
LOS ANGELES — With U.S. and Israeli forces continuing offensive strikes on Iran, federal counterterrorism authorities are warning that the desperate theocracy could launch retaliatory strikes on American soil using sleeper cells, affiliated Iranian terrorist groups, lone wolf sympathizers or targeted cyberattacks.
Within days of the killing of Iranian Supreme Leader Ayatollah Ali Khamenei on Feb. 28, cryptic messages were broadcast globally on a new shortwave radio frequency.
“Tavajjoh! Tavajjoh!” the message began, using the Persian word for “attention.” The eerie male voice then read a seemingly random string of numbers.
The monotone transmission recalled the manner in which deep-cover Cold War spies for the KGB and CIA once received orders. Using a special encryption code, the operatives could translate the numerals into a readable message. Although messages from so-called number stations have been broadcast for decades, they are now less prevalent in the digital encryption age.
Still, federal authorities warned local law enforcement that they had detected a new broadcast of a likely encoded sequence that could be “an operational trigger” for “sleeper assets” potentially on U.S. soil.
Although counterterrorism investigators have so far found no credible specific threat, a memo to police agencies, first reported by ABC News, calls for local law enforcement to be on heightened watch. The alert describes the “preliminary signals analysis” of the transmission, “likely of Iranian origin,” that was relayed across multiple countries and intended for “clandestine recipients” who possess the encryption key.
“Sleeper cells have always been a concern when it comes to Iranians and their proxies,” said Horace Frank, former head of counterterrorism for the Los Angeles police and a retired assistant chief. “This isn’t new, but given the situation, some of their proxies are feeling a lot more desperate.”
The FBI and the Department of Homeland Security have been on a war footing since Operation Epic Fury launched Feb. 28.
During President Joe Biden’s term, the Department of Homeland Security issued a threat assessment saying, “Iran relies on individuals with pre-existing access to the United States for surveillance and lethal plotting.”
Beyond the idea of a deep-cover sleeper cell threat, Iran has repeatedly tried to hire assassins to kill U.S. officials.
After a U.S. airstrike against Iranian Gen. Qassem Suleimani in 2020, Iran sought to kill former Secretary of State Mike Pompeo and former national security advisor John Bolton to avenge the general’s death. The Department of Justice charged Shahram Poursafi, a member of Iran’s Islamic Revolutionary Guard Corps, with trying to hire people to assassinate Bolton, a former top official in the Trump White House, between October 2021 and April 2022 in Washington and Maryland in exchange for $300,000. He remains a fugitive.
On Friday, Asif Raza Merchant was convicted in a 2024 murder-for-hire plot targeting President Donald Trump and others, and attempting to commit an act of terrorism transcending national boundaries. Pakistani native Merchant was recruited in Karachi in 2022 or early 2023, when he received training in tradecraft, including countersurveillance, by the Islamic Revolutionary Guard Corps, prosecutors said. Merchant testified that in 2024, he was sent to recruit “Mafia” members to steal documents, stage a protest and arrange the murders, but the hit men turned out to be federal agents.
In November 2024, the Justice Department charged Farhad Shakeri — an Afghan national residing in Tehran — in a separate plot. Authorities said he had also been tasked by the Revolutionary Guard with hiring someone to assassinate Trump.
Since the Sept. 11 terrorist attacks, the Los Angeles Police Department has attempted to prepare for all manner of threats — machine gun-based street attacks; fuel bombs with secondary explosives intended to kill first responders; and even radiation-laced dirty bombs. Using security lessons learned in the Middle East, the LAPD even makes vehicles carrying Hollywood stars to the Oscars zigzag around concrete barriers, while snipers with .50-caliber rifles keep their eyes peeled for potential threats.
“We are at a heightened level of awareness,” Chief Jim McDonnell said. “Lone wolves in our experience have been our concern.” Such attackers may be inspired by talk in the Middle East, and see themselves as acting for the cause.
“We have some great partnerships with our local and federal agencies,” when it comes to counterterrorism, McDonnell said. But historically, as much as intelligence pays off, the chief said it is the eyes and ears of the public that often deliver the vital tip.
Those of Iranian descent number more than 700,000 in Southern California, the largest single population outside Iran. McDonnell said that brings heightened awareness.
Even as the LAPD and other agencies have thwarted several lone wolf plots, the nation’s worst terrorist attack since 9/11 unfolded in San Bernardino. Restaurant inspector Syed Rizwan Farook, a U.S. citizen, and his Pakistani-born wife, Tashfeen Malik, walked into his San Bernardino County employee holiday party with military-style assault rifles and shot more than 30 people, killing 14 in 2015.
The extreme violence, apparently inspired by jihadi propaganda online, thrust the city of San Bernardino into the global spotlight.
For homeland security analysts, the San Bernardino attack was a wake-up call. At the time, they were still intensely focused on preventing terrorists trained in foreign lands from infiltrating America’s porous borders — as the 9/11 hijackers had. Now they were confronted with the grave threat that American citizens were being radicalized online.
Farook was raised in Riverside. Malik was born in Pakistan and had lived most of her life in Saudi Arabia. They met online, married, had a 6-month-old girl, and lived in Redlands. They had no apparent links to international terrorist networks — until Malik pledged allegiance to the leader of the extremist group Islamic State on Facebook shortly before the attack.
Within a day of the Iranian leadership being targeted and killed, 53-year-old Ndiaga Diagne donned a hoodie emblazoned with the words “Property of Allah” and a T-shirt stamped with an Iranian flag design and set about killing three people and wounding 13 on Austin’s popular bar strip before being fatally shot by police in Texas. Investigators are still looking into the motive, including a “nexus to terrorism.”
Counterterrorism experts also warn there is a threat from so-called proxies — those associated with the Iranian government, including militants linked to Hezbollah in Lebanon and the Houthi movement in Yemen. A Rand report, Hezbollah’s Networks in Latin America, found that the militant group had a considerable network that was active in the Southern Hemisphere.
Frank, the former police official, said those proxies have traditionally used California as a fertile base for financing and have avoided other activities here. However, given the military threat Iran now faces, that could change.
In 2023, two Iranian nationals on a U.S. security watch list were apprehended at the Texas-Mexico border, stoking security concerns. After U.S.-Israeli strikes on Iran’s nuclear infrastructure last year, Customs & Border Patrol Commissioner Rodney Scott warned that “thousands of Iranian nationals have been documented entering the United States illegally” between 2022 and 2025. Countless more were probably “got-a-ways,” he said.
But some experts say Iranians with government ties don’t need to risk border crossings and have access to fake identities. They note that authorities in São Paulo unmasked a hub for Iranian document-forging networks.
U.S. counterterrorism authorities have long watched the cyber threat from Iranian-backed hackers. In recent years, those tied to the government have been seen testing vulnerabilities in U.S. systems and targeting water supply facilities. But cybersecurity experts say that beginning the morning of Feb. 28, when the strikes began, Iran’s available internet connectivity dropped to between 1% and 4%.
Joint Chiefs of Staff Chairman Gen. Dan Caine said U.S. Cyber Command was involved in “coordinated space and cyber operations [that] effectively disrupted communications and sensor networks … leaving the adversary without the ability to see, coordinate or respond effectively.”