Rogue State Resilient Retribution: Revenge for General Soleimani

Gen. Qasem Soleimani Avenged? Do not think Iran will give up an opportunity to avenge the Trump administration’s January 2020 killing of Gen. Qasem Soleimani, the very powerful and much revered commander of Iran’s Islamic Revolutionary Guard Corps (IRGC) Quds Force. Iran’s retaliation will come at the time and place of its choosing….

– From K. Campbell’s 2023 Global Risk & Intelligence Forecast

Immediately after his inauguration in January 2025, Donald Trump revoked the protective security details for all his former national security advisors who are on Iran’s hit list. Iranian leaders seek to avenge the previous Trump administration’s January 2020 assassination of Gen. Qasem Soleimani, who was the very powerful commander of Iran’s Islamic Revolutionary Guard Corps (IRGC) Quds Force. (At least four former aides reportedly on Iran’s hit list did not receive security protection prior to January 2025, according to news media reports.)

Politico reporting and U.S. Department of Justice (DoJ) court documents claim that Trump and roughly a dozen of his former aides are on the rogue state’s hit list. Iran’s assassination planning appears to have occurred against at least a couple of these former officials. Politico reports that the U.S. Secret Service (USSS) team assigned to Robert O’Brien, one of Trump’s former national security advisers, detected two Middle Eastern individuals trailing him when he was in Paris in June 2022.

And between October 2021 and April 2022, IRGC uniformed member Shahram Poursafi attempted to have someone in the U.S. kill John Bolton, another of Trump’s former national security advisors, according to an August 2022 U.S. DoJ affidavit.

FBI most wanted poster for IRGC member Shahram Poursafi

IRGC Quds Force (IRGC-QF)

Created following Iran’s 1979 revolution, the IRGC rivals and is independent of Iran’s regular military. The revolutionary guards’ main purpose is to defend the revolution, including preventing the regular military from mounting a coup against Iran’s theocracy. The IRGC reports directly to Supreme Leader Ayatollah Ali Khamenei.

The IRGC-QF, the elite paramilitary arm of the revolutionary guards, conducts external operations—to export Iran’s revolution (“Quds” is the Persian word for Jerusalem). It is roughly the combined equivalent of the Central Intelligence Agency, Defense Intelligence Agency (DIA), U.S. Army Special Forces (Airborne) (“Green Berets”), and U.S. Joint Special Operations Command. Officially subordinate to the IRGC alongside its sister components (IRGC navy, army, air force, intelligence, cyber, and the Basij paramilitary responsible for domestic security), the IRGC-QF is first among equals. In practice, the Quds Force reports directly to the supreme leader.

Soleimani led the Quds Force from the late 1990s. While the deceased IRGC-QF chief was by no means a universally venerated figure in Iran, he was one of the most powerful and high-profile figures in the country. Some Iranians even considered him a potential future candidate for political office.

Vulnerabilities

Protective Details

The former (and any current) U.S. officials on Iran’s hit list have had varying degrees of vulnerability. The best protected are any currently serving officials who have USSS or U.S. Department of State Diplomatic Security Service protection. (According to Politico, protection for the former National Security Council (NSC) officials on Iran’s hit list cost the federal government a total of almost $150 million per year before this protection ended. A single protective team reportedly comprised roughly a half-dozen people.) At the other extreme are the former officials on Iran’s hit list who do not have a government or private sector protective detail.

It is potentially even worse when those without protection travel overseas. If O’Brien did not have a protective detail during his June 2022 visit to Paris, it is unlikely he would have detected the alleged surveillance against him. Future travels overseas by him and his former colleagues without personal protection could be risky, especially for publicized trips.

Even for former officials who have hired nongovernment security details, their mileage will vary. Some executive protection teams are truly professional, with agents specifically trained in executive protection and who have previously trained or worked together. However, often protectors are hired simply because they are prior law enforcement officers or military special operators but lack any training in executive protection. And ideally, protective teams facing credible threats like Iran’s would include agents whose sole or primary purpose is surveillance detection. However, dedicated surveillance detection roles are a rarity in the private sector due to cost.

