The landscape of internet access in Iran has entered a transformative and restrictive new phase, accelerated by the intersection of domestic unrest and international military conflict. While the country has historically relied on blanket filtering, recent developments—documented primarily through Filterwatch and technical network data—reveal a shift toward a systematic, tiered access model. This transition is no longer just about blocking content but about creating a "selective internet" where the National Information Network (NIN) serves as a primary tool for both service delivery and social control.
Central to this new reality is the institutionalization of privilege through programs like the "Stable Communication Network" and the "Pro Internet" plan. These initiatives have established a legal and commercial framework where unrestricted access is treated as a luxury service. By offering unfiltered connectivity at high prices to select groups and businesses, the state has effectively turned a fundamental right into a tiered commodity. This shift is supported by a strengthening legal foundation, specifically the "Strategic Document on Electronic Passive Defense" approved in February 2026, which formally mandates the capability to disconnect the domestic network from the global internet during crises.
As international connectivity became volatile following the military attacks of February 28, the authorities demonstrated a sophisticated ability to maintain essential domestic services while simultaneously silencing the broader public. This period was marked not only by infrastructure-level disruptions but also by a transition toward active digital deterrence. Through the use of mass SMS warnings, the targeted summons of ordinary users, and the compromise of popular domestic applications for state messaging, the mechanism of control has moved from the network core to the individual device. The following analysis details how these developments represent a long-term blueprint for the governance of cyberspace in Iran, moving away from temporary wartime measures toward a permanent structure of segregated digital access.
Key Policy Developments in February:
Access for the Privileged: From the “Stable Communication Network” to “Pro Internet”
As a continuation of the whitelist-based access policy implemented after the suppression of the public protests in December 2025–January 2026 and the subsequent large-scale internet shutdown in January, information emerged about a program known as the “Stable Communication Network.”
On March 2, reports circulated indicating that within the MCI (Hamrah-e Aval) network, a USSD code had been promoted in some Telegram channels that sell VPN services. These channels claimed that users could dial the code to purchase unfiltered internet access at a price of roughly 40,000 tomans per gigabyte.

According to documents obtained by Filterwatch, this service—defined internally within MCI as part of a project called the “Stable Communication Network”—was implemented simultaneously with the start of military attacks on Iran and the disruption of international internet connectivity.
Information received by Filterwatch further suggests that some companies involved in Iran’s filtering infrastructure, including Douran Company—which is also active in the VPN market—may have played a role in leaking details of the project and publicizing the USSD codes. The exposure ultimately led to the deactivation of the published codes. However, sources told Filterwatch that the project continues to operate, now with new codes and under the coordination of MCI’s Network Security Directorate, in order to continue providing unrestricted internet access to select groups.
It is important to note that this initiative is not limited to MCI. As part of the broader effort to expand whitelist policies and selective access mechanisms, similar arrangements are also being implemented by other operators, including Irancell.


Pro Internet
The “Pro Internet” plan, reports about which first emerged on February 25, is another example of tiered internet access, introduced under the pretext of supporting businesses.
Under this plan, users can purchase a special SIM card priced at 2,178,000 tomans, which provides access to unfiltered internet with an international IP address. The cost of traffic in this plan is 8,000 tomans per gigabyte, while traffic used on blocked websites and services is priced at 40,000 tomans per gigabyte.
The scheme has been presented as an organizational solution intended to support commercial and international activities. It requires registration and formal identity verification in government systems, as well as a registered business license. In practice, however, there appears to be little strict enforcement to ensure that the service is used exclusively for organizational purposes. Anyone with a business license and the ability to pay the high costs can effectively obtain access to an unrestricted internet.
“Pro Internet” is advertised as offering features such as no disconnections, no filtering, and direct activation on the SIM card, and it is currently available through only one operator. The service is also capacity-limited, with access currently restricted to the first 500 registered users.
This combination of high pricing and limited availability effectively turns unrestricted internet access into a luxury service for a small, privileged group, while the vast majority of users continue to face restricted, expensive, and unstable internet connectivity.
Tariff Policy and Increasing Economic Pressure on Household Budgets
Alongside the creation of privileged access layers, restrictive policies have intensified within the general public layer of the network, aimed at managing consumption and increasing operators’ revenues.
The telecommunications regulator, which had authorized a 38% tariff increase in October 2025, structured the implementation in two phases in order to avoid strong public backlash: a 20% increase in December 2025 followed by an additional 18% increase in February 2026.
At the same time, operators have effectively reduced users’ choices by removing high-volume and cost-effective data packages from their offerings.
Although the regulator had conditioned the price increases on “improvements in service quality,” the continued network disruptions and the ongoing decline in international internet traffic have rendered this guarantee largely ineffective in practice.
Strategic Document on Electronic Passive Defense
The approval of this 10-year strategic document in February has strengthened the legal foundation for infrastructure-level control of communications networks. The document outlines the country’s security framework for managing and protecting digital infrastructure.
- Government obligations for the Ministry of Communications: Under this framework, the Ministry of Communications is tasked with continuous monitoring of the network and with implementing restrictive measures during crisis situations.
- Preparedness for network separation: One of the most concerning technical provisions of the document is the requirement to establish the capability to disconnect the domestic network from external networks, along with the development of alternative communication routes. This provision effectively lays the groundwork for cutting off access to the global internet and replacing it entirely with the National Information Network.
- Article 19 of the Document and Legal Institutionalization: By establishing a statutory mandate for executive bodies, this article has transformed the Ministry of Communications' authority to impose restrictions during crises into a "structural requirement."
Content Governance and Increased Monitoring of Users
Although monitoring and surveillance of the online space in Iran has a long history and is officially referred to in policy documents as “governance of cyberspace,” developments following the January protests indicate a shift toward a broader phase of direct control over individual users.
While in previous years enforcement efforts primarily targeted well-known public figures and high-profile influencers, since January the scope of enforcement has expanded to include ordinary public accounts. Even pages with relatively small audiences have been subjected to blocking, summons, or formal warnings.
Reports indicate that some users, after being summoned to judicial authorities, have been pressured to delete their posts and publish statements expressing “remorse.” These statements effectively function as public deterrence tools. In some cases, users have also been required to publish images stating that their page has been blocked by order of judicial authorities. The practice goes beyond simple content removal and carries a symbolic and intimidatory function: sending the message that any form of critical content may lead to legal and social consequences.
At the same time, monitoring has expanded beyond digital platforms to core communication tools themselves. Since the January protests, multiple cases have been reported in which the SIM cards of journalists and ordinary users were abruptly suspended, often without prior notice or official explanation. In many cases, individuals discovered upon contacting their mobile operator that they had been instructed to refer to judicial authorities. Some users were told that their online activity had been “flagged,” and that restoring their access required them to remove content or sign formal undertakings.
Taken together, these developments suggest that since January, content governance in Iran has shifted from a fragmented enforcement approach to a more systematic mechanism for monitoring, summoning, and exerting direct pressure on users.
Internet Disruptions and Shutdowns
From Partial Traffic Recovery to Another Nationwide Blackout
Technical network data indicate that the restoration of internet connectivity in Iran over the past month occurred in three distinct phases.
The first phase involved minimal and highly limited connectivity following the complete shutdown (approximately January 18 to January 23).
The second phase saw a relative increase in traffic, although connectivity remained unstable (approximately January 23 to January 27).
The third phase, beginning around January 27, showed a broader restoration of connectivity, though traffic levels still remained below those observed prior to the nationwide shutdown. Even during this third phase, when signs of stabilization began to appear, network traffic continued to experience fluctuations and disruptions.
Reports received on February 16, coinciding with memorial ceremonies marking the 40th day after the deaths of those killed during the January 8–9 protests, indicated that internet access had been cut in several cities, leaving only the National Information Network (domestic intranet) operational. Such disruptions were reported in Qazvin and Ahvaz, while Qom, Mashhad, Najafabad, and Malekshahi also experienced significant connectivity disturbances.
These regional disruptions continued as student protests in universities began on February 20.
Finally, on February 28, while Iran’s internet had not yet fully recovered to normal conditions, the start of military attacks triggered another nationwide blackout, leaving only the domestic intranet and the National Information Network operational.
Limited Access for Whitelisted Users
Disruptions to international internet connectivity began in the early hours of February 28, immediately following the start of the attacks. However, unlike the nationwide blackout of January 2026, the National Information Network (NIN) remained operational from the outset.
Telephone calls and SMS services were also disrupted for several hours before returning to normal. At the same time, incoming international calls to Iran were blocked from the first hours of the attacks. However, outgoing international calls from inside Iran remained possible, primarily through roaming packages offered by mobile operators.
Internet monitoring charts from Kentik indicate that the shutdown unfolded in two distinct stages. Around 07:06 UTC, the country’s three main operators experienced a sudden and sharp drop in traffic. Later, at approximately 11:47 UTC, traffic volumes across all three major networks—AS197207 (MCI/Hamrah-e Aval), AS44244 (Irancell), and AS58224 (Telecommunication Company of Iran – TCI)—fell close to zero.
While public access to the global internet was cut off, certain entities, including media newsrooms, “whitelisted SIM cards,” and a number of government systems, continued to maintain internet connectivity from the very early hours of the international shutdown.
Technical data from IODA further indicate that BGP routes remained active, a pattern consistent with the whitelist-based selective access model.
Kentik data also show that limited but stable connectivity persisted through several networks, including Telecommunication Company of Iran (AS58224), Pishgaman Development Company (AS49100), and Asiatech (AS43754).
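The reasoning above (traffic near zero while BGP routes stay announced points to selective access rather than route withdrawal) can be expressed as a small classifier. This is an added example, not code or data from Filterwatch, Kentik, or IODA; the sample values, the thresholds, and the contrast series `WITHDRAWN_AS` are constructed assumptions, and only the ASN and the two drop times come from the text.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    utc: str        # sample time, HH:MM UTC
    traffic: float  # traffic as a fraction of the pre-event baseline
    bgp: float      # fraction of the AS's prefixes still visible in BGP

# Constructed series shaped like the two-stage drop described for AS197207.
# The values are illustrative, not measurements.
AS197207 = [
    Sample("07:00", 1.00, 1.00),
    Sample("07:06", 0.45, 1.00),
    Sample("09:00", 0.40, 0.98),
    Sample("11:47", 0.02, 0.97),
    Sample("13:00", 0.02, 0.97),
]

# Constructed contrast case: a hypothetical AS whose prefixes are withdrawn.
WITHDRAWN_AS = [
    Sample("07:00", 1.00, 1.00),
    Sample("07:06", 0.03, 0.10),
    Sample("09:00", 0.00, 0.05),
]

def find_drops(series, step=0.30):
    """Times at which traffic fell by at least `step` of baseline
    since the previous sample."""
    return [cur.utc for prev, cur in zip(series, series[1:])
            if prev.traffic - cur.traffic >= step]

def classify(series, outage_below=0.10, routed_above=0.80):
    """Label the end state of a series by comparing the two signals."""
    last = series[-1]
    if last.traffic >= outage_below:
        return "degraded-or-normal"
    if last.bgp >= routed_above:
        # Routes are still announced, so the loss comes from traffic being
        # dropped rather than routes being removed; allow-listed endpoints
        # can keep working over the same routes.
        return "filtered-with-routes-up"
    # Prefixes disappeared from the routing table: the AS is unreachable
    # for everyone, with no room for selective access.
    return "route-withdrawal"

if __name__ == "__main__":
    for name, series in (("AS197207", AS197207), ("withdrawn", WITHDRAWN_AS)):
        print(name, find_drops(series), classify(series))
```
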
Traffic Fluctuations as Reflected in Technical Evidence
On the second day of the war (March 1), several networks became simultaneously unreachable, even within the already limited volume of remaining traffic. This pattern increases the likelihood of damage or disruption affecting parts of the underlying infrastructure, such as fiber-optic routes, power supply, or intercity network hubs.
Some of these networks stopped exchanging traffic at around 07:10 UTC, as illustrated in the chart below.
A second wave of disruptions occurred around 15:20 UTC, when additional networks also dropped offline.
Limited Access to Circumvention Tools from Within the Domestic Network
With international internet connectivity cut off, users were able to reach the global internet only through very limited channels. Reports indicate that connections were sporadic, unstable, and short-lived, offering only brief and inconsistent access to the global internet.
The NIN in Wartime: From Whitelisting to Social Management
Activation of a Domestic Services Package
At the same time as the international internet shutdown, and unlike the January 2025 blackout, an official list of services accessible through the National Information Network (NIN) was published very quickly.
Domestic news agencies, including Tasnim, released a list of “essential websites” that covered nearly all basic daily functions, with the stated aim of making users independent from the global internet. These included:
- Official news agencies
- Domestic search engines
- Maps and navigation services
- Online translation tools
- Video and entertainment platforms
- Essential services (prayer times, road and transportation services, the Adl Iran judiciary system, etc.)
- Domestic messaging apps (Bale, Eitaa, Rubika, Soroush Plus)
- App download platforms
- Government portals (Smart Government, Civil Registration, Social Security, FATA Cyber Police, etc.)
Directing Users Toward Domestic Communication Platforms
Following the shutdown, channels affiliated with or close to the government circulated messages urging the public to subscribe to official news channels on the domestic messaging app Eitaa, in light of the internet blackout.
Some of the messages emphasized that if communication through state television, social media, or even telephone networks were disrupted, information would be delivered through mosques, and citizens should go to their local mosques to receive updates. This time, communication management relied on a combination of domestic digital infrastructure and traditional information channels through mosques.
Efforts to Maintain Essential Services During the Internet Shutdown
On the third day of the war, the Ministry of Health’s Crisis Management Headquarters announced that in the event of disruptions to electronic prescription systems or internet outages, medical services would continue without interruption and patients should not be concerned. The issuance of such a statement indicates that there were concerns at the decision-making level about the stability of the domestic network and systems built on the National Information Network, particularly in a scenario where damage to internal communication infrastructure could disrupt essential services.
At the same time, the head of the Digital Transformation Commission of the National Organization for Computer Trade Unions pointed to the significant losses faced by online businesses and emphasized that, in emergency conditions, the government should allocate differentiated bandwidth and access for digital economic actors. Unlike during the 12-day war and the January 2025 shutdown, this time the demand for privileged and segregated access was publicly raised by private-sector representatives from the very first days of the blackout, a demand that effectively aligns with the logic of tiered internet access.
The Rise of Cyberattacks Amid Iran’s Internet Shutdown
Breaches of Information Infrastructure
In the early hours of the attacks, reports emerged of cyber operations targeting the country’s media. On Saturday, February 28, the news agencies ISNA and IRNA were reportedly hacked and temporarily taken offline. On the homepage of the state-affiliated IRNA, a headline appeared reading: “Terrifying hours for the security forces of the Ayatollah regime: The IRGC and Basij have suffered a paralyzing blow.”
Shortly after the attacks began, the widely used Bade Saba application, a prayer times app with more than 30 million installs in Iranian app stores, was also compromised. Through the app, push notifications were sent to users. The messages, which appeared to primarily target members of the armed forces, urged recipients to surrender and join the people in order to save their lives.
The choice of this application is notable given its large user base. Bade Saba is mainly used by religious users, increasing the likelihood that individuals affiliated with or supportive of the government, including members of the military, are among its users.
The screenshots below show examples of push notifications sent through the Bade Saba app after it was reportedly compromised.
The notification, titled “Help has arrived!”, urges members of the security forces to reconsider their actions, stating that the time for retaliation has come and that those who surrender and join the people will be forgiven. The message frames the situation as an opportunity for security personnel to distance themselves from the government and align with the public.
These notifications appeared directly on users’ mobile devices, indicating that the app’s push notification system was used to distribute psychologically targeted messaging during the early hours of the conflict.
Attacks on Communication and Media Symbols
On the second day of the war, at around 18:30 UTC (22:00 local time), videos circulated on social media claiming that the satellite broadcast of Iran’s state television (IRIB) had been disrupted. According to these reports, for several minutes, speeches by Donald Trump and Benjamin Netanyahu were aired instead of regular programming, along with footage of attacks on several locations, including the office of Ali Khamenei.
Following this disruption, an SMS message with the sender ID “KHABAR” was sent to some residents in Tehran. As illustrated in the screenshot below, the message instructs recipients that if they experience disruptions in receiving television channels, they should perform a “channel re-scan” to restore service.
Threats and Preemptive Control Through SMS During the Internet Shutdown
On Monday, March 2, some users in Tehran received an SMS message (as shown in the image below) titled “Warning,” stating that the recipient had been identified as an individual intending to participate in “illegal unrest” and urging them not to attend such gatherings.
At the same time, the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC) also circulated similar warnings via mass SMS messages sent to citizens, stating that “any movement disturbing security would be considered direct cooperation with the enemy.”
These messages indicate that domestic mechanisms were actively being used to implement digital deterrence policies and to prevent potential internal protests.









