The Attack Was the Message: The DOJ Indictment and the Operational Model Behind HAYI

June 9, 2026

On May 28, 2026, the U.S. Department of Justice unsealed an eight-count indictment against Mohammad Baqer Saad Dawood Al-Saadi, a dual Iranian-Iraqi national charged with terrorism-related offenses for his alleged role as a senior operative of Kata’ib Hezbollah and Iran’s Islamic Revolutionary Guard Corps (IRGC). The indictment covers nearly 20 attacks and attempted attacks across Europe and the United States, all carried out in the name of Harakat Ashab al-Yamin al-Islamia (HAYI), a group that first emerged publicly in March 2026.

Figure 1: HAYI logo and branding; Source: Foundation for Defense or Democracies

The legal case matters on its own terms. But the more analytically interesting question is what the indictment reveals about how HAYI functioned: not as a standalone terrorist organization, but as a coordinated media-and-operations network allegedly directed by Iranian-aligned actors. DarkOwl began monitoring HAYI’s Telegram footprint in April 2026. Mapping that monitoring against the indictment’s allegations puts several patterns that were already observable at the time into a different light.

Analysis for this blog was conducted using DarkOwl Vision, through targeted tracking of Telegram channels associated with HAYI and the broader Iranian-aligned amplification network.

Who Is Al-Saadi?

Al-Saadi, 32, is a dual Iranian-Iraqi national with a career spanning more than a decade inside IRGC-aligned militia networks. According to the DOJ and a detailed CTC Sentinel profile published in May 2026 by Crispin Smith and Michael Knights of the Militia Spotlight platform, he reportedly fought in Syria around 2016 in support of Assad’s forces and returned to Iraq to participate in operations against the Islamic State. Open-source imagery from as early as 2015 shows him operating alongside Iraqi Shia Popular Mobilization Forces and, unusually for someone his age, photographed repeatedly with senior IRGC-Quds Force and militia leadership including Qassem Soleimani.

After his arrest, Al-Saadi waived his Miranda rights and spoke voluntarily to U.S. law enforcement. He described himself as a leader within “the resistance,” a term he used to refer to the IRGC, Kata’ib Hezbollah, Hezbollah, and the Houthis. He said he had been like a son to Soleimani and traveled with him constantly before Soleimani was killed in a U.S. airstrike in January 2020. He also stated he met with Iran’s then-Supreme Leader Khamenei approximately three days before the conflict with Iran began in February 2026.

The CTC authors describe his career as reflecting “rarified trust and access” within Iranian-aligned militant structures. That background matters for understanding how someone allegedly coordinated a multi-country attack-and-media campaign while based in Iraq.

The Indictment: A Coordinated Attack-and-Media System

The DOJ alleges Al-Saadi played a significant role in planning, coordinating, and amplifying approximately 18 attacks across Europe conducted in HAYI’s name, including arson attacks, rudimentary bombings, stabbings, and a claimed drone operation targeting the Israeli Embassy in London. Two additional attacks in Canada are also alleged. Prosecutors describe HAYI as “actually a front of Kata’ib Hizballah and other U.S. designated foreign terrorist organizations.”

This is not a standard material support case. The allegations describe a level of operational integration between the attacks themselves and the surrounding media operations that goes well beyond financing or inspiration from a distance. According to prosecutors, Al-Saadi participated in live FaceTime calls with attackers while operations were underway, recorded those attacks, helped produce propaganda videos, and coordinated dissemination in parallel with the attacks themselves.

A video from April 18, 2026, the day of an attack against a synagogue in London, shows Al-Saadi on a FaceTime call projected onto a large screen against the HAYI logo, recording the attack as it happened. A voice on the call directs the attacker to “take a lighter,” “light it,” and “throw the fourth one.”

After his arrest, Al-Saadi told U.S. law enforcement he was “in charge of media and psychological warfare, including against the United States, as well as strategy and military intelligence.” He said HAYI’s propaganda videos were part of the “psychological warfare” the resistance was waging against the United States, designed to “instill fear and terror in civilians.”

His instructions to a Kata’ib Hezbollah contact about distributing attack footage reflect the same logic. In one exchange cited in the indictment, Al-Saadi told the contact that “[t]he most important thing is that within the psychological warfare, they [HAYI’s messages] are useful,” and that “anything that distracts the enemy is useful.”

