Crypto for Intel: How Iranian Intelligence Used Telegram to Recruit a US Citizen in Jerusalem

A Digital Recruitment Pipeline
The boundary between a casual social media interaction and a national security breach has blurred into a dangerous grey area. According to a recent indictment from the Israel State Attorney’s Office, Eli Lavon, a 21-year-old American citizen and ultra-Orthodox student in Jerusalem, allegedly crossed that line after answering a job advertisement on Telegram.
The case highlights a growing trend in modern intelligence gathering: the use of encrypted messaging apps to identify and recruit low-level assets through what appear to be legitimate remote-work opportunities. Prosecutors allege that the recruitment began in November 2025 while Lavon was visiting family in the United States. By the time he returned to Israel, a foreign agent operating on behalf of Iranian intelligence had established a direct line of communication, pivoting from a generic job offer to specific intelligence tasks.
Low-Stakes Tasks, High-Stakes Consequences
The nature of the assignments Lavon allegedly performed suggests a strategy of ‘micro-tasking’—starting with low-risk requests to build trust and compromise the recruit before moving toward high-value targets. The indictment details requests that seem mundane on the surface but carry significant tactical value: recording video of an abandoned building in a religious neighborhood and filming the interior of a specific grocery store.
The operations also involved ‘dead drops,’ a classic espionage technique modernized for the digital age. In one instance, Lavon is accused of hiding a cigarette packet containing a note reading “The job is complete” in a bathroom trash can at the Hadar Mall. In another, he allegedly left a USB flash drive wrapped in a 50 shekel note (roughly $16.70) at a Jerusalem restaurant, confirming the drop with a selfie and a photo of his passport.
While these actions may seem disjointed, Israeli security officials note a chilling correlation: several of the sites filmed by recruits in similar cases have later been targeted in Iranian missile attacks. This suggests that these ‘low-level’ recruits are essentially providing the ground-level reconnaissance necessary for precision strikes.
The Crypto Connection
Payment for these services was handled entirely through cryptocurrency, providing the Iranian agents with a layer of financial anonymity and the recruit with an untraceable stream of income. In total, prosecutors claim Lavon received approximately $1,379 in crypto payments. To evade detection, the suspect allegedly utilized three different mobile phones and two separate Telegram accounts.
The digital trail, however, was not invisible. Lavon was arrested on June 9 and now faces two counts of contacting a foreign agent and 14 counts of communicating information to the enemy. The case marks a rare instance of an American citizen being prosecuted in Israel amid a broader wave of domestic espionage, where at least 60 Israelis have been indicted since 2023.
The Defense: Social Media vs. Espionage
The legal battle now centers on the definition of espionage in the era of the ‘gig economy.’ Raz Bar Tzvi, representing Lavon, has pushed back against the prosecution’s narrative, suggesting that the legal system is failing to adapt to technological realities. According to Bar Tzvi, making contact with a foreign actor via social media does not automatically transform a citizen into an “atomic spy.”
This defense touches on a critical vulnerability in modern cybersecurity: the ease with which foreign intelligence services can spoof identities and manipulate young, digitally native individuals who may not immediately perceive a Telegram ‘job offer’ as a security threat. Ronit Shentzer Yaakobi of the Jerusalem District Attorney’s Office emphasized that this case serves as a warning about how intelligence agencies exploit the digital sphere to identify and operate assets from within a target country.