Interview #7 Cyber Toufan

Here we present an interview with Gabi, a member of the Cyber Toufan team. We contacted Gabi on Telegram and shared a list of questions, which we make available here in full. This team, active since October 2024, has published details of 13 operations it has conducted against Israeli targets on its website since late February 2025. The group has purely political motivations.

The Cyber Toufan team also publishes evidence of their attacks in a Telegram channel.

All Telegram links to this team’s channels can be found within the deepdarkCTI project.

General Group Background & Identity

Q: When and how did your group, Toufan, first become active in cyber operations?
A: When you witness all this injustice, with the blood of over 50,000 children, women, and elderly in Gaza and Palestine, when you see the betrayal and abandonment from Arab and Muslim neighbors, when you observe most Western governments, led by the head of evil, America, sending weapons to kill children, and you remain unmoved—then you are no longer part of humanity. We possess cyber capabilities that must be used to confront this beast known as “Israel.” In short, the group has been active since October 7, after Israel started the genocide against the Palestinian people.

Q: What motivated the creation of your group — political, ideological, financial, or other reasons?
A: Our group name “Toufan Alaqsa” is taken from the name of the Palestinian operation against Israel on October 7, 2023.
The Al-Aqsa Mosque is one of the holiest sites for Muslims. The Zionists are attempting to occupy and desecrate it, conducting excavations beneath it. Throughout the previous period, the situation has escalated against Muslims and their sacred sites, which is why the Al-Aqsa Flood operation took place.
The name of our group is inspired by the name of this blessed operation.

Q: How many members are currently part of Toufan, and what are their main roles (e.g., malware developers, operators, propagandists)?
A: Our numbers may be few, but our determination is high, and strong enough to confront the occupation.

Q: Are all the team members Palestinian? Are there any restrictions on who can join the team? Are there any tests required to join?
A: Multinational, including Palestinians.
Anyone can participate directly in a few tasks, not necessarily operations; over time, and after other tests, they can participate in other, more critical operations.

Q: How do you recruit or vet new members for your operations?
A: We welcome anyone who shares our goals and has the will and determination to contribute. If they have hacking skills, that’s excellent. If not, we can utilize their abilities in other ways.

Capabilities & TTPs (Tools, Techniques, and Procedures)

Q: Does Toufan develop its own custom malware and tools, or do you mainly reuse publicly available malware and exploits from other actors?
A: No restrictions on developing or reusing any tool or method that can achieve our goals.

Q: Which programming languages or frameworks do your developers most frequently rely on?
A: We rely on people not on programming languages.

Q: What are your preferred intrusion vectors (e.g., phishing, supply-chain attacks, web exploitation, insider access)?
A: We have utilized everything mentioned above and more in our operations against them. We are surprised daily by the technical weaknesses of our enemy, who boasts about their defensive projects such as CyberDome, CyberBall, PDNS, CyberShield, NISMO, TEHILA, OFEK, and others. However, in reality, we discover new vulnerabilities in these systems every day. They are nothing more than names and a facade presented to the world.

Q: How do you maintain persistence inside a compromised network once initial access is gained?
A: Most of the traditional methods are just like what hackers do. We have maintained access to certain targets for years, and we still hold onto the rest to this day.

Q: Do you employ data encryption or wipers in your campaigns, or is your focus primarily on espionage and disruption?
A: We operate in both directions. Part of our work is showcased on our channels, but much of it is not revealed immediately, and a lot never sees the light of day, benefiting us in other ways.

Infrastructure & Operational Security

Q: What techniques did you use to gain initial access? Vulnerabilities? Phishing? Infostealers?
A: Even insiders.

Q: What infrastructure do you rely on for command-and-control (C2) — bulletproof hosting, compromised servers, TOR networks, or legitimate cloud platforms?
A: INCD (Israel National Cyber Directorate) knows a few of them. We keep the others private.

Q: How do you fund your operations — is it state-sponsored support, donations, or cybercrime-based revenue?
A: While Israeli media outlets have repeatedly labeled us as an Iran-sponsored group, we want to make it clear that we are a multinational, self-sponsored organization. They continuously push this narrative for two main reasons: 1. To conceal their own weaknesses against individual groups, and 2. To shift the blame for their failures onto Iran.

Q: Do you maintain your own infrastructure, or do you outsource to other groups and service providers?
A: I appreciate your understanding, but I won’t be answering that question.

Victimology & Targeting

Q: What sectors or industries are you most interested in targeting (e.g., defense, finance, energy, telecommunications)?
A: While we concentrate on defense and infrastructure, we have no issues with targeting any Zionist institution supporting the Israeli occupation and genocide.

Q: Are your operations limited to Israeli organizations, or do you also conduct campaigns against companies in other countries?
A: LIMITED to Israeli organizations, not Jewish ones. Targeting companies outside of Israel that support the Zionists is under consideration.

Q: How do you select your targets — opportunistically (whoever is vulnerable) or strategically (aligned with political/ideological objectives)?
A: To respond to the events occurring in the Gaza arena, we sometimes resort to what is available and quick. However, we do not overlook the strategic objectives.

Ecosystem & Collaboration

Q: Does Toufan collaborate with or take inspiration from other threat actor groups (e.g., Hamas-linked cyber units, Iranian groups, or criminal collectives)?
A: We admire Hamas’s cyber capabilities, which were clearly demonstrated in Gaza on October 7th, particularly in terms of planning, information breaches, and penetrating security systems, radars, cameras, and more. This effectiveness has made their operation successful, as acknowledged by the world.

Q: On which underground forums, social media platforms, or encrypted channels does Toufan usually operate or communicate?
A: I won’t be answering that question.

Q: Do you share tools, exploits, or intelligence with allied groups, or do you prefer to work independently?
A: Sometimes.

Strategic Outlook

Q: What is your group’s long-term objective — sustained disruption, financial gain, or influence operations?
A: October 7 was a driving force and inspiration for our group, even though we were supposed to be working against the occupation long before that. We have made a vow to ourselves not to stop until the occupation of Gaza, all of Palestine, and the Golan Heights is lifted, and the Zionist occupier is driven back to their original homeland.

Q: How do you measure the success of your campaigns?
A: We have achieved significant successes, but they are not commensurate with the challenges we face. Despite these successes, the enemy consistently conceals its losses and lies to its own people; even the INCD itself deceives the government. Everyone is lying to everyone.
