SJ Investigates: Nima Salehi, The Long Overlooked Ashiyane Co-Founder

Over the past year, HRA’s Spreading Justice project has conducted a detailed investigation into Nima (Alireza) Salehi, identified as a central but long-overlooked actor in the Islamic Republic of Iran’s cyber repression architecture. Operating under the alias Q7X, Salehi co-founded and held a senior leadership role within the Ashiyane Digital Security Team, one of the most influential cyber groups aligned with Iran’s security apparatus.

Unlike Ashiyane’s founder, Behrooz Kamalian, who has been sanctioned by multiple jurisdictions for cyberattacks supporting state repression, Salehi has never faced comparable scrutiny or accountability. Despite his documented involvement in activities enabling surveillance, censorship, intimidation, and violations of numerous human rights, he continues to benefit from unrestricted global mobility, as evidenced by his extensive travel across Europe, the United States, Asia, and Africa.

By publicly exposing Salehi’s record, Spreading Justice urges states and implementing bodies to address this critical blind spot and to take immediate action to prevent individuals and entities that currently or previously facilitated digital repression from operating freely across borders.

WHAT IS ASHIYANE?

Ashiyane, meaning “nest” in Persian, is an Iranian hacking and security group founded in 2002 by Behrooz Kamalian. Initially, a small team of skilled hackers, it rapidly expanded into one of the most recognized and influential hacking groups in Iran. The group gained prominence through widespread website defacements, including attacks on foreign government sites, and by identifying vulnerabilities in Iranian websites, positioning itself as active in both black hat and white hat hacking.

Over time, Ashiyane built a broader cyber ecosystem, including a training center, a security company, and hosting services. Its hacking and security courses at Sharif University of Technology, later formalized into their own program, reflect the group’s role in cultivating a generation of Iranian cyber operators. Ashiyane achieved global visibility, ranking second worldwide for website defacements on Zone-H and being named “Best Hacking Team.”

HRA’s research confirms that the group maintained structural links with the IRGC and Iran’s Cyber Police (FATA). These ties shielded Ashiyane from restrictions imposed on other hacking groups. Both Kamalian (known as “Behrooz_Ice”) and Salehi (7XQ) appeared on Iranian state television as senior representatives of the Ashiyane Digital Security Team.

In interviews, including with Deutsche Welle Persian, Kamalian attempted to portray Ashiyane as an independent private group. Yet his own statements reveal deep integration with Iran’s cybersecurity and security infrastructure: Ashiyane collaborated routinely with state institutions, conducted large-scale political hacks later credited as victories of “Iran’s Cyber Army,” and provided training to authorities. Regardless of its formal status, the group functioned as an extension of the Islamic Republic’s security and propaganda apparatus.

Findings from Recorded Future and ARTICLE 19 show that Ashiyane’s cyberattacks, defacements, DDoS operations, and surveillance training were deliberate components of a broader strategy of digital repression, designed to block independent information, silence dissent, and intimidate activists and journalists. These activities directly undermined freedom of expression, privacy, access to information, and freedom of association and peaceful assembly, facilitating downstream abuses such as arbitrary arrest and ill-treatment.

A comprehensive analysis published in Insight Turkey reinforces Ashiyane’s foundational role in Iran’s cyber infrastructure. Far from signaling a decline, the group’s eventual closure highlighted how deeply embedded it had been within the state’s cyber apparatus and the broader system of digital repression it enabled.

The UK and EU, in their 2011 designations of Kamalian, captured this clearly: Ashiyane was “responsible for intensive cyber attacks both on domestic opponents and reformists and foreign institutions,” assisting the regime’s crackdown that involved numerous serious human rights violations.

WHO IS BEHROOZ KAMALIAN?

Behrooz Kamalian, known as “Behrooz_Ice,” is widely recognized as the leading figure behind the Ashiyane Digital Security Team. Rising to notoriety in the mid-2000s through high-profile website defacements, he played a central role in developing Iran’s offensive cyber capabilities. Although he publicly minimized Ashiyane’s size, he acknowledged participating in politically motivated cyberattacks against American, European, and Israeli targets and maintaining cooperation with Iranian governmental and military institutions.