Figure 2: Arrested senior officer of Kata’ib Hezbollah (December 2019 Facebook post accusing al-Saadi of assassination against protesters, reposting an image shared by al-Saadi himself in May 2018); Source: CTC West Point

The U.S. Targeting Dimension

Most public attention has focused on the European attack campaign, but the indictment also documents Al-Saadi’s alleged efforts to bring the campaign to the United States.

Prosecutors allege that in March and April 2026, Al-Saadi worked to arrange attacks in the United States, including against a synagogue in New York City. On April 30, 2026, the day before his detention while traveling in Turkey, he called an individual in the United States and asked whether that person knew “someone who could ‘attack’ in the United States, including by ‘burning, . . . or whatever he can,’ including ‘killing.’” He was detained the next day.

That attempted expansion fits with what Al-Saadi told investigators about his broader objectives. He described “the resistance” as waging psychological warfare specifically against the United States, and the geographic scope of HAYI’s claimed attacks had been moving steadily from Europe toward North America over the course of the operation.

What DarkOwl Observed in Parallel Telegram Activity

DarkOwl began monitoring HAYI-linked activity in April 2026 as attack claims circulated across Telegram. Our April 16 analysis raised the question of whether HAYI was a distinct organization or a node within a broader network. Several findings from that monitoring connect directly to what the indictment now alleges.

Al Faqaar as a structured amplification node. DarkOwl identified the Al Faqaar Telegram channel as consistently publishing HAYI-attributed content before or alongside the group’s own channels. At the time, we noted it functioned “similarly to established IRGC-aligned media outlets such as Sabereen News, acting as an early dissemination node.” The indictment now alleges that Al-Saadi instructed his Kata’ib Hezbollah (KH) contact to post attack footage “in the news, important” and coordinated directly on which channels to use and when. The distribution pattern DarkOwl tracked was not organic reposting. It fits the picture of structured, upstream direction.
The Sabereen News watermark. Our April 16 analysis also found Sabereen News branding within video content reposted by HAYI-affiliated channels, pointing to “participation in a shared media pipeline where content is reused and redistributed across channels.” The indictment’s allegations about Al-Saadi coordinating directly with KH propagandists on media timing and channel selection offer a plausible account of how that pipeline worked.
April 29, London. In our April 29 post, DarkOwl documented Al Faqaar’s near-real-time coverage of the London stabbing of two Jewish men, including a dual U.S.-British citizen. Al Faqaar published a text-only alert at 0500 MST, followed by attack footage, arrest footage, and a final branded video by 0830 MST. We noted at the time that the speed and structure of the media response suggested the incident was “either anticipated or quickly incorporated into a broader narrative framework.” The indictment shows what was allegedly happening on the other end: that same day, Al-Saadi told his KH contact to post the attack footage (“post it in the news, important”) and sent a message about a planned restaurant shooting for that evening. He was detained the following morning. DarkOwl was tracking the media operation in near-real time while Al-Saadi was allegedly running it.
A note on Russian-linked amplification. DarkOwl’s monitoring of the Axis of Resistance channel network identified that two of the four primary Telegram channels distributing HAYI content appear to have ties to sanctioned Russian networks. Whether this reflects deliberate coordination between Iranian and Russian information operations infrastructure, or parallel amplification by actors pursuing compatible objectives, remains an open question. It is a thread that warrants continued monitoring given the broader context of Iranian-Russian strategic convergence since February 2022.
The “lone wolves” framing reconsidered. The April 29 analysis noted that the final video from the London stabbing framed the attackers as “lone wolves” and observed that this language “may reflect a deliberate strategy that allows groups to claim or amplify attacks while maintaining plausible deniability.” The indictment supports that reading. According to prosecutors, the deniability language in HAYI’s public messaging ran alongside direct tactical coordination, including real-time FaceTime calls during attacks. The two were not in tension. They were apparently by design.

HAYI as a Facade Operation

The analysis in CTC Sentinel characterizes HAYI as bearing “all the hallmarks of a muqawama ‘façade group’ operation, in which an online brand is used to partially conceal the real-world identity of an Iranian-aligned attacker.” The authors document that Al-Saadi sent HAYI’s launch statement and associated iconography via his Snapchat account more than four hours before it circulated publicly, indicating, as they put it, “his advanced and insider knowledge of HAYI’s operations.”

