As protests in Iran escalate, the state's censorship tactics have shifted dramatically. While our previous report documented localized and layered disruptions, new data reveals a move toward a total nationwide blackout. This report analyzes user reports, social media data, and network traffic trends (IODA, Kentik, Cloudflare, ArvanCloud) to map this escalation. We examine the specific anatomy of the January 8 shutdown, the "ghost connectivity" and signal jamming experienced by users, the destabilization of domestic infrastructure, the correlation between protest peaks and network throttling, and the status of circumvention tools.
1. The Anatomy of a Shutdown: From Layered Restrictions to Total Blackout
Localized and Layered: From the onset of the protests through January 8, the pattern of internet disruptions can be characterized as localized, urban-centric, volatile, and layered.
Geographic Disparities: While total blackouts hit specific towns, neighboring cities often maintained connectivity. Within major hubs like Tehran, Shiraz, and Tabriz, outages were targeted at specific protest hotspots (e.g., Narmak, Molavi, and the Grand Bazaar in Tehran).
Layered Disconnections: Mobile and fixed-line internet did not behave uniformly. For instance, on January 6 in Mashhad, users reported that fixed-line internet was cut for several hours while mobile data remained active. In other regions, access to the National Information Network (NIN) was occasionally preserved while international gateway traffic was either severed or heavily throttled. Discrepancies were even noted among fixed-line providers: on January 7, Irancell’s TD-LTE and Asiatech services were severed in some areas while ADSL remained functional but severely throttled.
The Shift to Total Blackout: On January 8, the pattern shifted. Network monitoring charts (see below) revealed a synchronized collapse of connectivity:
- IPv6 Collapse: The first major signal of infrastructure failure appeared around 15:19 Iran Time (11:49 UTC). Both Cloudflare and Kentik recorded a massive drop in IPv6 traffic at this time, indicating that a significant portion of the routing infrastructure had been disabled.
- Infrastructure Instability (ArvanCloud): Following the IPv6 drop, domestic instability intensified. Starting around 18:00 Iran Time (14:30 UTC), ArvanCloud Radar displayed severe disruptions in Tehran-based datacenters hosted by major operators, including Hamrah-e Aval (MCI), Afranet, and HostIran. This level of domestic data center instability was a new development not previously observed with this intensity during the current protests.
- The "Digital Curfew": Coinciding with coordinated protests at 20:00 Iran Time (16:30 UTC), international internet access was effectively cut across most of the country. This was reflected in IODA charts as a sudden and sharp drop in the Active Probing index, and in Cloudflare charts as a precipitous collapse of national traffic starting shortly after 20:00 Iran Time (16:30 UTC).
- Total Shutdown: By 22:15 Iran time, Kentik data confirms the internet reached a state of total blackout, with traffic plummeting to near-zero.
Technical Note: On the previous day, January 7, IODA charts recorded the most significant decline in the Active Probing index since the protests began at 21:45 Iran Time (18:15 UTC). This sharp drop served as a foreshadowing of the total blackout that would be implemented 24 hours later.
Deepening Crisis: Infrastructure Collapse (Jan 8 Late Night – Jan 9): Events unfolding since approximately 10:00 PM on January 8 mirror the tactics employed during the June 2025 Twelve-Day War:
- Mobile Network Collapse: Cellular towers, SMS services, and mobile data have been completely disconnected.
- Fixed-line "Ghost" Connectivity: Home broadband lines remain technically "connected" but are severely crippled, mimicking the experience of connecting to a home router with no actual internet access.
- National Information Network (NIN) Disruption: The domestic network has been fully disrupted, resulting in a total blackout of both domestic and international internet services.
- GPS & Starlink Jamming: Efforts to jam GPS signals aimed at disrupting Starlink have been observed. Around 04:00 AM on January 9, reports surfaced of massive, intentional jamming across all communication platforms. The assault was so intense that charts indicated 30% packet loss on Starlink connections. Users described this interference as "living inside a microwave."
- Economic Impact: Reports indicate that POS terminals and ATMs have been disconnected and rendered inoperable.
- Status Update (Jan 9 Afternoon): As of Friday afternoon, updates from Tehran indicate that certain domestic platforms such as Snapp and Eitaa are intermittently accessible via the domestic intranet; however, the NIN remains functionally broken.
- International Isolation: International phone calls to Iran are blocked. Callers receive only a pre-recorded, nonsensical message in English—a situation identical to the isolation measures of the 12-Day War.
