During the Iran-Israel war, the Islamic Republic of Iran escalated its crackdown in cyberspace, launching a new front of digital repression. This includes enacting repressive laws and criminalizing tools that enable free access to information.
This 12-day war ushered in one of the most oppressive eras for internet access in Iran. Beyond outright disconnection, internet service was discriminatorily restored, with availability tied to user classification and political loyalty. The government invoked “cybersecurity” – citing potential threats from satellite drones, cyberattacks, and the dissemination of information to foreign media – to rationalize its stringent grip on public communications. However, analysis of available data and conflicting official statements exposes the underlying agenda: to suppress the free exchange of information within Iran and across its borders.
The following are key highlights from this month:
- Iran approved a new bill intensifying punishments for technological cooperation with hostile governments, criminalizing tools like Starlink under “corruption on earth” charges that can carry the death penalty.
- Widespread International Internet Disruption: A major international internet blackout began on June 17th (28th Khordad) and lasted for about three days, with gradual restoration starting around June 20th (31st Khordad). While some fixed-line providers regained connectivity sooner, mobile operators like Hamrahe Aval and Irancell remained disconnected.
- Complete Isolation of Domestic Data Centers: Iranian hosting companies lost the ability to connect to, update software for, or even sell foreign servers, indicating a full segregation of domestic data centers from the global internet.
- Blocked International OTPs: One-time password (OTP) SMS messages from international services such as WhatsApp and Google were blocked, with no explanation or support provided by operators to users.
- Advancement of Tiered Internet Schemes: Under the guise of “emergency internet” and “whitelisting of SIM cards and websites,” plans for tiered internet access for specific groups were pushed forward.
- Unsubstantiated Justifications for Outages: Officials and state-affiliated media attributed the internet outages to counter-drone measures, disruption of drone networks, and thwarting DDoS attacks. However, no evidence was provided to substantiate these claims.
- Forcing Users to use Domestic Messaging Apps: The internet shutdown pushed users toward domestic messaging applications, though their weak infrastructure proved unable to handle the increased user demand.
- Escalated Executions and Detentions: Iran witnessed a surge in executions and arrests on charges of spying for Israel, alongside a heightened anti-immigrant and anti-Afghan discourse in official media and online spaces.
1-New Parliamentary Bill Escalates Digital Repression with Death Penalty Risks
A pivotal moment in Iran’s cybersecurity policies is the approval of a new parliamentary bill entitled “Intensifying Punishment for Cooperation with Hostile Regimes.” This bill, in certain cases, considers the use of satellite internet services like Starlink as “corruption on earth” (Mofsed-e-Fel-Arz)—a charge that could carry the death penalty under Iranian law. This development marks a significant escalation in the Islamic Republic’s efforts to control internet access and information flow.
This new bill represents a significant escalation, imposing the harshest penalties—including long-term imprisonment, permanent dismissal from government service, and even execution—for any technological or media activity, or even personal use of communication equipment without a license, if linked to “hostile governments.” This comes alongside a broader strategy of digital authoritarianism that includes widespread restrictions on accessing the international internet, and the blocking of international identity verification SMS messages. Together, these measures paint a grim picture of escalating digital repression under the pretext of wartime security.
Key Provisions of the Bill and Legal Ramifications:
- Expanded Scope of “Corruption on Earth” to include Technological and Media Activities: Any informational, technological, media, or even cultural activity interpreted as being undertaken with “knowledge and awareness” in the interest of the “Zionist regime” or “hostile governments” will be considered “corruption on earth.”
Examples include:
- Cyber warfare, computer attacks, digital sabotage.
- Use of drones, smart robots, and specialized equipment.
- Dissemination of news or images that “weaken public morale” or “harm national security.”
This expansion effectively exposes many independent technological and media activities to the most severe criminal penalties.
- Criminalization of Unauthorized Internet Tools, Including Starlink: The use, purchase, sale, or import of satellite internet equipment like Starlink is prohibited under this law and can lead to imprisonment of up to two years (Discretionary Imprisonment, Grade 6). If these activities are carried out extensively and with “anti-establishment” intent, the penalty increases to two to ten years of imprisonment (Grade 4).
- Aggravated Punishments in Times of War or Security Crisis: When the country is in a state of war or security crisis (as determined by the Supreme National Security Council), the penalties outlined in this law can be increased by up to three degrees. This could even lead to the application of “corruption on earth” for minor infractions.
