On Friday, U.S. authorities accused three Iranian men of stealing and leaking files from former President Donald Trump’s 2024 campaign, the largest “hack and leak” election influence operation since Russia’s breach of Hillary Clinton’s campaign and Democratic organizations in 2016.

Iran’s influence efforts using hacked material from the Trump campaign follow what the U.S. says was a series of brazen influence operations in 2020, all authorized by Tehran’s senior leadership. Iran has consistently denied such allegations.

Iran, like China and Russia, constantly creates fake accounts on U.S. social media platforms in attempts to shift Americans’ opinion, U.S. intelligence officials say. It’s unclear that such operations have had much effect.

But Iran’s 2020 election interference efforts stand apart from what have become well-recognized interference patterns, according to an indictment from the Justice Department, Treasury Department sanctions, researchers and media reporting, and comments from current and former U.S. officials. Experts say that the 2020 operations were the first time Iran seriously targeted U.S. elections and that the efforts reflect Iran’s desire to find ways to worsen discord in American society around partisan politics and free elections.

“The thing that runs through both their activities in 2020 and in 2024 is the focus on trying to sow distrust within our political system,” said Brandon Wales, who was the executive director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in 2020 and now is the vice president for cybersecurity strategy at SentinelOne, a cybersecurity company.

“We have not seen very aggressive action to actually target our election infrastructure,” which is largely disconnected from the internet and extremely difficult to directly target remotely, he said. “Instead, it’s trying to use what access they can to undermine American confidence in our systems and in each other.” 

Access to a local election night reporting system 

The date of the first Iranian interference attempt of 2020 isn’t public; it happened in the late summer, a former U.S. official who worked on the issue at the time told NBC News. The official asked not to be named and declined to share specific details about the incident, citing the government practice of not naming victims of cyberattacks unless they come forward.

An Iranian hacker group linked to contractors working for Tehran broke into a local government website, the official said. That gave them access to election night reporting (ENR) systems, which provide live updates on unofficial results on Election Day. The hackers were quickly removed and unable to cause harm, a Cyber Command senior official, Army Maj. Gen. William J. Hartman, said at the RSA Conference in San Francisco last year, when some details about the incident were declassified. The location and exact date haven’t been made public.

Those hackers never had the ability to change the vote count, but they could have appeared to tinker with it in real time to sow doubts about the election, Hartman said. It’s not clear what the hackers planned to do with the access, but they were aware they had access to the ENR systems, the U.S. official familiar with the incident said.

The operation mirrored one of the earliest known attempts by one country directing its hackers to interfere in another’s elections: a 2014 incident in which Russian hackers were alleged to have broken into Ukraine’s national election reporting system to make it appear that an unpopular pro-Russia candidate had somehow won the presidency.

Fake Proud Boys campaign

In the most bizarre and elaborate foreign influence campaign of 2020, Iranian hackers staged an entirely fictional cyber-enabled fraud and harassment campaign, the Justice Department alleged in a detailed 2021 indictment. In October 2020, they tried to make it appear that the Proud Boys, a pro-Trump militia group, had hacked multiple states, were using stolen voter information to conduct mass voter fraud by mailing ballots in their names and were harassing Democratic voters across Florida.

The Iranian hackers did successfully steal some voter data from Alaska’s Online Voter Registration System, but otherwise none of it was true. The hackers, who the Justice Department said worked for Emennet Pasargad, an Iranian cybersecurity and information operations company that does work for the country’s government, staged a video that purports to show the operation, set to the Metallica song “Master of Puppets.” 

The video doesn’t actually depict a way to successfully commit voter fraud, and its technical “hacking” scenes actually show the hackers trying to break into a server in Moldova, according to an analysis by the Election Integrity Partnership, a Stanford University-backed election research group that has since disbanded.

The hackers tried to post it to various platforms online, but it gained little traction. A Google spokesperson said in 2020 that it was uploaded to YouTube but that it had fewer than 30 views by the time Google removed it.

Around the same time, the indictment says, the Emennet Pasargad hackers also sent tens of thousands of harassing emails to registered Democrats in Florida, where such voter information is free to the public, and Alaska. The emails varied, but they generally called recipients by name, claimed to have hacked their states’ voting infrastructure and demanded the voters change their registration to Republican. The emails came from at least two spoofed Proud Boys email addresses and said, “You will vote for Trump on Election Day or we will come after you.” A Google spokesperson said in 2020 that the hackers tried to send about 25,000 threatening emails through Gmail but that around 90% of them were sent to spam filters.

Some voters alerted authorities to the emails, and on Oct. 21, FBI Director Christopher Wray and then-Director of National Intelligence John Ratcliffe accused Iran of the operation at a news conference.

Alireza Miryousefi, at the time a spokesman for the Iranian Mission to the United Nations, denied that Iran had done anything to try to influence the U.S. election.

Compromise of news system used by dozens of outlets

Around September or October, the Emennet Pasargad hackers gained access to an American media company that serves dozens of news publications in an apparent attempt to produce mass disinformation about election results, according to the Justice Department’s 2021 indictment. The hackers successfully tested that their access let them change content on news sites.

The Wall Street Journal has reported that the hacked company is Omaha, Nebraska-based Lee Enterprises, which owns nearly 100 small news companies across the country. NBC News has not independently verified that Lee Enterprises is the media company that was hacked, and it didn’t respond to a request for comment.

On Nov. 5, the day after the election, the hackers tried to log back in to the media company with previously stolen credentials, only to realize they had been changed, the indictment says.

‘Enemies of the people’ kill list

At least as early as Dec. 7, 2020 — after the election but before Joe Biden was sworn in or pro-Trump rioters stormed the U.S. Capitol — Iran allegedly tried another campaign to imitate right-wing radicals to divide the U.S. 

On various websites, it circulated a hit list, titled “Enemies of the People,” that listed American political figures who either helped secure or administer the election or had tried to counter Trump’s false claims that he had won it.

“The following individuals have aided and abetted the fraudulent election against Trump,” it said. “Changing votes and working against the President is treason and patriotic Americans should never forget those who helped overthrow our democracy!”

The site showed photos of them in crosshairs, described their work and in some cases provided personal information like their home or email addresses. People on the list included employees of Dominion Voting Systems, Michigan Gov. Gretchen Whitmer and former CISA Director Chris Krebs.

On Dec. 23, the FBI and CISA announced that Iran was behind the campaign, though the agencies didn’t specify any individuals, any agency or the company. As of that date, the campaign appears to be inactive.

“The post-election creation of the Enemies of the People website demonstrates an ongoing Iranian intent to create divisions and mistrust in the United States and undermine public confidence in the U.S. electoral process,” the agencies said in a public alert.

Miryousefi denied that Iran was behind that campaign.