Iran Today

The Anatomy of a Mirage

The Report

In January 2026, a report appeared on Cybershafarat.com — the blog of a boutique cyber-intelligence firm called Treadstone 71. Its title was dramatic: “The Anatomy of a Mirage.” Its conclusion was explosive: ninety percent of Reza Pahlavi’s online engagement was “inorganic” — orchestrated by the Islamic Republic’s own cyber-armies to create a “controlled opposition” figure who would serve the regime’s interests.

If true, this would be one of the largest state-run disinformation operations ever documented — a 356,000-account botnet operated by the IRGC to manufacture the appearance of a popular opposition leader. The discovery of a network at that scale would typically dominate the cybersecurity news cycle for weeks. CrowdStrike, Mandiant, and Recorded Future — the firms that track state-sponsored cyber operations — would publish analyses. The story would reach the front pages of the Washington Post and the Financial Times.

None of that happened. The report was picked up immediately and exclusively by Iran Focus, Iran News Update, NCRI-US, and Iran Probe — all MEK-affiliated outlets. It was presented as “breaking news” from an “independent US intelligence firm.” Mainstream cybersecurity vendors did not touch it. Independent Iran analysts did not cite it. The silence from the people whose job it is to identify state botnets was, itself, the most informative data point in the entire affair.

Within weeks, NCRI lobbyists in Washington and Europe were citing the report as “proof” that the Pahlavi movement was a regime construct — using it to dissuade Congress members from supporting the “Solidarity” coalition that had been gaining traction among Iranian opposition groups.[1]

The technique at work is intelligence laundering — a process in which partisan claims are published through a seemingly neutral source, amplified through aligned media, and cited by political operatives as independent verification. Recognizing the pattern is the first defense against it. The technical claims are the second.


The Metronome

The report’s most dramatic claim was the “Metronome Heartbeat” — an allegation that 356,000 pro-Pahlavi accounts were created or posted at precise sixty-second intervals. The precision, Treadstone argued, could only result from automated state scripts. No human network could maintain such clockwork regularity.

The claim sounds devastating. It collapses under the most basic familiarity with how social media platforms and data collection tools actually work.

The sixty-second interval is a common artifact of API rate limits. Social media scraping tools and third-party scheduling applications batch-process actions in sixty-second windows because the platforms’ own programming interfaces impose that timing. Buffer, Hootsuite, and dozens of similar scheduling tools queue posts at standardized intervals. The “metronome” is not evidence of a state botnet. It is evidence of scheduling software used by ordinary people.

The paradox is precise and damning: a sophisticated state botnet — the kind operated by the IRGC or Russian intelligence — would employ “jitter” — randomized delays between actions specifically designed to evade the kind of pattern detection Treadstone claims to have performed. Perfect periodicity is the signature of low-sophistication scheduling tools, not high-sophistication state operations. The “Metronome Heartbeat” is paradoxically less likely to be a state operation and more likely to be grassroots activists using the same scheduling apps available to anyone with an internet connection.

Any cybersecurity professional reviewing the methodology would have flagged this immediately. The mainstream firms’ silence is not an oversight — it is a professional assessment.
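The batching artifact described above can be reproduced in a few lines. This is an added example, not code from the report or from this article's author: the post times are constructed random data, and `collect_in_batches` is a hypothetical collector that stamps each record with its sixty-second poll time.

```python
import random

WINDOW = 60  # seconds: the batch window discussed above

def organic_posts(n, span_seconds, seed=7):
    """Constructed sample: n posts at uniformly random times, no schedule."""
    rng = random.Random(seed)
    return sorted(rng.uniform(0, span_seconds) for _ in range(n))

def collect_in_batches(true_times, window=WINDOW):
    """Hypothetical collector: polls once per window and stamps every record
    it finds with the poll time instead of the true post time."""
    return [(int(t // window) + 1) * window for t in true_times]

def periodicity_score(times, period=WINDOW, tol=0.5):
    """Fraction of gaps between consecutive events that fall within
    `tol` seconds of a multiple of `period`."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    hits = sum(1 for g in gaps if min(g % period, period - g % period) <= tol)
    return hits / len(gaps)

def distinct_phases(times, period=WINDOW):
    """How many different second-within-window offsets the timestamps use."""
    return len({int(t % period) for t in times})

def timing_is_uninformative(times, period=WINDOW):
    """True when every timestamp sits on the same offset: the data has been
    quantized, so its regularity cannot be attributed to the posters."""
    return distinct_phases(times, period) == 1

if __name__ == "__main__":
    true_times = organic_posts(2000, 24 * 3600)
    observed = collect_in_batches(true_times)
    for label, ts in (("true post times", true_times), ("as collected", observed)):
        print(f"{label:16} periodicity={periodicity_score(ts):.2f} "
              f"phases={distinct_phases(ts)} "
              f"uninformative={timing_is_uninformative(ts)}")
```

The same unscheduled posts look perfectly periodic once the collector has stamped them, which is why a reviewer checks timestamp resolution before reading anything into a sixty-second rhythm.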


The White SIMs

The second claim — “LocationGate” — traced IP addresses of pro-Pahlavi accounts back to Tehran and linked them to “White SIMs.” These are real: privileged SIM cards issued by the regime that bypass Iran’s national firewall, giving holders unrestricted internet access. Treadstone’s logic was syllogistic: only regime insiders have White SIMs; these accounts were posted through White SIMs; therefore, these accounts are operated by regime insiders.

The correlation between White SIMs and regime affiliation is real — but correlation is not identity. The analytical question is about base rates: what percentage of White SIM holders are intelligence operatives versus professionals who simply received privileged access? Treadstone treats the answer as one hundred percent. The evidence says otherwise.

After the November 2025 internet restrictions — when the regime tightened access during the uprising — White SIM distribution expanded significantly beyond intelligence operatives. Journalists, doctors, tech workers, and government bureaucrats across multiple ministries received them.[2] The holders are not exclusively IRGC agents. Many are upper-middle-class professionals — the demographic most ideologically aligned with Western liberalism and, in many cases, with the Pahlavi-era memory of a secular Iran.

The alternative explanation is simpler and more consistent with the evidence: educated professionals with privileged internet access use that access to browse opposition content and express political opinions the regime would punish. This is not a false-flag operation. It is elite defection — a sign of internal rot within the regime’s own class structure, visible precisely because White SIMs make uncensored browsing possible.

The deeper technical problem is one of access. Distinguishing White SIM traffic from traffic routed through commercial VPNs — which eighty percent of Iranians use — requires ISP-level data. That means either cooperation from Iran’s state telecommunications infrastructure or illegal access to network routing tables. A boutique intelligence firm operating from outside Iran is, as the report’s own methodology implicitly admits, “unlikely to possess legally or technically” the data required to make the attribution it claims.


The Contamination

The third claim — “Extremist Contamination” — identified a subset of pro-Pahlavi accounts using fascist imagery, including swastikas and profiles labeled “Barcode” accounts. Pahlavi’s failure to explicitly and individually disavow these accounts constituted, in Treadstone’s framing, “strategic consent” — proof that the movement tolerated or endorsed extremism.

The technique here is guilt by association — attributing the views of a fringe subset to an entire movement based on the absence of a specific disavowal. By this standard, any political movement in any country could be discredited by identifying its most extreme self-identified supporters and demanding individual denunciation. The standard is designed to be impossible to meet — which is its purpose.

Every large online political movement contains a fringe. The question is proportion and centrality. GAMAAN data — the most reliable polling from inside Iran — shows Pahlavi’s support at thirty-one to forty percent of the population, concentrated among the working class and provinces outside Tehran.[3] The presence of a small number of extremist accounts within a movement supported by millions of people is a statistical inevitability, not evidence of “strategic consent.”


The Amplification

The claims matter less than the path they traveled. The amplification pattern is the forensic evidence of intent.

Step one: Origin. The report was published on Cybershafarat.com — Treadstone 71’s own blog. Not at a peer-reviewed security conference. Not through a major cybersecurity vendor’s threat intelligence platform. Not in an academic journal. On a blog controlled by the firm that wrote it.

Step two: Amplification. Within hours, the report was presented as “breaking news” by Iran Focus, Iran News Update, NCRI-US, and Iran Probe. All are MEK-affiliated outlets. The framing: an “independent US intelligence firm” had exposed the regime’s manufacture of the Pahlavi movement.

Step three: Silence. CrowdStrike, Mandiant, Recorded Future, Microsoft, and every other firm that tracks state-sponsored cyber operations said nothing. No independent Iran analyst cited the report. No academic institution reviewed its methodology. In a field where a genuine 356,000-account state botnet would generate weeks of analysis, the total response from the professional community was silence.

Step four: Policy weaponization. NCRI lobbyists cited the report in meetings with Western policymakers as evidence that the Pahlavi movement was a regime creation — and that backing the “Solidarity” coalition of opposition groups would mean supporting a construct of Iranian intelligence.

The Laundering Chain

| Step | Action | Venue |
| --- | --- | --- |
| 1. Origin | Published as “forensic audit” | Cybershafarat.com (Treadstone’s own blog) |
| 2. Amplification | Repackaged as “breaking news” | Iran Focus, Iran News Update, NCRI-US, Iran Probe |
| 3. Professional silence | Zero validation | CrowdStrike, Mandiant, Recorded Future |
| 4. Weaponization | Cited as “proof” in policy meetings | NCRI lobbyists in Washington and European capitals |

The circular citation pattern completes the laundering. A niche blog publishes the report. A MEK outlet cites it as “breaking news.” A paid speaker references it at a rally as “verified intelligence.” A press release quotes the speaker. A Western journalist, encountering the claim from multiple apparently independent sources, treats it as established fact. The partisan origin has been stripped away — the information has been laundered.
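One way an analyst can test for the circular citation pattern is to trace every source back to the original reporting it rests on and count those origins instead of counting headlines. This is an added example, not part of the original article: the graph is constructed from the chain described above, and `independent_study` is a hypothetical node included only for contrast.

```python
# Constructed citation graph: each source maps to the sources it relies on.
# An empty list means the source is original reporting.
CITES = {
    "cybershafarat_blog": [],
    "mek_outlet": ["cybershafarat_blog"],
    "rally_speaker": ["mek_outlet"],
    "press_release": ["rally_speaker"],
    "second_outlet": ["cybershafarat_blog", "press_release"],
    "independent_study": [],  # hypothetical, not something the article reports
}

def origins(source, cites):
    """Walk the citation chain and return the primary origins behind a source."""
    stack, seen, roots = [source], set(), set()
    while stack:
        node = stack.pop()
        if node in seen:          # already visited: also breaks citation loops
            continue
        seen.add(node)
        parents = cites.get(node, [])
        if parents:
            stack.extend(parents)
        else:
            roots.add(node)
    return roots

def corroboration(sources, cites):
    """Return (origins per source, distinct origins across all sources)."""
    per_source = {s: origins(s, cites) for s in sources}
    return per_source, set().union(*per_source.values())

if __name__ == "__main__":
    seen_by_journalist = ["mek_outlet", "rally_speaker",
                          "press_release", "second_outlet"]
    per_source, distinct = corroboration(seen_by_journalist, CITES)
    print(f"{len(seen_by_journalist)} sources, "
          f"{len(distinct)} independent origin(s): {sorted(distinct)}")
```

Four apparently separate sources collapse to one origin, so they provide one piece of evidence, not four.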


The Authors

Treadstone 71’s principal, Jeff Bardin, has a background in military intelligence and transitioned into the commercial OSINT space. Co-author or associated analyst Dancho Danchev has a history of legitimate malware analysis and prolific cybersecurity blogging. Their general work includes reports on Russian banks and other non-Iran topics.

The pattern appears in the selection. While Treadstone produces reports across multiple domains, its Iran-specific work is exclusively aligned with NCRI positions. Previous Iran-focused reports targeted the “Ashiyane” hacking group — a long-time MEK target — suggesting a sustained client relationship. The rhetorical style of the “Anatomy of a Mirage” uses terms like “strategic consent,” “symbiotic relationship,” and “regime-manufactured” — the language of political opposition research, not forensic attribution.

The Kaveh Afrasiabi precedent completes the immunization. Afrasiabi — a political scientist paid $265,000 by Iran’s UN mission over thirteen years to pose as an independent analyst — was arrested in 2021.[4] He was a vociferous critic of the MEK. The MEK now cites his arrest as proof that anyone who criticizes them is likely a regime agent — a dangerous syllogism that effectively silences independent scrutiny. Questioning the Treadstone report’s methodology risks the same smear.


The Honest Ledger

The Iranian regime operates real cyber-armies. The Basij have been documented flooding social media to harass dissidents and spread disinformation. State-sponsored operations targeting opposition figures are a confirmed reality, not a conspiracy theory. The existence of regime cyber operations is not in question.

What is in question is whether a specific report, produced by a specific firm with a documented alignment to a specific political client, using methodology that would not survive peer review in the cybersecurity community, and amplified exclusively through that client’s media ecosystem, constitutes evidence — or whether it constitutes a commissioned product designed to achieve a political outcome.

The deeper corruption is institutional. Intelligence analysis depends on a chain of trust — a source publishes findings, peers review them, and policymakers act on validated conclusions. What the Treadstone report does is counterfeit that chain. It wears the uniform of intelligence analysis while serving as a commissioned political product. When a firm produces work designed to reach a predetermined conclusion for a paying client, it degrades the entire institution of intelligence assessment that democracies depend on. The MEK’s laundering operation treats the credibility of independent analysis the way a counterfeiter treats currency: each fake bill makes every real bill less trustworthy.

Consider how this works closer to home. Imagine a report appeared tomorrow claiming that ninety percent of the online support for a political candidate in your country was manufactured by a foreign government — and the only outlets covering it were run by that candidate’s direct political rival. Imagine the report was never peer-reviewed, never picked up by any mainstream cybersecurity firm, and was published on the author’s own blog. You would treat it as opposition research. The question is whether that same critical instinct applies when the target is an Iranian opposition leader most Western readers have never heard of.

The GAMAAN data provides the decisive counter-evidence. Thirty-one to forty percent of Iranians inside Iran — surveyed through encrypted channels that bypass censorship — express explicit support for Pahlavi.[5] The claim that ninety percent of his online engagement is fabricated requires that a movement supported by roughly thirty million people produces almost no organic digital activity. This is statistically impossible in a country where eighty percent of the population uses VPNs and where the slogans “Reza Shah, Bless Your Soul” echo through street protests recorded on video from hundreds of independent sources.

In January 2026, Iran International’s systematic video analysis settled the question empirically. Researchers coded 641 chant instances across 453 protest videos from 91 locations. Pro-Pahlavi slogans — “This is the final battle; Pahlavi will return,” “Javid Shah,” “Reza Shah, bless your soul” — constituted 31.8 percent of all chanting, converging precisely with GAMAAN’s polling. You cannot fabricate 453 videos from 91 cities. The support is real. The mirage is the report that says otherwise.

The mirage is not Pahlavi’s support. The mirage is the report that claims it doesn’t exist — a construction of laundered intelligence designed to fracture the only opposition coalition that threatens the status quo both machines depend on.



Footnotes

  1. Iran News Update (MEK-affiliated), “The Anatomy of a Mirage: Treadstone 71 Forensic Audit Exposes the Industrial-Scale Manufacturing of Reza Pahlavi’s Digital Support,” January 2026

  2. Filterwatch, “X Update Reveals Digital Authoritarianism in Iran: The ‘White SIM Card’ Scandal,” investigative report, November 2025

  3. GAMAAN, “Iranians’ Political Preferences in 2024: An Analytical Report on GAMAAN’s Survey Findings,” August 2025

  4. US Department of Justice, “Political Scientist Author Charged with Acting as an Unregistered Agent of the Iranian Government,” Press Release, January 2021

  5. GAMAAN, “Analytical Report on Iranians’ Political Preferences in 2024,” survey methodology using encrypted channels inside Iran, August 2025