- Expedited Proceedings in Revolutionary Courts: All crimes covered by this law will be processed extraordinarily and out of turn in special branches of the Revolutionary Court, based on “judicial authorization” from the Supreme Leader of the Islamic Republic. This mechanism severely limits public oversight or the possibility of a fair defense.
- Retroactive Application and Limited Opportunity for Self-Declaration: Contrary to the principle of legality of punishments in criminal law, this law states that in some cases, even crimes committed before its approval can be prosecuted, unless the individual reports themselves to the authorities within three days of the bill’s approval.
2. Internet Access and Disruptions
Widespread Outage and Limited Recovery:
As of June 17, Cloudflare data unequivocally confirmed a complete shutdown of international internet access in Iran, showing total traffic volume, HTTP traffic, and the number of requests plummeting to near zero. After approximately three days, starting on the morning of June 20, the restoration process gradually began, with signs of partial internet connectivity returning in some areas. However, as illustrated in the IODA chart (which is mentioned in the original text, but not provided here), many routes remained blocked.
While some fixed-line providers like Telecommunication Company of Iran (TCI) and Pars Online saw connectivity restored on June 20, major mobile operators such as Irancell, Hamrahe Aval, and Rightel remained offline. Similarly, some local servers, including Tehran Server, Abr Arvan, Respina, Tebyan, and Amin Data Center, experienced only partial restoration.
From June 20 to June 23, the traffic recovery was primarily observed among fixed-line infrastructure providers, with Hamrahe Aval and Irancell largely staying offline. This pattern persisted until June 24, when a significant surge in traffic began in the early hours of the morning, reaching the maximum recorded capacity on the charts.
Digital Iron Curtain: Impact on Businesses and Infrastructure:
The comprehensive internet shutdown during this period dealt a crippling blow, severing a vital link for countless professional users, developers, and businesses across Iran. Domestic data centers, previously a crucial workaround for filtering by offering local access to the global internet, suddenly found themselves completely cut off. This immediate and widespread loss of international connectivity left many hosting companies unable to provide even essential services. They could no longer receive critical software updates, perform system backups, or conduct vital server monitoring and security maintenance. The crisis was so profound that some companies ceased selling foreign servers altogether due to overwhelming demand and a severe resource shortage. Effectively, the disconnection of these data centers from the international internet sealed the last remaining channels of communication, amidst an already restrictive environment. This devastating move not only crippled the nation’s digital infrastructure but also transformed Iran’s internal digital landscape into an isolated island, completely cut off from the global network.
Continued Disruptions to VPNs and IPv6 Protocol
According to Cloudflare’s protocol traffic distribution chart, the share of IPv6 in Iran’s internet traffic drastically decreased starting from June 12, coinciding with the beginning of the war. Despite a partial return of internet access since the ceasefire on June 23, the share of IPv6 in Iran’s internet traffic remains at only 0.4%. This figure effectively signifies the complete deactivation of IPv6 in the country’s infrastructure. This sudden decline aligns with user reports on social media, indicating ongoing IPv6 disruptions, a situation likely resulting from infrastructural issues or deliberate restrictions on communication pathways.
Disruption to Roaming and International Calls:
Iranian SIM cards abroad became unusable from June 18 to June 20 due to a nationwide roaming outage. Following this disruption, reports emerged of identity theft targeting Iranian users abroad, with fake accounts being used on social media to gain trust and acquire sensitive information.
While outgoing international calls from within Iran were possible, incoming international calls were impossible. Users also reported strange occurrences with international calls to Iran, such as callers being connected to a different person instead of their family, or calls being transferred to an unknown automated voice responder with AI-generated sounds or a Chinese accent. These phenomena raised significant concerns among users, with some interpreting them as an attempt to intercept calls made by Iranians outside the country.
Disruptions to OTP SMS: Restricting User Access to International Services
Beginning in late June , social media users, in particular, reported a serious issue with receiving one-time password (OTP) SMS messages from foreign platforms and services. This problem, affecting applications such as WhatsApp, Telegram, Signal, Google, and other international platforms, was widely reported. . Operators refused to provide a clear answer and denied the existence of the problem, yet this disruption effectively eliminated users’ ability to log in or recover their accounts. This move is indicative of a new security policy aimed at restricting the use of secure communication tools.
