Do Iranian “Sleeper Cells” Pose A Terrorist Threat To Ukraine?

Iran’s hybrid-war assassins

In early March 2026, a report appeared in the American media that at first looked like a routine leak from the security authorities. US intelligence, it was said, had intercepted an encrypted radio transmission that may have originated in Iran. The signal was allegedly relayed through international communications channels and addressed to recipients capable of decoding the message.

It was assumed that this may have been a signal to agents outside Iran, prompting US law-enforcement agencies to move to a heightened monitoring regime. The story quickly spread through international media. Donald Trump eventually commented on it. On 9 March, he said his administration had the matter fully under control, and on 11 March he added: “We know where most of them are. We are watching them all. I think.”

Iran did not publicly confirm the American reports about the intercepted signal. A few days later, the atmosphere was further inflamed by Ebrahim Azizi, head of the Iranian parliament’s committee on national security and foreign policy, who said that Iran regarded Ukraine as a “legitimate target”—as though it had not already shot down a Ukrainian passenger plane and as though Iranian drones had not already attacked Ukrainian territory as part of Russia’s war.

The idea that Iran could activate networks abroad did not emerge suddenly after that signal. Tehran had hinted at such a possibility before, especially during crises with the West, when the question of revenge or asymmetrical retaliation became part of the political rhetoric. The real question is how far Iran’s capabilities extend beyond information campaigns.

Iranian “sleeper cells”

In June 2025, the US Department of Homeland Security issued a bulletin through the National Terrorism Advisory System (NTAS). It referred to a “heightened threat environment” for the United States because of the escalation in the Middle East. The document noted that Iran had for many years sought to build networks of influence and operational capabilities beyond its own territory, while also supporting proxy structures capable of acting against American interests. The warning came after a series of US strikes on Iranian nuclear infrastructure.

At the same time, thinktanks around the world began discussing Tehran’s possible asymmetrical response—cyberattacks, sabotage on maritime routes and operations through proxy groups in the Middle East. But there was also speculation about covert networks abroad. Iran warned that any attack on its territory would be met with “a response in places where it is not expected”. Concealing the form that response might take is typical of asymmetrical action, whose power lies partly in uncertainty.

As for specifically Iranian “sleeper cells,” assessments of their strike capacity remained cautious. The assumption was that, if they existed, their core functions were not as dramatic as terrorism or political assassination. They were more likely created for surveillance, intelligence-gathering, financial operations, maintaining contacts with diasporas, or liaising with proxy organisations.

In other words, a year before the current signal, Western security services were already speaking of the possibility that Iran had some kind of infrastructure of influence abroad. So when reports of the intercepted signal emerged in March 2026, they landed on already prepared informational ground and generated considerable resonance.

What do we know about Iranian “sleeper cells”? They are generally thought to be linked to the Quds Force, a special unit of the Islamic Revolutionary Guard Corps in the Islamic Republic established in 1979. It is responsible for overseas operations, work with proxy groups and the building of networks of influence. Through it, Iran coordinated the activities of Hezbollah, Shia formations in Iraq, its Syrian allies and a number of other structures.

This model of overseas coordination across the different instruments of Iranian influence is now described as “sleeper cells.” These are not necessarily strike units, but rather a logistical network—contacts, financial channels, stockpiles, cover documents. The operatives themselves may have been outsourced.

In the 1990s, this model became visible to international security services. In 1992, leaders of the Iranian Kurdish opposition were murdered in Berlin. The German investigation concluded that the operation had been organized with the involvement of Iranian state structures. Two years later, a bombing struck a Jewish cultural center in Buenos Aires, which Argentine investigators linked to Hezbollah and Iranian intelligence. In 1996, an explosion hit the Khobar Towers US military housing complex in Saudi Arabia. The US investigation concluded that the attack had been carried out by militants tied to pro-Iranian structures.

These cases shared a common feature: the networks used to prepare the operations had existed long before the attacks themselves. They involved people who could live for years in a country as ordinary residents until a specific task from Tehran came up. That corresponds to the definition of “sleeper cells.” But in reality these cells are unlikely to “sleep.” They constantly perform minor functions—observing, maintaining contacts, moving money and building infrastructure.

In other words, this is not about Iranians abroad who “sleep” for years in everyday life, but about a system that can remain unnoticed for a long time precisely because its coercive activity is limited.

It is believed that Iranian networks abroad almost never consist solely of Iranians. More often, they are a combination of members of the diaspora, friendly organizations, local radicals or even criminal actors. Their scale, like their operational capacity, is difficult to assess. They exist, but their dangerousness has manifested itself in only a handful of terrorist episodes. That may represent either something close to their maximum capability or merely a minimal test mode.

If the truth lies somewhere in the middle, then Iranian “sleeper cells” may indeed pose a threat—but it is unlikely to become critical without an association with Russian terrorist technologies and Chinese logistics.

The sense of threat

On 14 March 2026, Ebrahim Azizi, head of the Iranian parliament’s committee on national security and foreign policy, wrote on X that Ukraine had become a “legitimate target” for his country. He cited Ukraine’s help to US allies in countering Iranian drones. Tehran claimed that, by assisting Israel and the Gulf states in combating drones, Ukraine had “effectively entered the war” and therefore, the argument went, fell within the right of self-defense under Article 51 of the UN Charter.

The argument is the same as in Russian claims that Western countries are supposedly participating in the war against Russia by helping Ukraine defend itself from Russian aggression. By that logic, the shooting down by Iranian forces of a Ukrainian passenger plane near Tehran airport in 2020—which happened shortly after Iranian missile strikes on US bases in Iraq, carried out in revenge for the killing of Quds Force commander Qassem Soleimani—could itself be called an act of armed aggression against Ukraine. Iran then went on to assist Russia’s war effort against Ukraine, including by supplying Shahed drones.

Iran’s statement can be read as implying either that earlier Russian attacks with Iranian drones were unlawful and have now become lawful, or that Ukraine is becoming a “legitimate target” for Iranian terrorism. At that point, the subject of “sleeper cells” takes on a new dimension.

If such networks do indeed exist in different countries, their role is not to conduct large-scale military operations. Their logic is asymmetrical action: sabotage, attacks on infrastructure, cyberattacks and pinpoint operations against diplomatic or military targets. In other words, this is not an army. It is an instrument of political pressure.

In such cases, the perception of threat may prove more important than the threat itself. Iran’s “sleeper cells” are unlikely to possess capabilities as destructive as those of Iranian proxies—Hezbollah, Hamas and the Houthi forces, all of which have suffered heavy losses in the war with Israel. These “sleeper cells” are more like the outward-facing rear infrastructure of those proxies. If those proxies lack resources, Iran may try to make use of its “terrorist infrastructure” abroad.

Even so, if used asymmetrically for terrorist purposes, the capabilities of Iranian “sleeper cells” are unlikely to be substantial. They seem configured more to support terrorist operations using external resources. Russia could provide the operational content; China, the resources. That may be where the greatest danger lies.

At present, there is no evidence of direct coordination among covert networks of influence involving Iran, Russia and China. But through its encrypted activation commands for “sleeper cells,” Iran is likely seeking to prove that such coordination does exist. That is precisely how hybrid warfare works.