Denis Korkodinov: Death from a Traffic Camera
On the morning of February 28, 2026, the government building complex on Pasteur Street in Tehran was destroyed by precision-guided munitions. Along with the building, Iran’s Supreme Leader Ali Khamenei and virtually the entire top military-political leadership of the country perished. Minutes before the strike, mobile communication systems within a two-kilometer radius of the target stopped accepting incoming calls, and traffic cameras on the approaches to the complex captured the final images of the convoy’s entrance.
Tehran’s traffic video surveillance system became the first and most significant channel of penetration. Israeli intelligence had gained access to nearly all cameras installed in the Iranian capital several years before the operation. Video streams from these devices were encrypted and transmitted to servers located in Tel Aviv and southern Israel, where they were continuously processed by machine learning algorithms developed by specialists from the Unit 8200 signals intelligence division. A camera installed at an intersection adjacent to the government complex on Pasteur Street was of critical importance. Its viewing angle made it possible to record the parking locations of official vehicles accompanying the convoys of high-ranking officials arriving for meetings with the Supreme Leader. Based on this data, analysts from Israeli military intelligence (AMAN) compiled detailed dossiers on security personnel, including information about their places of residence, working hours, travel routes around the city, and the individuals they guarded and transported.
The use of machine vision technologies made it possible to automate the surveillance process and reconstruct the complete guard rotation schedule without the need for constant operative presence on the ground. Instead of exposing agents to direct risk, algorithms analyzed secondary details, such as the travel routes of guards’ personal vehicles during off-duty hours, which allowed for highly accurate prediction of the target’s presence in a specific room within the complex at a specific time.
The equipment forming the backbone of Tehran’s video surveillance system was purchased from Chinese manufacturers Hikvision and Dahua through complex chains of shell companies in the UAE and Turkey, circumventing sanctions restrictions. The unified Tehran traffic control center, based in the Shemiran district, used controllers with standardized firmware that had vulnerabilities in their authentication protocols. These vulnerabilities allowed for the injection of code that redirected data streams to external servers without immediate detection.
Iranian engineers from the telecommunications company Irancell had recorded anomalies in network traffic as early as 2024; however, these incidents were attributed to software glitches caused by external factors, particularly sandstorms. The problem was compounded by the fact that a significant portion of the equipment did not use original firmware but rather modified versions created by local contractors, which expanded the attack surface.
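The failure described above is a detection failure: video traffic leaving the camera network for an unexpected destination was visible in the flow data but was filed as an environmental glitch. The following is an added illustration, not code from the article, of the check a traffic control centre could run over its own flow records. The camera subnet, the allow-listed recorder address and every sample flow are constructed for this example.

```python
"""Egress check for a camera network (added illustration, not from the article).

Operates on constructed flow records of the kind a NetFlow/IPFIX collector at a
traffic control centre would emit. The camera subnet, the allow-listed recorder
and all sample flows below are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

CAMERA_NET = ipaddress.ip_network("10.40.0.0/16")       # assumed camera VLAN
ALLOWED_SINKS = {ipaddress.ip_address("10.50.1.10")}     # assumed recorder / control-centre collector
RATE_THRESHOLD = 5_000_000                               # bytes per minute: a sustained video stream, not a heartbeat


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst over the flow
    minutes: int     # flow duration in minutes


def suspicious_egress(flows):
    """Return {camera_ip: bytes} for cameras pushing a sustained stream anywhere
    other than the allow-listed recorder.

    A camera's only legitimate bulk consumer is the recorder. Any other
    destination receiving video-sized traffic deserves a ticket, whether it is
    an internal host or an address on the public internet.
    """
    flagged = defaultdict(int)
    for f in flows:
        src = ipaddress.ip_address(f.src)
        dst = ipaddress.ip_address(f.dst)
        if src not in CAMERA_NET or dst in ALLOWED_SINKS:
            continue
        rate = f.bytes_out / max(f.minutes, 1)
        if rate >= RATE_THRESHOLD:
            flagged[f.src] += f.bytes_out
    return dict(flagged)


# Constructed sample: one day of flows. 203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges, used here as stand-ins for external addresses.
SAMPLE_FLOWS = [
    Flow("10.40.3.21", "10.50.1.10", 554, 9_000_000_000, 1440),   # normal RTSP to the recorder
    Flow("10.40.3.21", "203.0.113.7", 443, 8_640_000_000, 1440),  # a second full-rate copy leaving on 443
    Flow("10.40.3.22", "192.0.2.5", 123, 48_000, 1440),           # NTP-sized chatter, not a stream
    Flow("10.60.1.5", "203.0.113.7", 443, 8_640_000_000, 1440),   # not a camera; out of scope for this check
    Flow("10.40.3.23", "203.0.113.9", 8443, 120_000_000, 10),     # short but full-rate burst
]

if __name__ == "__main__":
    for cam, total in suspicious_egress(SAMPLE_FLOWS).items():
        print(f"{cam}: {total} bytes to non-recorder destinations")
```

The indicator is not the destination alone but the combination of a camera source, a non-recorder sink and a video-sized sustained rate; a device that should only speak RTSP to one recorder has no reason to hold a full-rate encrypted session on port 443 for a day. Running a check like this against a per-camera baseline turns the kind of anomaly that was logged and dismissed into an alert that has to be closed with an explanation.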
Concurrently with the collection of visual information, Israeli cyber units worked on disrupting the functioning of mobile communication networks in the immediate vicinity of the target. Unit 8200 operators carried out targeted attacks on the switching equipment serving approximately 10-12 cell towers in the Pasteur Street area. Instead of completely jamming the signal, which would have been immediately detected by monitoring systems, they employed a technique of selective data packet dropping. Algorithms simulated line congestion or temporary connection degradation specifically for incoming calls addressed to certain individuals among the Supreme Leader’s security detail and the operational duty officers of the Islamic Revolutionary Guard Corps (IRGC).
The attack exploited vulnerabilities in the SS7 protocol, which is still used in Iran’s roaming agreements with neighboring countries and remains poorly protected against interception and traffic modification.
Minutes before the strike, when Tehran’s regional allies attempted to urgently contact the complex to warn of unusual activity by the Israeli Air Force, the calls were not completed, appearing in the systems as a technical failure. This created a temporary window of approximately 45 minutes during which the security detail did not receive a critical warning.
The server infrastructure used for storing and processing the collected data was a hybrid system. The main capacities were deployed within Israel, but some processing algorithms ran on virtual servers rented through shell companies from providers in third countries, complicating the identification of the cyber-intelligence source.
The vast majority of servers containing critically important information, including movement logs of top officials and security schedules, were physically located within Iran. However, their maintenance was carried out by companies affiliated with Russian and Indian contractors. The Trusted Operating Root hardware modules in these servers had zero-day vulnerabilities in the implementation of their encryption algorithms, allowing the Israeli cyber unit to obtain copies of encryption keys.
Iran’s cybersecurity system, known under the code name Deif, is built on the principle of physically isolating critical networks from the global internet. However, this physical isolation was breached through the electricity supply chain.
The hacking of Siemens industrial controllers managing the server cooling system at a key data center based at Imam Hossein University allowed for the injection of malware that did not transmit data through traditional network channels but instead read the electromagnetic emissions from the processors. This technology, previously considered experimental, enabled data extraction even from completely isolated systems.
A separate episode of the operation relates to the exploitation of vulnerabilities arising from the Iranian authorities’ implementation of digital blackouts.
In January 2026, amidst protests, Iran imposed a complete internet shutdown that lasted over two weeks, affecting both mobile and wired networks. Paradoxically, these measures created additional vulnerabilities. During the shutdowns, Israeli servers remained the only stable channels receiving video streams from cameras, as the national data collection center was blinded by the internal isolation. Iranian state-backed hacker groups, such as Infy (also known as Prince of Persia), faced coordination difficulties during the blackout.
Furthermore, Infy ceased support for its command-and-control servers on January 8th, coinciding with the internet shutdown, and only resumed activity on January 26th when restrictions were eased. This confirms that Iran’s state cyber structures became dependent on global connectivity and could not function effectively under the very isolation they had created.
When internet access is restored after blackouts, new threats emerge. At the moment connectivity is re-established, there is a massive burst of accumulated data—logs, transactions, cloud service synchronizations, update queues. This creates an abnormally high load on systems, and attackers aware of the shutdown schedule can plan attacks for the moment of reconnection, capitalizing on the confusion and vulnerabilities in outdated software that hasn’t been updated.
Analysis of Iranian cases shows that the complete seven-day communication shutdown in November 2019 created a predictable environment, and companies switched to siege mode, employing offline procedures. However, the curfews introduced in 2022–2023, involving cyclical 12-hour mobile internet shutdowns, created multiple and recurring windows of vulnerability during each transition between online and offline modes.
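The reconnection burst described above is a scheduling problem as much as a capacity one: if every host releases its backlog the instant the link returns, the moment of reconnection is both the peak load and the window in which unpatched software is exposed. The following is an added illustration, not code from the article, of a backlog drain that rate-limits the release and lets security updates go first. The job kinds, the priority order and the sample backlog are assumptions made for this example.

```python
"""Controlled drain of a post-blackout backlog (added illustration, not from the article).

Queued work accumulated during an outage is released at a fixed rate, highest
priority first, so the reconnect minute is not a single spike and patching
finishes before sync services are exposed. The job kinds, priority policy and
sample backlog are assumptions constructed for this example.
"""
import heapq
from dataclasses import dataclass, field

# Lower number = released earlier after reconnection (assumed policy).
PRIORITY = {"security_update": 0, "auth_log_ship": 1, "cloud_sync": 2, "telemetry": 3}


@dataclass(order=True)
class Job:
    priority: int
    host: str = field(compare=False)
    kind: str = field(compare=False)


def schedule_backlog(backlog, per_second):
    """Release at most `per_second` jobs per second, highest priority first.

    backlog: iterable of (host, kind). Returns a list of (second, host, kind).
    """
    heap = [Job(PRIORITY[kind], host, kind) for host, kind in backlog]
    heapq.heapify(heap)
    timeline = []
    second = 0
    while heap:
        for _ in range(per_second):
            if not heap:
                break
            job = heapq.heappop(heap)
            timeline.append((second, job.host, job.kind))
        second += 1
    return timeline


def peak_per_second(timeline):
    """Largest number of jobs released in any single second."""
    counts = {}
    for second, _, _ in timeline:
        counts[second] = counts.get(second, 0) + 1
    return max(counts.values(), default=0)


def all_before(timeline, earlier_kind, later_kind):
    """True if every `earlier_kind` job starts no later than the first `later_kind` job."""
    later_starts = [s for s, _, k in timeline if k == later_kind]
    if not later_starts:
        return True
    first_later = min(later_starts)
    return all(s <= first_later for s, _, k in timeline if k == earlier_kind)


# Constructed backlog: what a handful of hosts might have queued during a shutdown.
BACKLOG = [
    ("cam-gw-01", "telemetry"),
    ("srv-02", "security_update"),
    ("srv-01", "cloud_sync"),
    ("srv-02", "cloud_sync"),
    ("srv-01", "security_update"),
    ("idp-01", "auth_log_ship"),
]

if __name__ == "__main__":
    for second, host, kind in schedule_backlog(BACKLOG, per_second=2):
        print(f"t+{second}s  {host:10s} {kind}")
```

The rate is a policy knob, not a fixed constant: the right value is whatever the upstream link and the patch mirror can absorb without the queue backing up, and it should be lower for the first minutes after reconnection than in steady state. Keeping log shipping ahead of cloud sync also means the records of what happened during the outage reach the collector before services that an attacker timing the reconnection would probe.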
Coordination between Israeli and US intelligence agencies entered its final stage days before the strike. The CIA had a source within the Iranian leadership who, while not knowing the details of the timing and technology of the strike, was able to confirm the fact that a key meeting of the top military-political leadership was taking place on the morning of February 28th at the government complex on Pasteur Street. This information allowed for adjusting the attack time, which had originally been planned for the night hours. Combining data from the human source with the results of video stream analysis obtained by the Israeli side made it possible to assert with a high degree of confidence that the Supreme Leader would be in that exact location at the time of the strike.
Israel’s Unit 8200, responsible for signals intelligence, used the obtained data to create a dynamic model of the functioning of the perimeter security.
The disabling of mobile communication elements in the target area, carried out via a cyberattack days before the strike and maintained during the attack, deprived the security detail of the ability to receive an emergency warning about approaching aircraft and the commencement of the strike. This ensured tactical surprise, despite the relatively long flight time of the aircraft. The security system, built on physical isolation of the facility and access control, proved vulnerable to a threat emanating from the city’s own infrastructure, which was turned by the adversary into a tool for continuous surveillance.
Traffic cameras, intended to regulate traffic, became the eyes of the enemy. Cell towers, providing communication, were turned into instruments for blocking it. Servers holding state secrets became accessible for reading via electromagnetic emissions.
The international reaction to the events is just taking shape, but it is already clear that the incident will prompt a reassessment of approaches to critical infrastructure security in many countries. The vulnerabilities exploited against Iran are typical for nations that utilize commercial urban video surveillance and communication systems.
Author: Denis Korkodinov, CEO of the International Center for Political Analysis and Forecasting “DIIPETES”