3- Government Policies and Justifications
Security Justifications for Internet Disruption:
Officials and state-affiliated media largely cited security threats as the primary reason for the internet outage. Government spokesperson Fatemeh Mohajerani stated that many drones were controlled via the internet. Given the cyberattacks on essential infrastructure and disruptions to banking operations, she claimed the government was compelled to impose restrictions on the global internet and move towards a national internet. She then urged the public to refer to national media and domestic messaging apps for news.
However, Ehsan Chitsaz, the Deputy Minister of Communications, challenged the government’s narrative in an Instagram post. While mentioning the downing of a drone in Qom, he explained that this drone was equipped with an advanced Iridium satellite modem and used communication infrastructures independent of the domestic internet. He emphasized that this drone had access to stable, fast, and secure communication via the global Iridium satellite network. The release of this information by a senior official from the Ministry of Communications discredited the government’s claim that internet disruption was linked to countering drones. Experts concluded that such restrictions had no impact on reducing drone attacks and only disrupted the lives and violated the rights of ordinary citizens.
Discriminatory Tiered Internet Schemes
Amidst widespread internet outages, a troubling trend of tiered and discriminatory internet access has emerged in Iran.
On June 22, the Tehran Province Computer and IT Guild Organization initiated a process to grant its member companies access to international internet. While framed as “ensuring the continuity of professional activities in emergency situations,” this move is a clear example of tiered internet, allowing IT companies global internet access while millions of citizens remain deprived.
A week later, on June 29, Nasim Tavakol, Chairman of Arsh Gostar company, proposed an “emergency internet” idea, suggesting that instead of a complete shutdown, dedicated internet lines be provided for critical sectors of the country. Despite her emphasis on the temporary nature of the proposal, Filterwatch considers “emergency internet” to be simply tiered internet under a new name.
Earlier, on May 24, the “Cyber Free Zone” plan, proposed by Ehsan Chitsaz, aimed to provide free internet access only for specific regions and companies.
Another instance of discriminatory internet access during the international internet blackout was the “whitelisting” of certain websites and mobile numbers, which allowed privileged groups to connect to the global internet. A similar event occurred during the 2019 protests, when a letter with the Ministry of Communications letterhead was circulated on Twitter, instructing all executive agencies to provide information about their systems, including websites, emails, online operational systems, and reliance on foreign services, in an Excel file to the National Information Network Monitoring and Surveillance Center.
Collectively, these initiatives, instead of upholding the right to equal and free internet access, have institutionalized digital discrimination, marking another step towards the discriminatory management of bandwidth and the restriction of ordinary users.
4- Impact of Deliberate Internet Disruption on Users and Online Services
Forced Use of Domestic Messaging Apps:
With the widespread international internet outage, people were coerced into using domestic messaging apps like Rubika, SoroushPlus, Eitaa, and Bale to maintain even minimal communication, despite concerns about their security. This led to a several-fold increase in users for local messaging apps, with SoroushPlus reaching over 10 million active users.
However, even these domestic messaging apps experienced disruptions as user numbers surged, lacking the necessary stability under pressure. Users reported extreme slowness, failure to send messages, and inability to make voice calls on these platforms.
Disruption of Google Services and Filtering Circumvention Tools:
During the period of international internet disconnection in Iran, access to Google search results remained possible, while other Google services, including Gmail, were often blocked or severely disrupted. It is presumed that this decision was made to assist users in finding domestic websites within the National Information Network.
Data revealed that due to the increased demand for Psiphon, it became impossible to download its Windows version, indicating the pressure on the distribution channels for anti-filtering tools during that time. However, according to Psiphon’s report, despite the severe internet censorship in Iran during this period, this tool managed to maintain access to free internet for over 1.5 million Iranian users, and currently supports over 4.5 million users again.
It is noteworthy that before the recent disruptions, Psiphon served 4 to 7 million Iranian users daily, and at the peak of the Mahsa Jina Amini protests in 2022, this number reached 9.2 million users per day (more than 10% of Iran’s population). These statistics indicate that with the rise of digital authoritarianism in Iran, the need for resilient and reliable tools for free access to information is becoming increasingly vital.
5- Cybersecurity Threats
Infrastructure Vulnerabilities and Increased Hacker Claims:
On June 22, a hacking group claimed to have infiltrated 73 million bank accounts of Bank Melli Iran customers and released files containing this data. Bank Melli and Sadad Informatics Company, in response, denied the data breach, stating that the published files were not authentic and that the group’s main objective was to distribute malware and steal user or network administrator passwords by infecting systems.