Iranian state-affiliated outlets attributed to him the hacking of hundreds to thousands of foreign websites in various campaigns. Cyber intelligence firms outside Iran consistently identify Kamalian as a pivotal actor in Iran’s hacker ecosystem.

In June 2018, his forum was permanently shut down, and reports surfaced of his potential arrest or the closure of Ashiyane’s office. Kamalian was sanctioned by the European Union on October 10, 2011, for his leading role in cyberattacks aimed at suppressing dissent during the post-election unrest, and was subsequently added to the United Kingdom’s consolidated sanctions list.

WHO IS NIMA (ALIREZA) SALEHI?

Nima Salehi, born November 24, year unknown, also known as Alireza Salehi, is an Iranian hacker and computer engineer who co-founded and served as the deputy leader of the Ashiyane Digital Security Team. A Blogfa post dated August 21, 2011, confirms he has used multiple names for more than a decade. Salehi studied computer security at the Alborz Technical and Engineering Institute.

Although he appeared openly in state media alongside Kamalian, Salehi has managed to avoid public scrutiny, sanctions designations, and accountability measures that targeted others in the same network. He remains a key figure who has operated in plain sight, bypassing the consequences faced by his counterparts.

OPEN SOURCE PROFILES AND DIGITAL FOOTPRINT

HRA’s research identifies several active or traceable online profiles associated with Salehi that illustrate his continued visibility and transnational movement. Despite his role in a group tied to state repression, he maintains accessible accounts on at least Instagram, LinkedIn, Facebook, and Telegram.

His personal profiles show extensive international travel. His LinkedIn profile reflects efforts to build a professional identity within international networks, while his Facebook account remains linked to Ashiyane’s broader digital presence. A Telegram channel associated with him, while unverified, aligns with common platforms used within Iran’s cyber ecosystem.

Together, these profiles reinforce a consistent picture: Salehi remains publicly active, connected, and unimpeded, despite his documented involvement in cyber activities that facilitated state repression.

HOW IS SALEHI ASSOCIATED WITH ASHIYANE AND BEHROOZ KAMALIAN?

HRA’s research confirms that Nima Salehi was not a peripheral operator but a central actor in Ashiyane. As co-founder, senior administrator, and Kamalian’s close operational partner, Salehi shaped both the group’s cyber activities and its extensive training programs.

Under the alias 7XQ, his name appears repeatedly in defacement logs and hacker community records linked to Ashiyane’s operations. ARTICLE 19 documents that both Kamalian and Salehi taught “Hacking and Security” courses at Sharif University of Technology and later directed broader training programs, contributing directly to the development of Iran’s cyber capabilities.

Salehi’s public appearances with Kamalian on Iranian state television further confirm his senior role. Despite this visibility, he has managed to avoid the sanctions and accountability measures imposed on other actors in the same network across multiple jurisdictions.

Given his documented role within Ashiyane and his partnership with Kamalian, HRA calls on implementing bodies to take immediate action to ensure that Salehi is no longer able to move freely across borders while benefiting from complete impunity.

TRAVEL HISTORY OF NIMA (AlIREZA) SALEHI AS CONFIRMED BY SPREADING JUSTICE; March 2017 – May 2025 

*Note, a larger pin denotes more frequent travel to the given location

For more information on Salehi, Ashiyane, or the documented association, please contact Spreading Justice directly via the Contact Us form at https://spreadingjustice.org/contact-us/

