The conflict involving Iran has produced the first known case in history of coordinated cyber operations conducted in parallel with a missile attack and a civilian alert system. As air raid sirens sounded across central Israel, citizens began receiving mass SMS messages containing both threats and disinformation. At the same time, messages impersonating official civil defense communications were distributed, encouraging people to install an application designed to help locate shelters.
According to Check Point Research, the “ShelFriend” application was in fact malicious Android software that enabled full control over the user’s device, including access to location, camera, files, and messages.
Events from recent hours show that the boundary between armed conflict and cyberspace has effectively disappeared. Experts point to this as the first documented case of coordinated cyber activity conducted simultaneously with a missile attack and a civilian alert system. This shift may have significant consequences not only for national security, but also for businesses and financial markets.
The events of the night of March 20 have already become a precedent in the history of warfare. That same night, the FBI shut down the website of the Handala group—a criminal hacking organization that relied heavily on public communication channels to amplify the psychological impact of its claimed operations.
“Shutting down Handala’s websites and channels strikes them where it hurts most. Their operations largely depend on publishing content to create a psychological effect, often exaggerating the scale of damage to amplify fear. Limiting their ability to broadcast undermines this effect,” said Gil Messing, Chief of Staff at Check Point Software.
At the same time, another operation was observed that experts say sets a new standard for hybrid warfare. At 6:55 a.m., precisely when sirens sounded in central Israel, mass SMS messages began reaching citizens. These included both threats and disinformation, such as the message: “Netanyahu is dead. Death is coming for you, and soon the gates of hell will open before you.” Simultaneously, messages posing as official civil defense alerts encouraged users to install a shelter-finding application.
The “ShelFriend” app, according to Check Point Research, was malicious Android software designed to fully compromise user devices, granting access to location data, camera, files, and communications.
A first in history: missiles, SMS, and malicious apps combined
What makes this incident particularly significant is not just the nature of the attack, but its synchronization. Analysts emphasize that this is the first known case of the simultaneous use of missile strikes, air raid sirens, mass SMS distribution, and mobile malware.
“This is the first instance of combining a physical attack—missile strikes and sirens—with a cyber offensive targeting citizens’ mobile phones. The fact that everything was synchronized down to the minute makes this operation unprecedented,” noted experts from Check Point.
The operation has been attributed to Iran and the Islamic Revolutionary Guard Corps (IRGC) and, according to analysts, was not an isolated incident. It was a coordinated campaign using multiple channels simultaneously, including legitimate communication infrastructure such as SMS systems and email.
Use of AI and psychological pressure
A key element of the operation was the use of artificial intelligence tools for translation and localization of messages, increasing both their credibility and speed of distribution. The attackers used language and formats resembling official communications, as well as visual elements designed to build trust. As a result, the campaign achieved wide reach and a strong psychological impact in a very short time.
Wojciech Głażewski, General Manager of Check Point Software Technologies in Poland, emphasized that for Poland this incident is a clear signal that modern conflicts combine military operations with immediate cyber activities targeting civilians. Securing state-to-citizen communication systems—such as emergency alert systems—becomes critical, as they may be exploited for disinformation. Governments should treat citizens’ smartphones as part of national security infrastructure, requiring both protection and user education. It is also essential to develop rapid response capabilities to counter information operations, particularly those using AI. In practice, this means integrating cyber defense, crisis response systems, and military operations into a single cohesive framework.
Implications for the economy and businesses
From an economic perspective, these events carry several important implications. First, operational risk is increasing for companies operating in regions affected by geopolitical tensions—especially those reliant on mobile and communication infrastructure.
Second, there is growing pressure to invest in cybersecurity, particularly in endpoint protection and crisis communication systems.
Third, these developments may influence the valuation of cybersecurity companies, which are becoming a critical component of modern infrastructure.
A new paradigm of conflict
Both the FBI’s actions against Handala and the synchronized operation in Israel point to a clear shift in how conflicts are conducted. Cyberspace is no longer merely a support tool for military operations—it has become an integral part of them.
For financial markets, this introduces a new category of risk: attacks that simultaneously affect physical infrastructure, digital systems, and public psychology. In practice, this may lead to increased volatility, higher security costs, and a redefinition of global risk management strategies.
