruits are not assets in any traditional intelligence sense — they are single-use proxies. Met Police Deputy Commissioner Matt Jukes warned that proxies acting on Iran’s behalf are easily expendable and will be dropped by their handlers as soon as police get involved: “It’s a mug’s game. You’re going to prison if you do that. We are going to catch you because London, this fantastic city, is on the lookout for you.”

What was actually attacked in London

The recruitment story does not exist in a vacuum. UK Counter Terrorism Policing is currently investigating a string of incidents in north-west London that together prompted the “unprecedented” framing:

  • March 23 — Golders Green: Four ambulances belonging to a Jewish volunteer charity were torched.
  • April 15 — Finchley: Attempted arson at a synagogue around 00:10.
  • April 15 — north-west London: Attempted arson at the offices of a Persian-language media organization (one previously and repeatedly targeted by suspected Iranian operations).
  • April 17 — Hendon: Suspected arson targeting a premises linked to a Jewish charity.
  • April 18 — Harrow: Suspected arson targeting a synagogue.
  • April 19 — Finchley: Further incident outside a residential premises opposite a synagogue.

A previously unknown group calling itself Harakat Ashab al-Yamin al-Islamiya (Islamic Movement of the Companions of the Right) has claimed responsibility for most of the incidents. The same group has also claimed synagogue attacks in Belgium and the Netherlands; Israel’s government has described it as a recently founded group with suspected links to “an Iranian proxy”. UK security experts are openly skeptical the group has any genuine organizational existence — it functions as a flag of convenience that enables plausible deniability.

The Counter Terrorism Policing public statement itself is the source of the line that has been quoted everywhere this week: “We are now dealing with an unprecedented level of national security investigations with suspected links to foreign states, many of those with dangerous and often reckless intentions.”

The Russian template

The Iranian operation is not novel. It is a near-direct copy of the Wagner Group’s recruitment model that has been running in Europe since the full-scale invasion of Ukraine in 2022. The lineage is worth tracing because it tells defenders exactly what to expect next.

The reference case is Dylan Earl, a 21-year-old British petty criminal. UK authorities established that Earl was recruited via Wagner-linked Telegram channels in 2024, then went on to recruit four other young men, and together they set fire to a London warehouse connected to a Ukrainian company. Earl received a 17-year sentence under the National Security Act 2023 — the first major conviction for assisting a foreign intelligence service under the new legislation. The same playbook is now visible in:

  • Poland (February 2025): Two Russian nationals received five-and-a-half-year sentences for distributing Wagner Group recruitment stickers and conducting reconnaissance across the country, with handlers transferring at least $24,000 for intelligence-gathering and influence trips to Paris and Berlin.
  • Estonia, Latvia, Germany, Austria: OCCRP’s “Make a Molotov Cocktail” investigation (September 2024) documented the “Privet Bot” — a Russian-operated Telegram bot advertised to the 550,000-subscriber pro-Wagner Grey Zone channel, which after only a brief exchange began encouraging an undercover reporter to commit arson in Estonia.
  • EU-wide: GLOBSEC has identified at least 110 kinetic incidents linked to Russia since 2022, mostly in Poland and France, with at least 35 of 131 identified perpetrators having criminal pasts and recruited via Telegram or through prison and organized crime networks.

The strategic logic is the same on both sides. As MI5 Director General Sir Ken McCallum has stated, both Russian and Iranian state actors make extensive use of criminals as proxies — from international drug traffickers to low-level crooks. The reason is structural: Western counter-intelligence services have spent the past decade publicly identifying and expelling state intelligence officers operating under diplomatic cover. The tempo of Russia’s hybrid operations accelerated specifically after the expulsion of over 600 Russian operatives from Europe since 2018; deprived of officers under diplomatic cover, Moscow pivoted to Europe’s underworld and outsourced sabotage to “single-use” civilian agents. Iran, facing an analogous expulsion problem, is doing the same thing.

Why this matters beyond the geopolitics

For defenders — corporate security, executive protection, faith-community security teams, OSINT analysts, and platform trust-and-safety functions — there are several concrete takeaways here that go beyond the news cycle.

The attack surface has moved to your phone. The recruiter is not running an HVT cover identity in your country. The recruiter is a Telegram bot. The compromise vector is identical to a low-grade scam: a sketchy ad, a chatbot funnel, an offer of crypto for a small “test” task. Anyone in your organization who is financially distressed, ideologically aligned with a foreign actor, or simply curious can be onboarded in under an hour. Insider-threat programs that screen for traditional espionage indicators will miss this entirely.

