Based on the intelligence assessments from multiple government agencies, Ravin Academy functions as a MOIS-directed recruitment and training front operating under commercial cover. Recent developments have provided concrete evidence supporting this characterization through the emergence of comprehensive internal records from the organization.
A comprehensive database containing complete registration records of Ravin Academy students has been obtained by me, revealing detailed personal information of individuals enrolled in the organization's training programs. This database constitutes a significant intelligence asset, as it documents the systematic development of personnel for potential recruitment into MOIS cyber operations. The individuals identified in these records represent human resources that Ravin Academy cultivates and directs toward state-sponsored cyber activities targeting Iranian citizens, regional adversaries, and international entities on behalf of the Iranian government.
The timing of this data exposure carries particular significance. The leak occurred mere days before Ravin Academy's annual Tech Olympics event, scheduled for October 27-30 at Pardis Park in Tehran. The irony is notable that an organization publicly marketing itself as a cyber security training institution and defense service provider proved unable to protect the personal information of its own students. This operational security failure undermines the company's public credentials while simultaneously exposing individuals who enrolled in what they may have believed were legitimate professional development programs.
This list, which has been provided to me in the form of an Excel file sheet, includes many items such as the ID assigned to each person in Ravin's internal systems, phone number, first and last name, and the classes that the person has attended. By searching for individuals in various databases, diverse information about them is extracted. In addition, searching first and last names on Google also provides significant connections of individuals and networks associated with them.
This list is currently available for public search through the following address:
According to the U.S. Treasury Department's official designation, the two founders (Farzin Karimi Mazlganchai and Seyed Mojtaba Mostafavi) were specifically directed by MOIS to establish the company for recruitment purposes. The Treasury assessment explicitly states that Ravin Academy trains individuals in cyber security and hacking, then recruits from among these trainees for the MOIS. This indicates deliberate design rather than opportunistic exploitation of an existing business. The leaked student database provides documentary evidence of this recruitment pipeline in action, offering researchers and intelligence analysts a comprehensive view of the talent pool being developed for Iranian state-sponsored cyber operations.
The organization maintains legitimate public operations with transparent incorporation records, a physical office address in Tehran, a public website, and advertised training courses in cyber security. This public-facing business model provides MOIS with several strategic advantages including plausible deniability through the legitimate business structure, extended talent assessment opportunities during training periods, and cover for skills development that would otherwise appear suspicious. Students enroll believing they are receiving professional cyber security training, which they genuinely do receive, while the organization simultaneously identifies talented individuals and channels them into state-sponsored cyber operations.
The intelligence reporting reveals operational integration between the training environment and active intelligence operations. The PwC analysis documented temporal correlations between Ravin Academy training materials on specific vulnerabilities and subsequent exploitation of those same vulnerabilities by MuddyWater operations. This suggests the organization functions not merely as a recruitment vehicle but as an integrated component of MOIS cyber operations infrastructure. Individuals who excel in Ravin Academy's training programs are transferred directly into MOIS cyber campaigns where they conduct operations against a diverse array of targets including foreign governments, international organizations, Iranian allies, and domestic targets within Iran itself as part of MOIS's mandate to monitor and control Iranian citizens and suppress regime dissidents.
Mojtaba Mostafavi, who serves as the company's chief executive officer, has been identified by intelligence agencies as an active MOIS operative. Both Mostafavi personally and Ravin Academy as an entity are currently designated under sanctions by the U.S. Department of Treasury, reflecting official recognition of their role in supporting Iranian intelligence operations.
The model allows MOIS to outsource initial recruitment and vetting while maintaining operational control through the founders' direct relationship with the intelligence service. This dual-purpose structure enables MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government attribution. The emergence of comprehensive student records demonstrates both the scale of this recruitment operation and the vulnerability of individuals who associate with the organization, as their personal information is now documented and accessible to the international intelligence community, human rights researchers and cyber security community.
The exposure of this database serves multiple purposes for transparency and accountability. It documents individuals who have chosen to receive training from an entity designated by multiple governments for supporting intelligence operations. It provides human rights organizations and journalists with concrete evidence of MOIS recruitment mechanisms. It demonstrates to potential future students the operational security risks associated with enrolling in programs at designated entities. Most significantly, it creates a permanent record that links specific individuals to an organization that has been conclusively tied to state-sponsored cyber operations targeting critical infrastructure, government networks, and human rights defenders across multiple continents.