OTTAWA/WASHINGTON — Before the United States government seized four websites operated by Iran’s intelligence ministry and dismantled a network that had directed the Jalisco New Generation Cartel to behead a former Ontario politician at her Ottawa home, two of those sites were registered through a Toronto company that enables website owners to cloak their identities.

Court documents unsealed by the U.S. Department of Justice on Thursday reveal that Goldie Ghamari, a prominent Iranian-Canadian activist and former Progressive Conservative member of the Ontario legislature, was targeted with a $250,000 bounty issued by Iran’s Ministry of Intelligence and Security and offered to cartel killers who, according to the threat itself, were already deployed in Canada.

New details in the underlying affidavit suggest that Canada’s technology community was also unwittingly involved in the FBI’s counter-terrorism investigation.

Two of the four domains seized by federal investigators as instruments of that operation were registered through Tucows, a company headquartered in Toronto, while a separate domain in the same conspiracy was financed through a chain of cryptocurrency transactions running from a Hong Kong-based exchange through Tehran directly to the Iranian state.

Taken together, the findings reveal that the Iranian Ministry of Intelligence and Security’s North American kill network was not merely a Tehran operation. Its infrastructure ran through Toronto and its money ran through Hong Kong.

Ghamari, who has become one of the most prominent Iranian-Canadian voices condemning the Islamic Republic since leaving office, responded directly to The Bureau’s reporting in a post she pinned to the top of her X profile. “Wow,” she wrote. “This is about me and the death threats/bounty on my head. Thank you DOJ. Thank you President Trump. God bless America.”

The new findings sharpen what Ghamari had already identified as a systemic failure.

The larger picture that emerged from Thursday’s reporting underlines a theme that critics such as Ghamari, across Iranian, Chinese, Indian, and other diasporas have complained of: that Mark Carney’s Liberal government, the RCMP, and Canada’s security and border control framework have not adequately protected Canadians from violent transnational repression threats.

The gap between what Washington established in court and what Ottawa has been prepared to acknowledge was thrown into sharp relief this week by Royal Canadian Mounted Police Commissioner Mike Duheme.

In an interview with CTV News journalist Vassy Kapelos, Duheme was pressed directly on whether foreign-directed activity poses any threat to public safety in Canada.

He said his force could not make the connection. “I’m saying that based on the totality of the files that we have on foreign interference or transnational repression, what we have in our holdings is we have people that are intimidating people, harassing people, but connecting the dots to a foreign entity, regardless of the country, we don’t have that,” Duheme told Kapelos.

The interview was reported this week. The DOJ affidavit establishing that Iran’s Ministry of Intelligence and Security had directed a Mexican drug cartel to target a Canadian politician at her Ottawa home was unsealed the same day.

According to the affidavit, the Handala Hack site that targeted Ghamari was also used to publish the names and confidential data of individuals it claimed worked for the Israeli Defense Force.

In one March 6, 2026 post cited by investigators, the site warned: “we even know your exact location....” and urged “People of the Axis of Resistance! See these names and respond to these Zionist pigs yourselves.”

In related postings, the affidavit says, Handala also circulated “wanted” style material, including photographs and reward amounts, while declaring that it would open “a new chapter in exposing those complicit in the machinery of the Zionist regime” through its Handala/Redwanted platform, underscoring that the network targeting Ghamari was part of a broader operational campaign of intimidation, exposure, and incitement.

The sworn FBI affidavit, filed in the District of Maryland, documents that Iran’s Ministry of Intelligence and Security used a network of cyber personas — operating under the names Handala Hack, Karma Below, and Homeland Justice — to orchestrate hacking campaigns, publish the stolen personal data of dissidents and Jewish community members, and infect journalists’ computers with remote-access malware.

The network also targeted an American medical technologies company whose hack disrupted emergency services at hospitals across Maryland.