However, cybersecurity experts warned that even if this data is not real, the recurrence of such claims indicates infrastructure vulnerabilities and the risk of APT attacks (Advanced Persistent Threats) or continuous cyber threats against the country’s banking system. In this regard, FATA Police (Iranian Cyber Police) also issued warnings about malicious SMS messages and links related to activating internet banking services.
Increase in DDoS Attacks and Infrastructure Communication Company’s Disavowal of Responsibility
On June 25, Behzad Akbari, the CEO of Infrastructure Communication Company, stated in a tweet that DDoS attacks on the country’s infrastructure had intensified during the period of cyber warfare.
As user criticism mounted regarding the continued internet restrictions and the argument that cutting internet access is not a solution for DDoS attacks, Akbari emphasized in a second tweet:
“The continuation of some internet restrictions has no connection to the Infrastructure Communication Company or DDoS attacks. It is appropriate for the responsible authorities to clarify the real reasons and the prolonged nature of these restrictions for the people.”
However, these remarks once again garnered widespread reactions on social media, with users questioning: if the Ministry of Communications and the Infrastructure Communication Company are not accountable, then which entity is responsible for the internet outages?
In response, some experts stated in various media interviews that cutting internet access is not a solution for DDoS attacks. A clear example of this is the continued attacks on banking systems in Iran, which persisted even with the international internet cut off. They identified the principled solutions for countering these attacks as strengthening network security, using updated firewalls, training technical personnel, and employing strong encryption technologies.
On the other hand, the Infrastructure Communication Company, as the sole importer of Iran’s internet bandwidth and the executor of the country’s main telecommunications network management, cannot absolve itself of responsibility for internet disruptions. With its monopoly, this company is effectively the primary determinant of internet’s technical and executive policies in Iran.
Cyber Attacks Originating from Iran Surged by 1200%; Primary Target: USA
While the CEO of Infrastructure Communication Company reported an increase in DDoS attacks against Iran’s infrastructure coinciding with the start of the Israeli attack on Iran, data from Cloudflare’s security dashboard also indicates that during the same period, a significant volume of cyberattacks originated from Iran targeting other countries, especially at the application layer (Layer 7).
According to charts extracted from Cloudflare, attacks originating from Iran, particularly at the application layer, increased sharply, experiencing up to a 1200% growth compared to the previous period at certain points.
From June 17 to June 19, coinciding with the international internet shutdown in Iran, these attacks nearly ceased, only to immediately surge again from June 20.
The vast majority of these attacks, 93.8%, were identified as DDoS, with only a small fraction, 5.6%, detected by Web Application Firewalls (WAF).
The primary origin of these attacks was predominantly linked to Iranian providers: TCI (32%), Irancell (27%), and Hamrahe Aval (22%). The main destination for these cyber offensives significantly shifted, with the United States becoming the top target at 47% (a sharp increase from 14% in the previous month). France followed with 10%, while Turkey, at 9%, saw a significant decrease from its 39% share in the preceding period.
6- Human Rights Violations and Social Consequences
Increased Executions and Detentions:
The number of individuals executed on charges of spying for Israel in Iran has reached six in the past two weeks. On June 24, the Ahvaz prosecutor announced the indictment of 23 individuals accused of spying for Israel. These individuals have been charged with sabotage, information gathering, psychological operations, and disrupting national security, with some accusations including sending information via WhatsApp.
Pressure on Journalists working for Foreign Media:
The pressure from security agencies on journalists working for Persian-language media outside the country (such as Iran International, BBC, and Manoto) and their families inside Iran has intensified. Families have been threatened, summoned, and subjected to psychological pressures, warning them of severe security restrictions if their children continue their activities abroad.
Rising Anti-Immigrant Sentiment:
With the onset of the Israeli attack on Iran, a wave of anti-Afghan sentiment surged within Iran. Certain media outlets and channels affiliated with official bodies intensified divisive rhetoric against Afghan immigrants in the online sphere. They accused Afghans of collaboration with Israel and called for their expulsion, and even execution. This trend, which lacks official documentation, not only violates human rights principles but also risks undermining national cohesion during a critical period.
Conclusion: Iran’s Intensifying Digital Control Post-Conflict
An examination of how different branches of the Iranian government—the administration, judiciary, and parliament—approached the 12-day war with Israel reveals a clear and consistent strategy. The Islamic Republic not only views free access to information as a fundamental security threat but is also actively working to tighten its digital control day by day, leveraging the atmosphere that has prevailed in the country since the conflict and ceasefire.