State-sponsored hacking units, hacktivists, and cybercriminal syndicates repeatedly attacked Iranian computer networks between 2021 and 2026. Attackers aggressively targeted transportation systems, banking infrastructure, fuel distribution networks, state media broadcasts, and government servers. Hackers continuously exploited fundamental vulnerabilities within the national architecture. Intrusions evolved from simple equipment sabotage into advanced financial extortion and sophisticated psychological influence campaigns. Evidence confirms an almost certain escalation in electronic warfare directed against the Iranian government. Severe economic instability, intense domestic protests, and the 2026 war involving the United States and Israel fueled continuous network attacks. The government responded with extreme communication blackouts. Officials deliberately isolated the domestic population to suppress political dissent and obscure military actions. Current intelligence suggests an almost certain continuation of infrastructure sabotage and data weaponization.
Introduction
Intelligence analysts assess a highly likely state of continuous electronic warfare surrounding Iran. The period from July 2021 to May 2026 represents the most volatile era in modern Iranian history. Hackers systematically dismantled public services, exposed state secrets, and weaponized stolen financial databases. Attackers specifically designed operations to humiliate the political leadership, disrupt daily civilian life, and erode public trust. Opposing military forces launched simultaneous physical and electronic strikes.
Adversaries focused heavily on government entities and essential public services. Early hacking operations featured wiper malware designed exclusively to erase computer data and halt industrial operations. Later hacking campaigns shifted toward massive data exfiltration. Syndicates stole hundreds of millions of personal records from national insurance companies and private banks. Threat actors then manipulated the stolen information for public extortion and psychological warfare.
The Iranian government escalated offensive measures and defensive restrictions in response. Authorities engineered the longest nationwide internet blackout in recorded human history during the 2026 war. Intelligence analysts observe a clear pattern of physical retaliation mirroring electronic strikes. Cyber operations reflect the broader geopolitical conflict involving Israel, the United States, and domestic opposition groups. An examination of specific network incidents reveals the exact mechanisms driving the regional conflict.
Contextual Aggregation Analysis: Geopolitics and Domestic Unrest
Understanding the network intrusions requires a thorough examination of the surrounding geopolitical environment. The nation experienced total economic collapse, massive domestic rebellion, and direct foreign warfare.
The Economic Crisis and the 2025 Protests
A combination of severe economic mismanagement and foreign sanctions destroyed the national economy. The Iranian rial suffered extreme depreciation. Citizens faced record-high inflation, rising food costs, and surging gold prices. Widespread water and energy shortages led to major electricity disruptions across all provinces. The government struggled to maintain basic utility services.
Public anger exploded on December 28, 2025. Electronic goods shopkeepers and traditional merchants in the Grand Bazaar of Tehran initiated peaceful demonstrations. The merchants demanded the immediate stabilization of exchange rates to prevent total business failure. The demonstrations spread rapidly to major thoroughfares in Tehran, including Lalehzar and Jomhuri Street. Citizens in Zanjan, Hamadan, and Qeshm Island joined the uprising. Demonstrators shouted slogans demanding the overthrow of the Supreme Leader. Security forces immediately deployed tear gas to disperse the massive crowds.
The movement escalated dramatically following a public call for unified resistance by exiled Crown Prince Reza Pahlavi. An estimated 1.5 million people marched through Tehran on January 8, 2026. The nationwide participation numbers reached five million citizens the following day.
The January Massacres
The government responded to the civilian uprising with overwhelming lethal force. Long-term planning for the violent crackdowns reportedly began in 2022 under former interior officials. Officials modeled the suppression tactics on the 1989 Tiananmen Square events. Ali Larijani, the secretary of the Supreme National Security Council, operated as a central planner for the violence.
Supreme Leader Ali Khamenei issued a direct order commanding security forces to crush the protests using any necessary means. Security forces received explicit authorization to shoot civilians and show zero mercy. Agents armed with Kalashnikov rifles and handguns infiltrated the civilian crowds. The agents hunted demonstration leaders and shot them from behind.
