Behind the Army of Justice: Mapping Jaish al-Adl’s Online Ecosystem
Jaish al-Adl, also known as the Army of Justice, is a Sunni militant group based in Iran’s Sistan and Baluchestan province. Emerging in the early 2010s as a successor to earlier Baloch insurgent groups, Jaish al-Adl has positioned itself as both a regional insurgency and a propaganda-driven movement. While its operations are largely concentrated along Iran’s volatile southeastern frontier, its media and messaging strategies extend far beyond the battlefield.
The group’s online ecosystem plays a central role in sustaining its identity. Telegram channels, affiliated websites, and cryptocurrency-based donation systems allow Jaish al-Adl to project influence, recruit sympathizers, and maintain operational resilience. These digital components are not isolated; they connect into a wider network of amplifiers, support channels, and even adversarial actors who track or disrupt the group’s messaging.
This report examines the framework of Jaish al-Adl’s digital presence using StealthMole. By mapping its infrastructure and observing how it adapts to external pressure, the investigation sheds light on the group’s ability to remain active and visible in the online space despite persistent counter-measures.
Background
Jaish al-Adl (Army of Justice) is a Sunni extremist group active in Iran’s southeastern Sistan and Baluchestan province, a region characterized by a large ethnic Baloch population and chronic unrest. Formed in 2012 after the decline of Jundallah, Jaish al-Adl inherited both the separatist and sectarian agendas of its predecessor. The group positions itself as a defender of Sunni Baloch identity against Iranian state security forces, frequently framing its violence in terms of both religious and ethnic struggle.
Geographically, Jaish al-Adl operates along the Iran–Pakistan border, exploiting the rugged terrain and porous frontiers to stage ambushes, kidnappings, and bombings. Over the years, its attacks have primarily targeted Iranian security personnel, including the Revolutionary Guard (IRGC), border police, and local law enforcement. Civilian casualties have also been reported, often when the group strikes government convoys or infrastructure.
Tactically, Jaish al-Adl relies on hit-and-run attacks, targeted assassinations, and roadside bombings. It has also carried out suicide bombings and cross-border raids, demonstrating both mobility and access to weapons. Its propaganda often highlights successful strikes against Iranian commanders, emphasizing its narrative of resistance.
While its membership base is relatively small compared to larger militant organizations, Jaish al-Adl has sustained its relevance by leveraging local grievances, maintaining cross-border sanctuaries, and aligning itself with transnational jihadist rhetoric. This combination of regional insurgency and ideological framing ensures the group remains both a security threat within Iran and a symbolic player in the broader Sunni extremist landscape.
Incident Trigger & Initial Investigation
On 16 September 2025, a targeted attack struck Iran’s Sistan and Baluchestan province, killing the FARAJA Commander of Sib and Suran while he was traveling along the Zahedan–Khash road. Shortly after the incident, Jaish al-Adl (Army of Justice) issued a public claim of responsibility through its propaganda channels, reinforcing its role in the attack.
This claim created an opportunity to assess how the group leverages its online infrastructure during and after high-profile operations. By monitoring the channels and domains through which Jaish al-Adl circulates its announcements, the investigation sought to establish which platforms are central to the group’s communications and how those assets are connected to its broader ecosystem.
Initial searches conducted with the StealthMole Telegram tracker confirmed the group’s official media presence through the channel t.me/m****l. From this starting point, additional linked accounts, support channels, and web domains were uncovered, providing the foundation for a wider mapping effort. These early findings revealed not only the group’s official outlets but also auxiliary channels that amplify its narratives and extend its reach.
Infrastructure Mapping: Telegram Presence
Investigations conducted through StealthMole confirmed that Telegram serves as Jaish al-Adl’s primary media ecosystem, with multiple interconnected channels forming the backbone of its propaganda distribution. The central hub of this network is the official channel t.me/m*****l, which publishes operational claims, propaganda materials, and financial solicitation posts. Notably, this channel has pinned messages containing cryptocurrency donation addresses and links to affiliated domains, reinforcing its role as the group’s authoritative outlet.
From this starting point, the StealthMole Telegram tracker identified additional associated channels:
- t.me/e******s – frequently mirrors posts from the main outlet and is presented as an auxiliary information channel.
- t.me/a***l_b****h – another outlet that replicates or republishes official materials, strengthening reach across Telegram’s ecosystem.
- t.me/j*******l_s******t – dedicated to support content, reinforcing messaging and acting as a rallying point for sympathizers.
- t.me/P*_A***y_of_j******e – a parallel channel presenting itself explicitly as a public-relations outlet for the group.
Alongside these official or semi-official nodes, several amplifier channels play a role in re-broadcasting Jaish al-Adl content, though they lack evidence of direct organizational control. These include t.me/H******n and t.me/D****7, both of which frequently forward posts from m******l. An additional invite-only link (t.me/+u*************0) has surfaced, but as with most ephemeral Telegram invites, attribution remains uncertain.
The distribution pattern suggests a tiered communication structure:
- m******l operates as the origin point, producing original content.
- Channels like e*****s and a***l_b****h serve as official mirrors.
- Support and PR outlets (ja******l_s*****t, PR_A***y_of_j******e) provide auxiliary reinforcement.
- Amplifier channels (H********n, D****7, etc.) extend the message further but cannot be definitively tied to group operators.
This layered approach enhances both resilience and reach. Should one channel be removed or suspended, others continue to circulate content, ensuring continuity of messaging. By documenting the forwarding chains and timing patterns in StealthMole, the investigation establishes m******l as the authoritative source from which most messaging flows outward.
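The forwarding-chain and timing analysis described above can be sketched as follows. This is an added example, not StealthMole output or code from the original report; the channel names, timestamps, and the 10-minute mirror threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample (not real data). One row per observed post:
# (channel, post time UTC, forward-header source or None, source post time or None).
# Telegram's forward header names the original channel, not an intermediate relay.
POSTS = [
    ("hub", "2025-01-01T10:00", None, None),
    ("hub", "2025-01-02T09:00", None, None),
    ("hub", "2025-01-03T18:30", None, None),
    ("mirror_a", "2025-01-01T10:04", "hub", "2025-01-01T10:00"),
    ("mirror_a", "2025-01-02T09:03", "hub", "2025-01-02T09:00"),
    ("mirror_a", "2025-01-03T18:36", "hub", "2025-01-03T18:30"),
    ("amp_x", "2025-01-01T15:40", "hub", "2025-01-01T10:00"),
    ("amp_x", "2025-01-02T11:00", None, None),
    ("amp_x", "2025-01-03T23:10", "hub", "2025-01-03T18:30"),
]

def profile_channels(posts):
    """Per channel: original count, forward count, and median forward lag in minutes."""
    raw = defaultdict(lambda: {"originals": 0, "lags": []})
    for channel, ts, src, src_ts in posts:
        if src is None:
            raw[channel]["originals"] += 1
        else:
            lag = datetime.fromisoformat(ts) - datetime.fromisoformat(src_ts)
            raw[channel]["lags"].append(lag.total_seconds() / 60)
    return {ch: {"originals": r["originals"], "forwards": len(r["lags"]),
                 "median_lag_min": median(r["lags"]) if r["lags"] else None}
            for ch, r in raw.items()}

def find_origin(posts):
    """Origin: a channel that never forwards and is forwarded by the most distinct channels."""
    forwarders, audience = set(), defaultdict(set)
    for channel, _, src, _ in posts:
        if src is not None:
            forwarders.add(channel)
            audience[src].add(channel)
    candidates = [ch for ch in audience if ch not in forwarders]
    return max(candidates, key=lambda ch: len(audience[ch]), default=None)

def tier(profile, max_mirror_lag_min=10):
    """Behavioural label only; thresholds are assumptions and do not prove operator control."""
    if profile["forwards"] == 0:
        return "origin-like"
    pure_relay = profile["originals"] == 0
    fast = profile["median_lag_min"] <= max_mirror_lag_min
    return "mirror-like" if pure_relay and fast else "amplifier-like"
```

The labels describe observed behaviour only, which matches the report's caution that amplifier channels cannot be definitively tied to group operators.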
Infrastructure Mapping: Web Assets & Domains
Jaish al-Adl maintains an identifiable online presence beyond Telegram through a set of branded websites that reinforce its “S******e A*l” (Network of Justice) identity. These domains function as extensions of the group’s propaganda ecosystem and are often promoted within official Telegram posts.
The most prominent active domains identified through StealthMole are:
- s********l.org – Referenced in pinned messages on t.me/m*****l alongside donation addresses. Its inclusion in official propaganda confirms its role as a core media outlet.
- s********dl.com – Discovered during investigation of linked resources. Metadata shows registration through GoDaddy nameservers (ns11.d************l.com, ns12.d**********l.com) and hosting on the shared IP 3*.**.**.*0 (United States). This IP hosts numerous unrelated domains, indicating the group is using shared hosting infrastructure rather than a dedicated server.
Both domains reflect deliberate redundancy: when one becomes inaccessible due to takedown or disruption, another can be promoted through Telegram to ensure continuity. Evidence from adversarial monitoring groups such as Cyber Fattah Team further confirms the contested nature of these sites. On 3 April 2024, Cyber Fattah highlighted that s********l.org was down and circulated uptime check results. Similarly, the hostile channel t.me/H********n mocked the suspension of Jaish’s Twitter presence (@sh*******g) in late 2023. These references, though adversarial in tone, corroborate the domains’ authenticity as official assets.
By mapping these domains, the investigation shows that Jaish al-Adl relies on a low-cost, shared hosting model rather than bespoke infrastructure. This strategy enables easy re-registration and relaunch under new names if domains are seized, at the expense of exposing assets to adversarial monitoring.
Infrastructure Mapping: Financial Infrastructure
Alongside its propaganda channels and websites, Jaish al-Adl openly promotes cryptocurrency wallets for fundraising. These addresses were found pinned on its official Telegram channel, leaving little ambiguity about their authenticity.
The investigation identified the following:
- Bitcoin (BTC): bc1******************************************w
- Tether (USDT – Tron TRC20): TU**********************************************c
- Ethereum (ETH): 0x0***********************************************7
Blockchain records confirm that the Bitcoin address was operational in April 2024. On 15 April 2024, it received 0.0155 BTC (approximately USD 1,000 at the time). Two days later, on 17 April, the funds were dispersed in two outgoing transactions totaling the same amount, leaving the balance at zero. At the time of transfer, BTC price fluctuations led to a net recorded loss of roughly USD 50 on the funds moved. This transactional pattern indicates that the wallet functioned as a pass-through address, where received donations were quickly moved onward rather than stored for long-term use.
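The pass-through reading above can be expressed as a dwell-time check over an address's ledger. This is an added example, not the report's or StealthMole's own tooling; the split between the two outgoing amounts, the times of day, and the 72-hour threshold are assumptions, and fees are ignored.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed ledger modelled on the pattern described above: 0.0155 BTC
# (1,550,000 satoshis) in on 15 April 2024, fully spent in two transactions on
# 17 April. The split of the outgoing amounts and the clock times are assumptions.
LEDGER = [
    ("2024-04-15T12:00", +1_550_000),
    ("2024-04-17T08:00", -1_000_000),
    ("2024-04-17T08:05", -550_000),
]

def dwell_times(ledger):
    """FIFO-match spends to earlier deposits.

    Returns ([(hours_held, satoshis), ...], remaining_balance_in_satoshis).
    """
    deposits = deque()  # each entry: [received_at, unspent_satoshis]
    held = []
    for ts, amount in sorted(ledger):
        when = datetime.fromisoformat(ts)
        if amount > 0:
            deposits.append([when, amount])
            continue
        to_spend = -amount
        while to_spend and deposits:
            dep = deposits[0]
            used = min(dep[1], to_spend)
            held.append(((when - dep[0]) / timedelta(hours=1), used))
            dep[1] -= used
            to_spend -= used
            if dep[1] == 0:
                deposits.popleft()
    return held, sum(d[1] for d in deposits)

def is_pass_through(ledger, max_hours=72):
    """True when every received satoshi left again within max_hours and nothing remains."""
    held, balance = dwell_times(ledger)
    return bool(held) and balance == 0 and all(h <= max_hours for h, _ in held)
```

An address with no transactions at all, like the Ethereum one discussed next, returns False because there is no dwell time to measure.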
By contrast, the Ethereum address appears to have been set up but remained unused. Data from Etherscan shows a zero balance and no inbound or outbound transactions. The absence of activity suggests it may have been intended for future collection or as a backup option to display multiple avenues for potential donors.
The presence of multiple wallets across Bitcoin, Ethereum, and Tether demonstrates an attempt to broaden the group’s donor base. Stablecoins like USDT are particularly attractive for their relative price stability and speed of transfer, while Bitcoin remains a recognizable gateway for sympathizers familiar with cryptocurrency. By combining these options, Jaish al-Adl increases the likelihood of securing contributions from different types of supporters across varying jurisdictions.
Notably, the group chose to promote these wallets openly in pinned Telegram posts, often alongside its official domains. This suggests an emphasis on visibility and accessibility over secrecy. Instead of attempting to obscure its financial pipelines, Jaish al-Adl appears to rely on the resilience of its media channels and the global reach of cryptocurrency networks to ensure continuity of funding opportunities, even when other assets face disruption.
Infrastructure Mapping: Social Media Footprint
Beyond Telegram and dedicated domains, Jaish al-Adl has attempted to extend its visibility into broader social media ecosystems. These accounts, though often short-lived, illustrate how the group seeks to reach audiences outside encrypted platforms.
The most prominent example was the Twitter handle twitter.com/s************g. The account reflected the branding of the group’s official website sh******l.org and operated as an auxiliary propaganda outlet until it was suspended. Although inactive today, its existence provided additional validation of the “S*******e A*l” network as Jaish al-Adl’s digital identity.
On Instagram, Jaish al-Adl-linked messaging was identified through a Telegram post dated 25 June 2024. The post advertised a “live Instagram discussion” with figures described as senior commanders or affiliated leaders. The following accounts were explicitly mentioned:
- instagram.com/h****i_i*******_b*****h
- instagram.com/o***d_m****k_r****i
- instagram.com/a****l_r*****n_b*******0
- instagram.com/n**********i_h*****z
- instagram.com/j**a_j********h
The inclusion of these profiles highlights an attempt to link Jaish al-Adl propaganda with a broader activist and religious community. However, the evidence does not confirm whether these accounts are operated by the group itself, by affiliated personalities, or by sympathetic actors amplifying its message. They should therefore be treated as possible affiliates rather than confirmed official infrastructure.
The strategy across social media appears to emphasize network extension and legitimacy-building. By projecting its brand into mainstream platforms such as Twitter and Instagram, Jaish al-Adl sought to increase its visibility, connect with diaspora audiences, and frame its operations in both ideological and local activist contexts. At the same time, the rapid suspension of such accounts shows the fragility of these efforts compared to the more resilient Telegram ecosystem.
Adversarial Pressure Against Jaish al-Adl Infrastructure
While Jaish al-Adl has built a layered digital ecosystem across Telegram, domains, and cryptocurrency wallets, these assets have also been subject to persistent monitoring and disruption by adversarial actors. Two groups in particular, Cyber Fattah Team and Haghjoyan, provide insight into the contested nature of the group’s online presence.
On 3 April 2024, the pro-Iranian collective Cyber Fattah Team reported that the group’s official website sh********l.org was inaccessible. In its Telegram channel t.me/f******h_ir, Cyber Fattah highlighted the downtime and circulated a check-host.net report to document the outage. The post framed the disruption as evidence of Jaish al-Adl’s vulnerability, amplifying the perception that its online propaganda outlets were being actively targeted.
A similar pattern emerged in December 2023 from the channel t.me/H**********n. Under the title Haghjoyan (later seized by the FBI and European cyber police in February 2024), the channel mocked Jaish al-Adl’s suspended Twitter presence, referencing twitter.com/sh************g in a sarcastic post that ridiculed the group’s loss of an online asset. The mocking tone underscored how adversarial collectives exploit takedowns to delegitimize extremist messaging.
These hostile mentions confirm two important dynamics. First, Jaish al-Adl’s domains and social media handles were sufficiently visible to attract direct targeting and monitoring from external actors. Second, the group’s online identity is not only a tool for propaganda but also a battleground in itself, where adversaries publicly track and attempt to undermine its legitimacy. The interplay between Jaish’s resilient infrastructure and its active challengers illustrates the ongoing contest over digital influence in the group’s conflict environment.
Conclusion
The attack on 15 September 2025 and the subsequent claim of responsibility provided a clear opportunity to examine Jaish al-Adl’s digital infrastructure. What emerged is a network that combines resilient propaganda channels, redundant web domains, and accessible fundraising mechanisms, all designed to ensure the group’s voice persists despite disruptions.
The investigation showed how Telegram remains the cornerstone of Jaish al-Adl’s communications, with t.me/m******l serving as the authoritative hub. From there, the group directs audiences to auxiliary channels, websites and cryptocurrency wallets for donations. These assets are consistently cross-promoted, creating a tightly woven ecosystem that is difficult to fully dismantle.
At the same time, the group’s online presence exists in a contested environment. Adversarial collectives, pro-Iranian cyber units, and law enforcement actions have all targeted Jaish al-Adl’s accounts and domains, seizing or mocking them when disruptions occur. This constant push and pull underscores both the fragility and adaptability of the group’s infrastructure.
Ultimately, Jaish al-Adl’s digital footprint reflects its position as a regional insurgent group with transnational ambitions. Its infrastructure is inexpensive, replaceable, and designed for endurance rather than sophistication. While each takedown demonstrates the vulnerabilities of its online ecosystem, the group’s ability to reconstitute channels and rebrand domains highlights a degree of resilience that ensures its messaging continues to circulate.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.
The primary goal of this report is not just attribution, but also to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.