That finding tracks with what DarkOwl observed. In our April 16 analysis, we described HAYI as “best understood as part of a broader ecosystem in which content is circulated, repurposed, and reinforced across multiple actors” and noted that “attribution becomes less about identifying a single origin point and more about understanding how narratives move across channels.” HAYI’s primary Telegram channel was removed or banned by early April, but content continued moving through Al Faqaar, Safee al-Deen, and affiliated channels. The indictment suggests that continuity was structural from the beginning, with centralized direction continuing regardless of which channel was carrying the content at any given time.

HAYI was not, according to prosecutors, a spontaneous movement that KH later amplified. The branding, messaging, and distribution were managed upstream from the start.

The Operational Model: Attacks and Propaganda as a Single System

In Al-Saadi’s own account, as alleged by prosecutors, propaganda was not something that happened after an attack. It was part of the attack. “Psychological warfare” was described as a strategic objective, sitting alongside kinetic operations. Attack footage was reviewed, curated, timed, and sent to specific channels. The same person allegedly directing FaceTime calls during attacks was also coordinating which Telegram accounts received the footage and when.

The Institute for Strategic Dialogue (ISD) has characterized this type of approach as consistent with a potential “violence as a service” model, where individuals may be recruited, inspired, or financially incentivized to conduct attacks that are then amplified through a broader media network. The DOJ allegations add specificity to that framework: recruitment of local criminals (frequently minors, according to court documents, with at least one recruit offered €600 via Snapchat), real-time tactical coordination via video call, payments made via cryptocurrency and ZainCash, and propaganda production and distribution run through the same command structure as the attacks themselves.

This creates real problems for attribution and disruption. A decentralized channel network built around a disposable front brand lets organizing actors benefit from the psychological effects of violence while keeping distance from the individuals carrying out attacks. The deniability framing visible in HAYI’s public messaging was not a gap in the model. According to the indictment’s allegations, it was part of the design.

Implications for Threat Intelligence Analysis

Tracking the amplification network matters as much as tracking the primary brand. HAYI’s own channel was banned in early April. Its operational footprint stayed visible through Al Faqaar, Safee al-Deen, Sabereen News, and affiliated channels. In this model, monitoring the distribution layer is as important as monitoring the group itself.
Rapid media response can be a signal, not just noise. HAYI’s near-real-time output after attacks could be read as unsophisticated or opportunistic. The indictment points in the other direction: that speed reflected upstream coordination.
The “Lone wolf” framing should be treated as a narrative choice, not an analytical conclusion. The deniability language in HAYI’s messaging was visible before the indictment. Prosecutors now allege it ran alongside direct tactical direction of attacks in real time.
Propaganda channels and attack planning may share a command structure. Al-Saadi is alleged to have managed both simultaneously. Monitoring media production and distribution may provide as much operationally relevant signal as monitoring attack planning activity directly.
The model is transferable. Front branding, recruited or inspired attackers, real-time coordination, and rapid media amplification require fewer resources and expose fewer operatives than traditional terrorist infrastructure, while potentially generating outsized psychological impact. If it continues to prove effective, other actors are likely to adopt it.

Conclusion

The indictment offers a rare look inside a structure where violence and media amplification were apparently run as a single operation. The question it raises is not just who carried out a given attack, but how the surrounding channel network was built to turn that violence into narrative impact.

Much of what the indictment now alleges as fact was already partially visible in HAYI’s Telegram footprint: in Al Faqaar’s distribution patterns, in the Sabereen News watermarks embedded in attack footage, in the speed and coherence of the media response to the London stabbing on April 29. The indictment adds prosecutorial detail to patterns that DarkOwl’s monitoring had already flagged.

Recent academic research on HAYI, including work cited by the Combating Terrorism Center at West Point, has drawn on DarkOwl’s prior analysis of the group’s Telegram footprint and its relationship to the broader Iranian-aligned network. The Al-Saadi case makes clear why that kind of monitoring matters, and why the channel networks surrounding these operations deserve as much analytical attention as the operations themselves.

DarkOwl continues to monitor how this model evolves and whether it inspires adoption by other state-aligned actors or extremist networks. The case against Al-Saadi is one data point in what may be a longer trend toward operational structures that treat media amplification and physical violence as inseparable. How other groups respond to that example, and whether the model proves durable after a high-profile arrest, will be worth watching closely.