Since the night of January 11, Starlink internet in Iran has once again been subjected to intense jamming. According to research by Filterwatch, the transmission of interference varies depending on the hour and the specific neighborhood. While some areas remain unaffected, others experience packet loss ranging from 10% to 40% in Starlink communications. This situation is primarily observed in Tehran, with fewer reports of jamming coming from other cities. Despite the interference, Starlink connectivity remains functional. The jamming patterns appear to follow a model similar to what Russia deployed in Ukraine.
Simultaneously, reports have surfaced indicating that security forces in certain parts of Tehran have identified and confiscated Starlink dishes.
Field reports from network specialists suggest that the disruption is likely being carried out using mobile equipment (vehicle-mounted or portable) rather than solely through fixed towers or systems. This reinforces the hypothesis of mobile jammers being deployed.
In addition to field reports of jamming and increased packet loss, an analytical article published on Substack by a policy and technology analyst noted packet loss rates between 30% and 80% during the crackdown on Starlink. The analysis emphasizes that a severe drop in connection quality does not necessarily mean a "total shutdown." At the transport layer, with protocols such as TCP, low-volume messages can eventually reach their destination through packet retransmission, message queuing, and the use of intermittent connectivity windows, even if high-bandwidth applications like video calls or web browsing become effectively unusable.
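The effect described above can be reproduced with a small simulation. This is an added example, not taken from the Substack analysis or from Filterwatch's measurements. It assumes independent per-packet loss (real jamming is bursty), a simplified stop-and-wait sender rather than a real TCP stack, and uses the loss rates quoted in this report; all function names are illustrative.

```python
import random

# Loss rates quoted in this report: 10-40% (Filterwatch), 30-80% (Substack analysis).
PAGE_LOSS_RATES = (0.10, 0.40, 0.30, 0.80)

def round_trip_success(loss):
    """Probability that a data packet and its ACK both survive (independent loss assumed)."""
    return (1.0 - loss) ** 2

def delivery_probability(loss, max_tries):
    """Chance a single packet is acknowledged within max_tries transmissions."""
    return 1.0 - (1.0 - round_trip_success(loss)) ** max_tries

def expected_transmissions(loss):
    """Mean transmissions per acknowledged packet (geometric distribution)."""
    return 1.0 / round_trip_success(loss)

def send_queued_message(n_packets, loss, max_tries, rng):
    """Stop-and-wait sender: each queued packet is retransmitted until it is ACKed.
    Returns total transmissions used, or None if a packet exhausts max_tries."""
    total = 0
    for _ in range(n_packets):
        for attempt in range(1, max_tries + 1):
            data_ok = rng.random() >= loss
            ack_ok = rng.random() >= loss
            if data_ok and ack_ok:
                total += attempt
                break
        else:
            return None
    return total

def realtime_frames_delivered(n_frames, loss, rng):
    """Live media: each frame is sent once; a retransmitted frame would arrive too late."""
    return sum(1 for _ in range(n_frames) if rng.random() >= loss)

def compare(loss, seed=1):
    """Contrast a 3-packet text message with a 1000-frame live stream at one loss rate."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    return {
        "loss": loss,
        "text_transmissions": send_queued_message(3, loss, 1000, rng),
        "video_frames_ok": realtime_frames_delivered(1000, loss, rng),
        "mean_tx_per_packet": round(expected_transmissions(loss), 2),
    }

if __name__ == "__main__":
    for loss in PAGE_LOSS_RATES:
        print(compare(loss))
```

At 80% loss the short message still arrives, at a cost of about 25 transmissions per packet on average, while roughly four out of five live frames never arrive in time to be used.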
The Near-Total Communication Blackout
In this current round of protests, the internet disruption and shutdown from the evening of January 8 until today, January 12, has targeted not only international traffic but nearly all communication channels.
Reports received by Filterwatch indicate that a significant portion of "White SIM cards" (privileged/unrestricted SIMs) have been disconnected, showing that the blackout is affecting even previously exempt tiers of access. This signals that the crackdown is so severe that the state is stripping access even from its own trusted insiders to prevent any leaks, prioritizing a total information quarantine over the operational needs of its bureaucracy. In this environment, Starlink is one of the few remaining windows for Iranians to access global communications.
During this period, beyond the internet shutdown, SMS services have been completely cut off. Cellular and landline calls have only been available for limited hours a day—usually in the early morning before protests peak.
The disruptions have extended beyond websites and messaging apps to target the IMAP protocol. As a primary protocol for receiving and syncing emails on clients like Outlook, Thunderbird, and Apple Mail, the throttling or blocking of IMAP causes email exchanges to stall. Users experience connection errors, severe delays, or total service outages. This move effectively cripples professional email access, targeting one of the users' last stable communication paths.
In the initial days, even the National Information Network (NIN) was inaccessible. Messaging features within domestic apps were disabled, and government websites and systems faced disruptions. However, around 3:00 PM on January 9, as indicated by the Kentik graph below, partial international connectivity was restored for specific Iranian universities (including the University of Tehran, Tarbiat Modares, Sharif University of Technology, and Tehran University of Medical Sciences). This is viewed as the start of the government’s "Whitelisting" policy, restricting internet access to a select group of institutions.
The Rise of the "Whitelist" Policy
On the morning of January 12, the IRIB News Agency published a list titled "Essential Websites Accessible via the National Internet." This list includes domestic search engines, navigation maps, local news agencies, video services, and domestic messengers such as Eitaa, Rubika, Soroush+, and Bale.
While there are no credible reports of the domestic network functioning without disruption, the publication of such a list clearly signals the government’s intent to solidify a "Whitelist" policy. This approach seeks to transform the internet from an open, public platform into a controlled network based on pre-defined access. The following chart is the list provided by IRIB:
Reflecting this shift, domestic media reported that the healthcare sector has reverted to paper prescriptions due to internet outages. Mohammad Mehdi Nasehi, CEO of the Health Insurance Organization, told Tasnim News regarding the acceptance of prescriptions during outages:
"Necessary measures have been taken. We have a directive, previously issued across the country during the 12-day conflict, which allows individuals to receive paper prescriptions. Insurance-contracted institutions are obligated to accept and cover these prescriptions."
Simultaneously, reports emerged regarding the restoration of the Shad system for virtual education. Collectively, these developments indicate that the government is seriously preparing the technical infrastructure for the National Information Network, and internet conditions are unlikely to return to their pre-protest state.
Total International Shutdown and Cyber Threats
Network monitoring data confirms that as of January 12, Iran is still facing a "total shutdown" of international internet. All data packets in both directions (ingress/egress) are being dropped, and even data centers within Iran have become inaccessible from the outside. Network specialists observed that in this round of disruptions, even state-run news agencies like IRNA and ISNA are inaccessible from outside Iran—a situation unprecedented in previous shutdowns, suggesting restrictions at a higher level of international routing.
Beyond the domestic network events, a report by the Miaan Digital Security Helpdesk reveals that while access to domestic media is restricted for users outside Iran, certain third-party websites offering live Iranian TV streams have been turned into tools for data collection and digital espionage. Miaan’s investigation shows that several of these websites are infected with malicious JavaScript code that activates as soon as a user lands on the page, requiring no downloads or clicks. These are Drive-by Attacks, meaning the user's browser is hijacked simply by opening the page. The objectives include tracking online activities, Device Fingerprinting, Session Hijacking to access sensitive accounts, and laying the groundwork for subsequent phishing attacks.