Location, Location, Location

These former national security officials are likely most vulnerable to Iran’s assassination attempts while at their residences, workplaces, and in and around their vehicles. The area between a building’s facade and the targeted individual’s vehicle or other destination—the distance that must be traversed on foot—is also vulnerable. Note President Gerald Ford’s locations during the two assassination attempts against him in 1975, and President Ronald Reagan’s activity during his assassination attempt in 1981.

Adding to the risks for those on Iran’s hit list would be the absence of a trained security driver and an armored vehicle. The aforementioned locations where these former U.S. officials presumably spend most of their time are where they must get in and out of their vehicle. Varying their “pattern of life” would also mitigate the risks.

Pattern of Life

The former NSC officials are increasingly vulnerable if they do not vary their routines. Non-random activities such as taking the same route to destinations every day, or going for walks in the same park at the same time daily can result in Iran and its proxies establishing their targets’ pattern of life.

  • According to the DoJ’s affidavit, IRGC member Poursafi told the FBI’s confidential human source that killing Bolton was easy and indicated that he took walks in the park alone. The IRGC also claimed to know that Bolton walked or was driven to work.
  • Poursafi claimed to know that Bolton’s pattern of life had not changed in mid-January 2022.
  • An Iran-based IRGC asset claimed to his New York-based co-conspirator that journalist and activist Masih Alinejad, whom the regime has tried to kidnap and kill, spends most of her time in her Brooklyn residence’s third-floor study and in its second-floor recording studio, according to a DoJ criminal complaint in November 2024 (Alinejad revealed to the news media that she is “Victim-1” in the criminal complaint). The IRGC asset also appeared to have information about her activities and travel.

Cyber Vulnerabilities

Iran ranks among America’s most capable cyber adversaries. In addition to hacking former officials’ emails to seek embarrassing information, Iran could hack to facilitate assassination planning. For example, airline ticket and hotel reservation confirmations sitting in an email account’s inbox would betray otherwise good operational security and privacy controls. Victoria Coates and Robert Greenway, both of whom oversaw the Iran portfolio at the NSC, told Politico that Iran hacked their emails at least once since the Soleimani strike.

Indirect approaches in intelligence collection can be effective. Hacking the emails of the co-workers, assistants, and family members of these former NSC officials could yield useful information and can also serve as a phishing vector to hack the primary targets.

  • Poursafi appears to have had inside knowledge of Bolton’s schedule. He claimed that Bolton spent the 2021 to 2022 Christmas and New Year holidays at home, and that contrary to public information, Bolton was not traveling in mid-January 2020. A few days later, Poursafi claimed that Bolton had not yet finalized travel plans.
  • According to Coates, the email accounts of her two children were also hacked at the same time.

For everyone on Iran’s hit list, cyber hygiene would be critical for trips, especially outside of the U.S.—particularly to the Middle East.

Lebanese Hezbollah and other Proxies of Iran

Iran played a key role in establishing Lebanese Hezbollah, a political party and the world’s most lethal militant group, in 1982. Iran still provides substantial support to Hezbollah, spending as much as an estimated $700 million annually on the group in recent years.

If Hezbollah were to once again support the assassination of U.S. citizens, it could activate U.S.-based affiliates of the terrorist group. Since 1997, at least 128 Hezbollah-affiliated individuals have operated in the U.S., according to open source research. Nineteen of these individuals were charged with providing operational support to Hezbollah, including weapons procurement and pre-operational surveillance. These figures are based solely on public records such as court documents; the actual number of Hezbollah-linked operatives in the U.S. could be significantly higher.

However, Hezbollah support to Iranian assassination attempts against current or former U.S. officials is unlikely unless the U.S. is drawn into a war with Hezbollah in Lebanon (U.S. interests overseas could become collateral damage in any Israeli-Hezbollah conflict). Regardless, pre-operational surveillance by Hezbollah and other Iranian proxies is possible.

  • On Feb 1, 2022, Poursafi claimed to the FBI confidential source that the Iranians had someone check the area around Bolton’s home and found there was no security presence.

In addition to Hezbollah, Iran supports roughly a dozen other militant groups throughout the Middle East. This Iran Threat Network, as it is referred to within the U.S. government and some think tanks, provides Iran with potent resources to support lethal activities—including assassination attempts.

