So far, none of these claims have been independently verified, and the weight of technical and geopolitical context suggests they are psychological operations (psyops), not proof that nuclear environments have been breached. Regardless, these likely psyops campaigns have intensified in the immediate aftermath of the Iran conflict.
Key Points
- Pro-Russian Cardinal/Monarch hacktivists have claimed control of Israeli and French nuclear facilities, but there is no independent technical evidence supporting those assertions.
- The claims emerged immediately after U.S.- and Israel-led strikes on Iran, fitting a broader pattern of pro-Iran and pro-Russian hacktivist groups amplifying cyber operations for psychological and political impact.
- While nuclear claims remain unverified, groups linked to Iran have carried out disruptive attacks such as the destructive wiper operation against medical-device maker Stryker.
- Direct remote compromise of reactor safety systems is highly unlikely.
- The most realistic cyber pathway into nuclear environments remains portable media.
Retaliation After the Iran Strikes
On February 28, 2026, the United States and Israel launched coordinated strikes against targets in Iran, triggering large‑scale Iranian missile and drone attacks across the region.
According to Intel 471, those kinetic operations were followed within hours by a surge of pro‑Iran and pro‑Russian hacktivist activity aimed at the U.S., Israel, and their allies, with groups racing to claim “retaliatory” operations against governments, defense, and critical‑infrastructure targets.
Intel 471 notes that these actors “almost certainly are attempting to distract regional adversaries” and project perceived power through DDoS, data‑leak claims, and destructive attacks whose real‑world impact is often limited.
The unverified nuclear stories pushed by Cardinal/Monarch sit squarely inside that retaliatory narrative: a bid to show that Western and allied states are vulnerable at precisely the moment when public attention is fixed on Iran‑related escalation.
Threat Actor Background
Cardinal/Monarch operates inside the broader “Russian Legion” hacktivist alliance, a pro‑Russian ecosystem that blends politically motivated threats with noisy but mostly low‑impact disruption. Truesec reports that Russian Legion, led by Cardinal alongside groups like The White Pulse, Russian Partizan, and Inteid, first emerged in late January with the “OpDenmark” campaign, using DDoS attacks and screenshot‑driven information operations to pressure Denmark over military aid to Ukraine, while fixating on the energy sector as a target.
Recent threat‑intel reporting describes Russian Legion as state‑aligned but not state‑funded, focused on opportunistic operations that generate media attention rather than sophisticated, destructive attacks on critical infrastructure.
Cardinal/Monarch’s Nuclear Narrative
InfraShield threat intel analysts initially flagged Cardinal’s bellicose nuclear rhetoric when their official Telegram channel shared a statement from the group on March 8. In that “THE HEART OF DIMONA IS OURS” post, Cardinal claims that “for 2 months, we’ve been ghosts in your machines” and asserts “total control over 5 key sectors of the Negev Nuclear Research Center,” taunting operators that their recent “technical maintenance” was really “a desperate, failing struggle to lock a door we already control.”
Situated near Dimona in Israel’s Negev desert, the Negev Nuclear Research Center is widely seen by analysts as the heart of Israel’s secretive nuclear weapons program, hosting its most sensitive reactor and plutonium‑production activities.
The accompanying screenshots purport to show reactor‑control interfaces and alarms as Cardinal tells staff, “Look at your screens. Those aren’t glitches,” before listing “ROD Deviations – we move your core rods like chess pieces,” “P‑03 Failure – your cooling is screaming under our command,” and warning that Reactor #2 is “no longer yours to manage.”
It’s important to note that these materials originate solely from the group’s own propaganda channels and have not been confirmed by Israeli authorities or independent responders.
A follow‑on Dimona post published in the group’s Telegram channel on March 10 leans even harder into psychological pressure, warning, “You have 84 minutes of logs you can’t explain. You have four rods that moved by themselves. You have a valve that opened itself,” and insisting investigators will never find IPs, tools, or names—only “paranoia, doubt, [and] the uncomfortable certainty that someone was inside your most protected facility, and you didn’t feel a thing.”
On March 12 (Israeli time), Cardinal/Monarch published a follow-up Telegram announcement describing a breach of “Israeli Nuclear Power Plant (NPP) infrastructure.” The Telegram post includes screenshots the group said came from internal systems and emails, presented as proof that they had penetrated Israel’s nuclear sector. Again, it’s important to note that these screenshots could have easily been fabricated, and have not been independently verified.
Monarch’s posting states that the “screenshot you see is the internal panic at an Israeli Nuclear Power Plant (NPP) infrastructure after the Cardinal breach. While the world thinks everything is "normal", the "Dear CEO" and his puppets are trying to erase the traces of a nuclear-grade disaster.”
“Instead of notifying the IAEA or the public, they are coordinating a "Unified Denial" and ordering the deletion of logs from SRV-TLV-DC3 and SRV-BEER-01. They are more afraid of a PR scandal than a meltdown,” continues the post.
Monarch goes on to claim that their “virus is still breathing inside the control systems and the network.” The threat actors also give the Israeli NPP a deadline of “6 hours to admit the truth” or they will leak the technical schematics of the cooling systems and the personal data of every specialist on shift.
Shortly afterwards, the same personas published allegations regarding a breach of France’s Golfech Nuclear Power Plant. Notably, while France has denied advance knowledge or involvement in the February 28 strikes that killed Iran’s Supreme Leader Ali Khamenei, the country has deployed Rafale fighters and air‑defense systems, and has ordered the carrier Charles‑de‑Gaulle and its escort to the Mediterranean to help defend allied airspace and secure energy shipping lanes in the region.
In a Telegram post titled “GOLFECH NPP: THE ARCHITECTS OF YOUR DARKNESS” published on March 12, a Monarch operator using the handle “Apollon” tells France, “This is Unit 2 of the Golfech Nuclear Power Plant. We have bypassed your ‘elite’ security and gained full control over the secondary coolant loop.”
The post claims, “We had the power to trigger a meltdown. We could have erased this plant from the map. We chose not to… for now,” and a follow‑up message warns: “One wrong move by your government, and we will turn your nuclear pride into your eternal nightmare.”
At the time of writing, there are no public statements from French or Israeli nuclear regulators confirming any compromise of safety‑critical systems, nor reports of reactor incidents consistent with the level of control Monarch describes. Open‑source coverage and vendor reporting treat these as hacktivist claims that have yet to be substantiated.
Meanwhile, Real Damage from Handala and the Stryker Wiper
While Cardinal/Monarch are using nuclear fears to amplify their psychological impact through social media, other Iran‑nexus groups are delivering tangible and potentially life-threatening, if still largely IT‑focused, damage.
On March 10–11, 2026, medical‑device giant Stryker suffered a global outage after a destructive wiper-based cyberattack. Pro‑Iran hacktivist group Handala claimed responsibility, describing the operation as retaliation for a deadly strike on a school in Iran and asserting that it wiped or disrupted systems across dozens of countries.
According to reporting from various cybersecurity news outlets, investigators believe Handala deployed wiper malware against Stryker employee endpoints, erasing data on Windows and Linux devices managed through tools like Microsoft Intune.
Additionally, KrebsOnSecurity obtained a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, indicating that a number of hospitals opted to disconnect from Stryker’s various online services in response to the attack. Stryker systems that some hospitals have disconnected from include LifeNet, which “allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.”
Why Monarch’s Nuclear Claims Are Unlikely
InfraShield President and CEO Mark Rorabaugh said that “based on what we know today, Monarch’s campaign against nuclear plants looks far more like a psyop than a credible takeover of reactor systems. This is a group that has already claimed everything from deep access to Israel’s National Infrastructure Management System to their Iron Dome air‑defense network, yet those stories have consistently lacked independent technical validation.”
Rorabaugh pointed to the fundamentals of nuclear plant safety design to further assert the implausibility of Monarch’s claims. “Safety‑critical control systems for reactor protection, coolant management, and emergency shutdown are typically housed on dedicated OT networks that are physically and logically separated from business IT and the public internet,” said Rorabaugh. “In many architectures, data can leave those environments through one‑way gateways or tightly controlled DMZs, but external traffic cannot flow back in,” he added.
For a remote attacker working only from the outside, the path to “full control over the secondary coolant loop” runs through multiple layers of segmentation, authentication, and physical safeguards. It also requires deep knowledge of plant‑specific configurations and access to engineering workstations that are normally subject to stringent physical and logical controls.
That kind of campaign is characteristic of long‑term, highly resourced nation‑state operations, not the rapid‑fire hacktivist behavior Intel 471 and others describe for Russian Legion and its affiliates.
Given this, Rorabaugh assesses that Monarch’s nuclear boasts are best understood as information operations: stories designed to scare citizens, pressure policymakers, and increase the group’s profile during a period of heightened geopolitical tension. “Until regulators, operators, or independent OT responders publish technical findings that show otherwise, the responsible stance is to treat these claims as unverified psyops, not as proof of compromised reactors,” Rorabaugh said.
The Real Nuclear Weak Spot: Portable/Removable Media
The outlandishness of Monarch’s claims doesn’t give nuclear facilities a license to be complacent. “While internet‑routed attacks have a hard time reaching reactor safety systems, one channel still has a devastatingly successful track record in industrial environments: portable and removable media,” Rorabaugh said.
USB drives, external hard disks, contractor laptops, and other portable devices routinely cross network boundaries, and threat‑intel reporting continues to document how attackers use phishing, fake update packages, and impersonated security tools to plant malware that then rides in on those devices.
For nuclear operators, that makes removable‑media governance one of the most critical lines of defense.
Effective programs include:
- Controlled staging environments for media and tools, where files can be inspected or executed in isolated virtual environments before reaching operational systems.
- Clear policies that strictly limit which devices may connect to OT assets, backed by inventories and ownership records.
- Mandatory validation of all removable media on dedicated transfer stations, where files are verified against allow-listed “known-good” artifacts before any connection to plant networks.
- Enforcement controls that technically block unauthorized USB devices and alert on suspicious device insertions.
- Logging and monitoring of file transfers and media use within OT, so that anomalies stand out and can be investigated quickly.
- Automated chain-of-custody tracking for portable media, ensuring every checkout, transfer, and return is associated with a specific user, device, and session for auditability.
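As an added illustration (not InfraShield's or any vendor's code), the Python sketch below shows how a transfer station could combine two of the controls above: allow-list validation of every file on a device and a chain-of-custody record tied to a user, device, and session. The function names, record fields, and sample files are assumptions constructed for this example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_media(mount: Path, allowlist: set, user: str,
                   device_id: str, session: str) -> dict:
    """Hash every file on the media and build a chain-of-custody record.
    The media is released only if every entry is on the allow-list."""
    files = []
    for p in sorted(mount.rglob("*")):
        if p.is_dir() and not p.is_symlink():
            continue
        rel = str(p.relative_to(mount))
        if p.is_symlink() or not p.is_file():
            # Links and special files cannot be verified: fail closed.
            files.append({"path": rel, "sha256": None, "approved": False})
            continue
        digest = sha256_file(p)
        files.append({"path": rel, "sha256": digest,
                      "approved": digest in allowlist})
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "device_id": device_id, "session": session,
        "files": files,
        # Empty media also fails closed: nothing was validated.
        "release": bool(files) and all(f["approved"] for f in files),
    }

def demo() -> dict:
    """Constructed sample: one allow-listed file, one unknown file."""
    with tempfile.TemporaryDirectory() as d:
        mount = Path(d)
        good = b"vendor patch, constructed sample"
        (mount / "patch_v2.bin").write_bytes(good)
        (mount / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe")
        allow = {hashlib.sha256(good).hexdigest()}
        return validate_media(mount, allow, "jdoe", "USB-0001", "S-42")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is what gets logged for audit whether or not the media is released, so a blocked device still leaves a trace of who presented it and what it carried.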
These controls are not as headline‑grabbing as a Telegram post about hackers “breathing inside the control systems,” but they directly address the one route that can realistically bridge otherwise isolated nuclear networks.
“Nuclear cyber events rarely, if ever, arise through some dramatic remote takeover,” said Rorabaugh. “They usually walk through the door on a device someone trusted.”