Endnotes

1. Spreading Justice, “Ashiyane Digital Security Team,” Spreading Justice – Human Rights Violators Database, https://spreadingjustice.org/group-violator/sj55990/
2. Poppy Jeffery and Michael Seymour, “Iranian hacker uploads dead baby image onto Bournemouth University servers,” The Independent, 18 March 2014, https://www.independent.co.uk/student/news/iranian-hacker-uploads-dead-baby-image-onto-bournemouth-university-servers-9199261.html.
3. ARTICLE 19, The Soft War and Cyber Tactics in Iran, ARTICLE 19 (2017), https://www.article19.org/data/files/medialibrary/38619/Iran_report_part_2-FINAL.pdf.
4. International Institute for Counter-Terrorism, *Cyber-Terrorism Activities Report No. 4* (Oct. 1, 2013), pp. 24–31, JSTOR, https://www.jstor.org/stable/resrep09471.5.
5.  ARTICLE 19. (2017). Tightening the net: Part 2 – The soft war and cyber tactics in Iran (33 pp.). Retrieved from https://www.article19.org/data/files/medialibrary/38619/Iran_report_part_2-FINAL.pdf
6. Techrato, “Best hacking groups in Iran and the world,” Techrato, June 9, 2021, https://techrato.com/2021/06/09/best-hacking-groups-in-iran-and-the-world/.
7. The MEMRI Cyber Jihad Lab, “Assessing the Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran – A Study Review” (June 24, 2015), MEMRI, https://www.memri.org/reports/assessing-computer-network-operation-cno-capabilities-islamic-republic-iran-%E2%80%93-study-review-0.
8. DW Persian, “گروه امنیتی آشیانه یا ارتش سایبری ایران؟”, (17 September 2010) DW, https://www.dw.com/fa-ir/گروه-امنیتی-آشیانه-یا-ارتش-سایبری-ایران/a-6016017.
9. Insikt Group, “The History of Ashiyane: Iran’s First Security Forum,” Recorded Future (January 16, 2019), https://www.recordedfuture.com/research/ashiyane-forum-history.
10.  Ersin Çahmutoğlu, *Iran’s Cyber Power* (Ankara: Center for Iranian Studies in Ankara [İRAM], April 2021), 40 pp., https://iramcenter.org/uploads/files/irans-cyber-power_1.pdf.
11. The MEMRI Cyber Jihad Lab, “Assessing the Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran – A Study Review” (June 24, 2015), MEMRI, https://www.memri.org/reports/assessing-computer-network-operation-cno-capabilities-islamic-republic-iran-%E2%80%93-study-review-0.
12. Gerdab.ir, “هک 1000 سایت توسط گروه آشیانه” (9 شهریور ۱۳۸۹ / 31 August 2010), https://gerdab.ir/fa/news/1956/هک-1000سایت-توسط-گروه-آشیانه.
13.  خبرگزاری جمهوری اسلامی ایران (ایرنا), “سایت‌های رژیم صهیونیستی توسط یک گروه ایرانی هک شد” (۲۷ شهریور ۱۳۸۸)، ایرنا، https://www.irna.ir/news/7365500/.
14.  گرداب، «هک ۱۰۰۰ سایت توسط گروه آشیانه» (۹ شهریور ۱۳۸۹)، گرداب، https://gerdab.ir/fa/news/1956/هک-1000سایت-توسط-گروه-آشیانه.
15.  بولتن‌نیوز، «بهروز کمالیان؛ از هک ناسا و سایت‌های اسرائیلی تا جذب فالوور برای سلبریتی‌های دوزاری» (۱۶ آبان ۱۳۹۸)، بولتن‌نیوز، https://www.bultannews.com/fa/news/638760/.
16.  خبرگزاری جمهوری اسلامی ایران (ایرنا), “سایت‌های رژیم صهیونیستی توسط یک گروه ایرانی هک شد” (۲۷ شهریور ۱۳۸۸)، ایرنا، https://www.irna.ir/news/7365500/.
17. European Commission, “Behrouz KAMALIAN,” EU Sanctions Tracker, designated under the Iran regime on 10 October 2011, EU financial sanctions (Regulation 2025/689), data.europa.eu, https://data.europa.eu/apps/eusanctionstracker/subjects/6594.
18. Middle East Media Research Institute (MEMRI), “Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran – A Study Review” (24 June 2015), MEMRI, https://www.memri.org/reports/assessing-computer-network-operation-cno-capabilities-islamic-republic-iran-%E2%80%93-study-review-0.
19. “Council Regulation (EU) No 359/2011 of 12 April 2011 — Annexes (as in force on 31 December 2020),” *Legislation.gov.uk*, accessed 17 August 2025, https://www.legislation.gov.uk/eur/2011/359/annexes/2020-01-31.
20. Council Implementing Regulation (EU) 2025/689 of 4 April 2025 implementing Regulation (EU) No 359/2011 concerning restrictive measures directed against certain persons, entities and bodies in view of the situation in Iran, *Official Journal of the European Union* L 2025/689 (7 April 2025), accessed 24 August 2025, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500689.
21. https://www.instagram.com/stories/highlights/18133348774262759/,
22. https://www.instagram.com/stories/highlights/17908216216300778/