Mass casualty events to which the Iran Threat Network has been linked include:

  • At least 603, or 17%, of U.S. personnel killed in Iraq between May 2003 and January 2019, for which Iran-backed Shia militants probably were responsible, according to DIA. During the war (which ended in August 2010) another 534 U.S. personnel suffered major amputations from improvised explosive devices, which the Quds Force specialized in developing and providing to Iran-backed Shia militants.
  • 1996 bombing of Khobar Towers, the U.S. Air Force housing in Saudi Arabia, that killed 19 service members;
  • Bombing of the Israeli Embassy in Buenos Aires, Argentina in 1992 that killed 29 people;
  • 1994 bombing of a Jewish center in Buenos Aires that killed 85; and
  • 1983 bombings of the U.S. Marine and French paratrooper barracks in Lebanon that killed 305 people. The same year, a bombing at the U.S. embassy in Lebanon killed 63.

Iran’s Weakness: Covert Action Amateur Hour

Iran’s troubling tapestry of overseas operations is peppered with incompetence. As exemplified by Iranian failed plots in Sweden in 2021, near Paris in 2018, and in Thailand in 2012 (a bomb plot in which one of the plotters lost both of his legs as he tried to evade arrest), Iran’s tradecraft can be amateurish.

Iran’s recent assassination attempts have also succumbed to incompetence. In the Bolton case, the FBI identified several occasions in which an online account in Poursafi’s name searched for “the address and zip code of [Bolton’s] office building and the surrounding area.” Another online account also in Poursafi’s name had screenshots from a map application that showed Bolton’s office building.

And according to a DoJ superseding indictment, the IRGC team that plotted to kidnap journalist and activist Masih Alinejad in 2022 used Google searches to look up exchange rates (presumably to inform payments to their hired assassins in New York); time zone differences; a business located several hundred feet from Alinejad’s residence; and Alinejad’s name.

According to the aforementioned DoJ criminal complaint related to Alinejad, a year later when Iran tried to murder her, the Iran-based IRGC asset used a cloud account that identified him as its user. This account held photographs of himself, his communications with other individuals, and other personal information about him. The cloud account also stored an image of Alinejad’s biographical information such as her home address, date of birth, social security number, her professional background and activities, and pictures and video of her residence.

The IRGC asset’s co-conspirators in New York also had cloud accounts that stored images of their numerous firearms, texts between them coordinating plot-related financing, and texts between them and the Iran-based IRGC asset.

In essence, the Iranians and their U.S.-based hired help who were plotting kidnappings and assassinations not only used cloud accounts for their incriminating open source intelligence collection and communications, they did so from accounts registered in their names or accounts that were obviously associated with them. This despite the availability of more secure search engines like DuckDuckGo and Startpage, the existence of highly encrypted cloud storage services, the availability of various email alias services and encrypted email providers, and the existence of encrypted messaging apps.

This surprisingly amateurish tradecraft works to the benefit of U.S. intelligence and law enforcement agencies, their foreign partner agencies, and those on Iran’s target list.

Outlook

Iran will almost certainly continue to seek retribution for Soleimani’s assassination, including keeping the former U.S. national security officials in its crosshairs for the foreseeable future. It will likely forgo retaliation for Soleimani’s killing under only three scenarios that are currently unlikely:

  1. Overthrow of Iran’s theocracy;
  2. Complete normalization of relations with the U.S. (unlikely without the previous scenario);
  3. A negotiated agreement, such as a new nuclear deal, that requires Iran to cease attempts at Soleimani-related retaliation, with Iran abiding by that section of the agreement.

Complacency will arguably be the most significant risk to the former NSC officials on Iran’s hit list. Complacency was clearly a factor in the near-fatal attack on Nobel Prize-winning author Salman Rushdie in 2022, onstage at an event in New York. An American and Lebanese dual citizen lone actor, Hadi Mattar, attacked Rushdie 33 years after Iran’s supreme leader issued a fatwa (a religious ruling) calling for Rushdie’s murder over his novel “The Satanic Verses”. Rushdie’s security at the event was insufficient by any measure, and arguably even nonexistent.

Overall, reasonable physical and online vigilance—including security risk assessments, travel risk management plans, and cost-effective personal security measures—could mitigate the risk to people on Iran’s hit list.

Iran would likely also be satisfied with a mass casualty attack against U.S. (or even Israeli) interests overseas to avenge Soleimani.
