This site uses cookies for analytics and to improve your experience. By clicking Accept, you consent to our use of cookies. Learn more in our privacy policy.

New group claims London attack as Iran-style tactics spread across Europe

March 31, 2026

IRAN

Low-tech attacks and use of recently radicalised, off-radar recruits point to a scalable model with growing impact across Europe, including the UK

A PREVIOUSLY unknown Islamist group has claimed responsibility for an arson attack in north London, in what analysts say signals a shift towards low-tech tactics designed to maximise psychological impact across Europe, according to a new report by Sibylline.

Harakat Ashab al-Yamin al-Islamia (HAYI) says it was behind the attack in Golders Green, where vehicles linked to a Jewish aid service were set on fire. The claim remains unverified, but it marks the first time the group has directly linked itself to an incident in the UK.

Crucially, analysts believe the model behind the attacks relies on recruiting young individuals online – often teenagers only recently exposed to extremist content and with little or no intelligence footprint.

The group has also claimed a series of attacks on Jewish institutions and US-linked targets across Europe, including incidents in the Netherlands, Belgium and the Czech Republic, involving small explosive devices and arson.

The emergence of HAYI comes against a backdrop of rising antisemitic incidents across Europe and the UK, underscoring how conflict in the Middle East is increasingly translating into domestic security risks.

While little is known about the group, its messaging, targets and methods suggest alignment with Iranian proxy tactics, even if direct links remain unconfirmed.

“This group was completely unknown before the first attack it claimed,” says Annabelle Walker, associate analyst for Europe. “But its tactics and targeting align with known Iranian playbooks.”

What is clearer is the model being deployed – one that prioritises impact over sophistication.

Rather than relying on trained operatives, the attacks use rudimentary methods, including arson and small explosive devices, causing limited physical damage but generating disproportionate psychological effect.

By operating below the threshold of mass-casualty terrorism, such attacks are harder to detect and disrupt, while still achieving their intended effect: spreading fear, signalling reach, and reinforcing the sense that conflict abroad is spilling into European cities.

Explosions and arson attacks claimed by HAYI; source: Sibylline

“It’s an intimidation campaign,” Walker says. “It’s designed to use low-impact events to create an outsized psychological effect.

“It’s low enough under the threshold for a serious attack that they can carry it out without it being thwarted.”

European investigators believe the model increasingly relies on online recruitment, particularly of minors, to carry out attacks in exchange for relatively small payments.

In one recent case in Paris, a suspect allegedly told police he had been recruited via Snapchat and offered around EUR 600 to carry out an attack on a US-linked financial target.

Many of those detained in connection with recent incidents have been minors, underscoring both the accessibility of recruitment channels and the vulnerability of younger individuals exposed to extremist content online.

“Minors are particularly vulnerable,” Walker says. “They become easy picking.”

Unlike established extremist networks, these individuals may only have been radicalised over a short period, leaving little time for authorities to detect or disrupt plots.

The approach mirrors a “violence-as-a-service” model, in which loosely connected – often young – recruits with little or no intelligence footprint are mobilised quickly and cheaply.

This allows actors to generate repeated, low-level incidents at minimal cost while maintaining plausible deniability, creating a cumulative sense of instability that is difficult to contain.

The group’s propaganda, distributed via Telegram channels linked to pro-Iran networks, reinforces that strategy.

Videos claim responsibility for attacks and outline future targets, including US financial institutions operating in Europe.

However, analysts have identified inconsistencies in the content, including language errors and irregular structures, raising questions about whether the material is amateur in origin or generated using artificial intelligence.

That uncertainty extends to the group itself.

It remains unclear whether HAYI represents a coherent organisation, a front for proxy activity, or simply a label used to claim and amplify attacks carried out by disparate actors.

In some cases, the group has claimed responsibility for incidents days after they occurred, further complicating attribution.

Despite that ambiguity, the pattern is becoming harder to ignore.

The attacks have so far caused limited material damage and no reported casualties. But their frequency, geographic spread and target selection – focusing on Jewish communities and US-linked institutions – point to a deliberate attempt to generate fear and signal reach.

Financial institutions have emerged as a particular focus, with HAYI propaganda referencing major US banks operating in Europe. A recent foiled plot targeting a financial site in Paris has reinforced concerns about the sector’s exposure.

Analysts warn that even low-level attacks can carry significant operational and reputational consequences, particularly when combined with sustained online amplification.

The risk of copycat attacks is also increasing, as HAYI-linked content gains traction across pro-Iran social media networks.

Individuals with no formal connection to organised groups may be inspired to carry out similar attacks using easily accessible methods, including arson or improvised devices.

European counterterrorism agencies have historically been effective in disrupting more sophisticated plots linked to Iranian or Hezbollah networks.

In 2018 intelligence agencies in France, Belgium and Germany thwarted a terror plot to bomb a Free Iran rally in Paris. That operation was led by Iran’s Ministry of Intelligence (MOIS) and coordinated by the regime’s European spy chief Assadollah Assadi, who served as a diplomatic attache to its embassy in Vienna.

But the decentralised nature of this newer model presents a different challenge.

Small-scale attacks carried out by loosely connected individuals – particularly those recently radicalised and off the radar of intelligence agencies – are inherently harder to predict and prevent.

“This is a very easy and low-cost way to conduct attacks,” says Annabelle Walker. “It’s decentralised, dispersed and much harder to monitor – increasing the risk across Europe, including the UK.”

Stay ahead of emerging risk. Get notified whenever Sibylline publishes a new report.