Regarding the threats against Ghamari, Handala Hack is alleged to have directed the Jalisco New Generation Cartel to execute named individuals in North America. The cartel, according to the threat text reproduced verbatim in the federal filing, had already been given the home addresses of its targets. “Both of you will be executed soon,” the email to Ghamari read, “and we have offered a reward of $250,000 for the operatives who kill both of you.” The second target was Elica Le Bon, an Iranian-American lawyer and activist based in Los Angeles.

The affidavit identifies all three cyber personas — Handala Hack, Karma Below, and Homeland Justice — as a single MOIS conspiracy, tracked by commercial cybersecurity firms under the designations Void Manticore, Storm-0842, and Banished Kitten.

It is within that unified attribution that two separate Canadian threads emerge.

The first is infrastructure.

According to WHOIS domain name registration records cited in the affidavit, the domain justicehomeland.org — the primary platform of the Homeland Justice persona, which the FBI formally attributes to MOIS — was registered on or about February 1, 2023, through Tucows Domains Inc., headquartered at 96 Mowat Avenue, Toronto, Ontario. A second seized domain, karmabelow80.org, operated under the Karma Below persona and also formally attributed to the same MOIS conspiracy, was registered on or about February 4, 2025, through the same Toronto company. Tucows, the affidavit notes, provides services that allow website owners to keep their publicly viewable contact details private — a feature the affidavit implies was operative in this case. Iran’s intelligence ministry, in other words, built two instruments of its network using a Toronto registrar’s privacy protections.

The second thread is financial.

Blockchain analysis cited in the affidavit traces the Litecoin used to purchase a third seized domain — handala-hack.to, the primary platform of the Handala Hack persona — through a layered sequence of cryptocurrency conversions designed, investigators concluded, to obscure the money’s origin.

The funds were purchased through BitPay and deposited with Namecheap, the Arizona-based domain registrar.

Before reaching BitPay, the Litecoin originated from a cryptocurrency wallet attributed to an automated exchange service based in Hong Kong and registered in St. Kitts and Nevis in the Caribbean — a structure that facilitates cross-chain currency swaps without requiring users to maintain accounts on multiple platforms, maximizing operational anonymity.

That Hong Kong exchange, in turn, had received the funds from multiple virtual asset service providers, among them Ramzinex, the prominent Iranian cryptocurrency exchange headquartered in Tehran.

“Blockchain tracing therefore demonstrates that funds used to purchase the domain were sourced, through intermediary transactions, from an Iranian cryptocurrency exchange,” the affidavit states. “The deliberate use of multiple cryptocurrency conversions and intermediary transfers reflects an effort to obfuscate the original source of funds used to facilitate the underlying criminal scheme.”

The affidavit does not identify the Hong Kong exchange by name.

But the presence of a Hong Kong-based financial node at the center of an Iranian state intelligence financing chain is consistent with a pattern this reporter has documented across multiple investigations: Chinese financial infrastructure — whether through direct state direction or the structural opacity that Hong Kong’s financial environment provides to international actors — has repeatedly appeared as an intermediary layer in networks connecting Chinese, Iranian, Mexican cartel, and other state-aligned criminal financing and money laundering schemes.

A similar pattern of technological and financial connectivity linking Canada, Hong Kong, Iranian threat networks, and Mexican cartel actors was also exposed in the case of Royal Canadian Mounted Police intelligence mole Cameron Ortis.

Ortis leaked details of a U.S. government investigation to the principals of Phantom Secure, a Vancouver encryption technology company with direct ties to the Sinaloa Cartel and to major Hezbollah money-laundering networks operating from Toronto and through Dubai, Pakistan, and Iran.

Canadian former military intelligence analyst Scott McGregor has noted that Vancouver has become what he calls the “center of gravity” for transnational organized crime connected to hostile state activity from countries including China and Iran, as well as Mexican cartel partner networks. McGregor says Vancouver became known in Five Eyes intelligence circles for hosting up to 17 encryption technology companies used by these threat actors and run by Vancouver-based criminal networks.

The DOJ affidavit notes that the Handala threat stated that CJNG operatives were present in “a redacted foreign country” at the time the threat against the Ottawa-based Ghamari was issued. The country’s name is withheld in the unsealed document.