Crypto payment rails are core infrastructure for the operation, not a side detail. The use of cryptocurrency is not incidental — it is what allows the funnel to scale across borders without correspondent banking exposure. Any institution running a serious threat-intelligence program should be tracking the payment side as aggressively as the messaging side. Wallet clustering, on-chain attribution, and exchange-level transaction monitoring become counter-intelligence tools.

Public Telegram channels are an OSINT goldmine — and a TI blind spot for most. The channels are openly accessible. The recruitment ads are in English. The bots can be engaged with by any researcher willing to navigate the legal and ethical questions involved (and authorities, including LBC’s reporters, have shown what responsible engagement looks like). Telegram-focused OSINT toolchains — TGStat, telemetry.io, channel-graph mapping — should already be in the kit of any analyst who covers state-sponsored threats.

Attribution will remain ambiguous on purpose. The “Harakat Ashab al-Yamin al-Islamia” naming is the giveaway. The International Centre for Counter-Terrorism’s analysis found no references to the group, online or offline, prior to 9 March, with its first post circulating in a Telegram channel seemingly affiliated with Iraqi pro-Iranian militias — raising the question whether the group is genuine or merely a façade for Iranian hybrid operations that enable plausible deniability. Expect more “groups” of this shape — front names whose only function is to claim attacks and muddy attribution while the real operational pipeline runs through Telegram bots and crypto wallets.

The legal frame is finally catching up. The UK’s National Security Act 2023 — under which Dylan Earl was sentenced and under which the two suspects accused of conducting Iran-directed surveillance on Jewish and Israeli sites in London now await trial at the Central Criminal Court — was designed precisely for this category of offense. The Belgian, Dutch, Polish, and German equivalents are at varying stages of maturity. Expect prosecution under “engaging in conduct likely to assist a foreign intelligence service” to become a much more frequent charge across Europe in 2026.

What to watch next

Three indicators worth tracking on a rolling basis:

  1. Attribution on the Golders Green and synagogue arson cases. Two men, aged 45 and 47, have been arrested and bailed in connection with the ambulance attack. The question for the public record is whether prosecutors can establish the Telegram-and-crypto recruitment chain in court — that would be the definitive evidentiary mapping of the operation.

  2. Cross-border replication of the front-group naming convention. “Harakat Ashab al-Yamin al-Islamia” surfacing in Belgium and the Netherlands as well as the UK suggests the operational design is centralized. Watch for the same name (or a sibling) appearing in Germany, France, or the United States.

  3. Telegram’s response. Pavel Durov’s arrest in France in 2024, and Telegram’s subsequent commitments to platform governance, set up an unresolved tension. Channels openly branded as “Iran Intelligence Service” still being live in late April 2026 is, on its own, a notable platform-governance fact.

Sources and further reading

  • LBC, “Sabotage-for-hire: ‘Iranian agent’ offers to pay undercover LBC reporter for criminal acts on London’s streets” (April 25, 2026)
  • The Sunday Times (cited via GB News, March 26, 2026): “British teenagers ‘recruited by Iranian agents’ via social media to ‘spy on UK’”
  • Metropolitan Police Counter Terrorism Policing, official update on north-west London arson investigations (April 2026)
  • UK Government, Security Minister statement on antisemitic attacks (April 2026)
  • International Centre for Counter-Terrorism (ICCT): “Hybrid Threat Signals: Assessing Possible Iranian Involvement in Recent Attacks in Europe” (March 23, 2026)
  • OCCRP: “‘Make a Molotov Cocktail’: How Europeans Are Recruited Through Telegram to Commit Sabotage, Arson, and Murder” (September 2024)
  • GLOBSEC: “Russia’s Crime-Terror Nexus: Criminality as a Tool of Hybrid Warfare in Europe”
  • TorchStone Global: “Hybrid Warfare/Criminal Nexus”
  • Lawfare: “The Legal Counteroffensive to Russia’s Hybrid War”
  • NPR / CBS News reporting on the London arson investigations (April 2026)
  • Jerusalem Post: “Iranian intelligence service attempts to recruit London-based journalist” (April 26, 2026)
  • Iran International: “UK’s LBC finds alleged Iran-linked channel hiring Britons for sabotage” (April 2026)
  • Moscow Times / Financial Times: “Russia Uses Ex-Wagner Operatives to Recruit ‘Disposable’ Saboteurs in Europe” (February 2026)

Breached.Company covers state-sponsored cyber and hybrid threats, breach disclosures, and signals intelligence for the security community. For threat intelligence retainers and vCISO consulting, CISO Marketplace connects you with vetted advisors.