2. Correlation Between Internet Shutdowns and Escalating Protests
Prior to the total blackout on January 8, data confirms that internet throttling was explicitly time-bound to synchronize with peak protest hours. User reports indicate that outages intensified during evening demonstrations and occasionally returned to a relative, unstable state as gatherings subsided.
This pattern is explicitly corroborated by network monitoring tools, as illustrated in the Kentik charts below:
Nighttime Disruption (Jan 6): Kentik charts show a simultaneous traffic drop across the Telecommunication Company of Iran (TCI) (AS58224), MCI (AS197207), and Irancell (AS44244) between 23:30 – 01:30 Iran Time (20:00 – 22:00 UTC). This window directly coincided with overnight protests in bazaars and central urban districts.
Midday Economic Strikes (Jan 5): Between 11:30 – 13:30 Iran Time (08:00 – 10:00 UTC), Kentik data registers a significant reduction in traffic for MCI and Irancell. This drop synchronized with strikes by bazaar merchants and public gatherings in major economic hubs.
Protest Escalation (Jan 8): Just before the total blackout, Kentik charts reveal a synchronized decline in traffic volume for MCI and Irancell starting at 18:45 Iran Time (15:15 UTC). This disruption occurred precisely as protests and assemblies began to escalate across the country.
3. Domestic vs. International Internet Disruption
Prior to January 7, internet shutdowns did not follow a uniform pattern, creating confusion regarding access to domestic versus international networks.
Inconsistent Access: Users in Tehran reported that "at night, the internet effectively reverts to an intranet-only mode" (NIN), while others noted that in certain neighborhoods connectivity was first cut entirely, then restored only for domestic sites.
Quality Degradation: In Tabriz, reports emerged that even "domestic websites were barely loading," signaling a simultaneous degradation in overall quality. Conversely, other users emphasized that "both international and domestic speeds have plummeted" or that "Wi-Fi has been 'nationalized,'" making the distinction nearly imperceptible to the average user.
Warning Signs of "Domestic-Only" Switch: On January 7, reports on social media circulated that major corporations were internally notified to prepare for a complete switch to domestic-only connectivity. Following this, domestic cryptocurrency exchanges issued advisories warning users to avoid high-risk trades due to impending outages.
The Final Shift: By late evening on January 7, user reports indicated that international access in parts of Tehran and other cities was severely throttled or rendered completely unreachable. Starting around 20:00 on January 8, the disruption pattern shifted toward a total blackout of both domestic and international internet services.
4. Status of Censorship Circumvention Tools
Important Note on Data Visibility (Post-January 8): It is crucial to distinguish between the degradation of tools observed earlier in the week and the current status. Since the onset of the total blackout on January 8, Filterwatch has not received verifiable reports regarding the performance of circumvention tools. This silence is a direct consequence of the shutdown’s severity.
Pre-Blackout Performance: Before the total blackout on January 8, users were intermittently able to use certain circumvention tools. However, a vast majority of mainstream tools—including well-known VPNs such as Proton, Express, Nord, and Windscribe (across most protocols), as well as free VPNs and tools based on Shadowsocks, UDP-over-TCP, and custom configurations—have either ceased functioning entirely or faced extreme instability. Users frequently reported that even when a connection was established, upload speeds were near zero, connections were "pulsing" (connecting and disconnecting repeatedly), and communication tunnels remained too unstable for practical use.
Other VPNs such as Psiphon, nthLink, BeePass, and Lantern were reportedly able to connect, but either failed to pass traffic or were restricted to unfiltered segments of the internet, rendering them ineffective. Furthermore, in some regions, VPNs used on mobile data were reported to be completely blocked, while the same tools maintained limited but slightly better performance on fixed-line broadband.
In this context, numerous reports indicated that Telegram proxies would technically show a "green" status and respond to pings, but fail to transmit data, leaving messages and channels unable to load.
Among the various options tested, some users noted that Hiddify and Shadowrocket performed relatively better compared to other tools, though their stability was inconsistent. Constantly switching VPNs or servers occasionally resulted only in short-lived, unstable improvements. Limited reports suggested that Windscribe using the IKEv2 protocol managed to connect at acceptable speeds on a handful of servers without special configurations, but this access was described as temporary with no guarantee of stability. In instances where international access was almost entirely severed, some users reported that Tor was the only remaining gateway for minimal connectivity.
Overall, the common pattern across these reports involves unstable connectivity, pulsing outages, severe difficulty or inability to upload, and "ghost" connections where pings are successful but no data is actually transmitted. This pattern demonstrates that the disruptions were specifically and purposefully engineered to neutralize censorship circumvention tools.