During his blindfolded, shackled and wheelchair-bound interrogation following his arrest in late September, Negin says he realized: blame him
“They told me, ‘You think you can get out of here alive? We will execute you. Your sentence is a death sentence. We have evidence, we are aware of everything,’” said Negin, whose name has been changed by CNN at his request, for his safety.
Negin, who says he has been accused by Iranian authorities of running an anti-regime activist group on Telegram (a charge he denies), said he has “some friends” who have been political prisoners. “They put in front of me the transcribed printouts of my phone conversations with those friends,” he said, and “asked me what my relationship was with those people.”
Negin believes Iranian agents hacked his Telegram account on July 12, when he realized a different IP address was accessing it. According to Negin, while he was in prison, Iranian authorities reactivated his Telegram account to see who tried to contact him and to identify the network of activists he was in contact with.
Negin was one of hundreds of protesters detained in the notoriously brutal Evin prison in northern Tehran, Iran, during the first few weeks of protests following Mahsa Amini’s death. Amini, 22, was arrested by Iran’s morality police for not wearing her hijab properly.
As protests spread across the country, much of the attention has focused on the Iranian government’s efforts to shut down the Internet. But behind the scenes, some worry that the government is using technology in a different way — access to mobile apps — to monitor and suppress dissent.
Human rights activists in Iran and abroad have warned for years about the Iranian regime’s ability to remotely access and manipulate protesters’ cellphones. Experts say tech companies may not be well-equipped to handle such incidents.
Amir Rashidi, director of digital rights and security at rights group Miaan Group, said the methods described by Negin fit the Iranian regime’s playbook.
“I have documented many of these cases myself,” he said. “They have access to anything beyond your imagination.”
CNN reached out to the Iranian government for comment on Negin’s allegations, but did not receive a response.
The Iranian government may have used similar hacking tactics to monitor the Telegram and Instagram accounts of Nika Shahkarami, a 16-year-old protester who died after protests in Tehran on September 20. Iranian authorities have always denied any connection to her death, but a previous CNN investigation found evidence that she was arrested shortly before she disappeared during the protests.
Iranian authorities have not yet responded to CNN’s repeated inquiries about Nika’s death.
At least one tech company, Meta, has now launched an internal investigation into Nika’s Instagram account after she disappeared, CNN has learned.
After Nika’s disappearance, her aunt and other protesters told CNN that her popular Instagram and Telegram accounts were disabled. A week later, her family learned that she had died. But the mystery of who deactivated her social media accounts remained.
On Oct. 12, two of Nika’s friends briefly spotted her Telegram account online, they told CNN. Nika’s Instagram account was also briefly restored on Oct. 28, more than a month after her disappearance and death, according to a screenshot obtained and verified by CNN.
As with Negin, the reactivation of Nika’s accounts raises questions about whether Iranian authorities are responsible for accessing her social media profiles to allegedly phish other protesters or compromise them after her death.
“Telegram is everything in Iran,” Rashidi explained. “It was more than just a messaging app before it was blocked, and yet they were able to maintain a presence in Iran just by adding a proxy option to the app.”
“If users don’t have access to something because of censorship, they still have access to Telegram,” he continued. “As a result, Telegram has a lot of user data, and that’s why the Iranian government has an interest in hacking Telegram.”
Experts say there are various ways the government can access a person’s accounts or their network of contacts. Negin, for example, said authorities “kept creating Telegram accounts using my SIM card to see who I was communicating with.” In other cases, authorities may try to compromise the two-factor authentication process, which is designed to provide greater security by sending an access code via text message or email.
“Usually what happens is they take the target phone number and then they send an access request to Telegram,” Rashidi told CNN. “If you don’t have 2-step verification, they’ll read your text message, read the passcode, and easily log into your account.”
That’s why some Iranian activists were delighted when Google introduced Google Authenticator to the country in 2016. This is a two-step verification process that adds a layer of security for mobile phone users.
Importantly, however, the Iranian regime doesn’t even need telecom companies to work with them, according to Rashidi. “The Iranian government manages the entire telecommunications infrastructure in Iran,” he said.
After Nika’s disappearance, Meta launched an investigation to find out if Nika disabled the account herself or if someone else was responsible. The investigation spanned nine days, from Oct. 6 to Oct. 14, according to a Meta source who spoke to CNN on condition of anonymity.
The conclusion: “While we cannot share specific details about Nika Shahkarami’s account for privacy and security reasons, we can confirm that Meta did not disable it in the first place,” a Meta spokesperson told CNN.
Meta also confirmed to CNN that Nika’s account was “briefly reactivated and held for less than 24 hours” on Oct. 27 “due to an internal process error, which we resolved by disabling the account again.” Meta told CNN it found the error after CNN reached out to investigate.
Meta also said that it received instructions from Nika’s family through one of the company’s trusted partners in Iran that they wanted Nika’s Instagram account to remain offline.
However, Iranian state media reports indicate that authorities accessed Nika’s Instagram account and direct messages, saying they had access to the judiciary.
Nika’s relative, who spoke on condition of anonymity for fear of repercussions, told CNN that Tehran’s prosecutor’s office has kept Nika’s phone since her death. “We went to the prosecutor’s office and found out that Nika’s phone is with Mr. Shahriari (prosecutor’s name). I saw with my own eyes that it is in their hands,” said the family member.
Meta’s investigation underscores both the seriousness of the case and the limitations that U.S. tech companies appear to have in addressing activist concerns about Iran’s handling of the accounts.
Mahsa Alimardani, a senior internet researcher at the freedom of expression organization Article 19, also raised concerns about Telegram. “We once asked them to reverse some edits that were made to a person’s account after their death and they were not helpful. They didn’t come back to us. They did not try to fix the problem. No support or help in this,” Alimardani said.
In response to CNN’s request for comment, Telegram spokesperson Remy Vaughn said: “We regularly process dozens of similar cases brought to us by activists from trusted organizations and disable access to compromised accounts. In all the cases we investigated, either the device was hijacked or the user inadvertently allowed such access by not setting a 2-step verification password or using a malicious Telegram impersonation app.”
“In authoritarian countries like Iran, the authorities can potentially intercept any SMS message,” Vaughn continued. “Therefore, it is important that users enable two-step verification, which requires an additional user-generated password when logging in, in addition to the SMS access code. It is also important that such users use official Telegram apps from trusted sources.”
“To protect the protesters, we blocked thousands of posts that tried to anonymize the protesters and could have reached hundreds of thousands if it weren’t for our intervention. We always actively monitor the publicly visible parts of our platform to detect such abuse,” he concluded.
“Tech companies need to work with civil society,” Rashidi said. “There are so many issues that they can work with us on to make sure that these platforms are safe, especially for those who are at risk.”