The resulting violence caused the largest massacres in modern Iranian history. Independent estimates confirm that security forces killed up to 36,500 people during the crackdowns. Medical records showed 30,304 protest-related deaths registered in civilian hospitals on January 8 and 9 alone. Hospitals completely ran out of body bags. Medical workers resorted to using semi-trailer trucks to transport the dead bodies.
The 2026 War and Foreign Military Strikes
The civilian massacres triggered an immediate international military response. United States President Donald Trump threatened direct military action against the Iranian government. The United States initiated the largest military buildup in the Middle East since the 2003 invasion of Iraq. The military deployed multiple carrier strike groups and hundreds of combat aircraft to regional bases.
Israeli Prime Minister Benjamin Netanyahu lobbied the United States administration for a joint military strike. Israeli intelligence identified specific Iranian leadership targets. Hostilities officially erupted on February 28, 2026. The United States executed Operation Epic Fury. Israel executed Operation Roaring Lion.
American missiles, attack drones, and Israeli fighter jets struck locations throughout the entire country. The Israeli Air Force executed the largest combat sortie in its history. Israeli pilots dropped more than 1,200 bombs in a single 24-hour window to destroy 500 military targets. The coordinated airstrikes successfully assassinated Supreme Leader Ali Khamenei and killed thousands of Islamic Revolutionary Guard Corps personnel.
Iran immediately launched a retaliatory campaign codenamed Operation True Promise IV. The military fired hundreds of drones and ballistic missiles at Israel, United States military bases, and neighboring Arab nations. The Iranian navy effectively shut down the Strait of Hormuz, which disrupted the global energy economy severely. President Trump announced a strict naval blockade of Iran beginning on April 13, 2026. The physical warfare created an environment of total chaos. Hackers exploited the chaos to launch devastating electronic attacks against the government.
Technical and Anomaly Analysis: The Early Infrastructure Strikes
The initial wave of major network intrusions focused almost entirely on paralyzing physical infrastructure. Hackers sought to cause immediate public frustration. They intended to humiliate the government publicly.
The 2021 Railway Disruption
A previously unknown hacking syndicate named Predatory Sparrow attacked the national railway system in July 2021. The intrusion caused unprecedented nationwide disruptions. Train movements stopped entirely across the country. The electronic ticketing systems failed completely.
Station departure boards displayed highly unusual messages instead of normal train schedules. Attackers commanded the electronic boards to display the official contact number for the office of Supreme Leader Ali Khamenei. The message urged stranded passengers to call the Supreme Leader directly to demand answers for the delays.
Check Point Research investigated the attack tools recovered from the railway servers. Analysts discovered highly destructive wiper malware deployed specifically to destroy core system files. The wiper erased data completely, preventing quick restoration. Railway employees resorted to manual scheduling across all train stations to resume basic operations.
The website for the Ministry of Roads and Urban Development went completely offline the very next day. The coordinated timing indicates an almost certain pre-planned operational sequence. Israeli media and international intelligence analysts strongly suspect Predatory Sparrow maintains direct operational ties to the Israeli government. The deployment of custom wiper malware and precise operational timing supports the assessment of state-level military sponsorship.
The First Fuel Network Sabotage
Predatory Sparrow struck the smart fuel distribution network in October 2021. The network attack disabled electronic payment processing systems at gas stations nationwide. Long queues formed immediately across the country as drivers struggled to purchase essential fuel.
Hackers again manipulated electronic advertising billboards in major cities. The hijacked billboards displayed political messages challenging the supreme authority of the government. Two anonymous United States defense officials explicitly attributed the sophisticated attack to Israeli military intelligence. Disabling the national fuel network required deep, persistent access to isolated industrial control systems. Intelligence indicates an almost certain state-sponsored espionage operation facilitated the breach.
Semiotic and Stylometric Analysis: State Media and Prison Breaches
Opposing factions targeted highly symbolic government institutions to break the illusion of total state control. Hackers used stolen footage and hijacked broadcasts to wage psychological warfare against the civilian population.
Evin Prison Surveillance Penetration
A hacker group calling itself Edalat-e Ali successfully penetrated the security camera network at Evin Prison in August 2021. Evin Prison historically holds political prisoners, journalists, and government dissidents. Another hacktivist organization named Tapandegan released the stolen surveillance footage to the public internet.
The published videos showed prison guards harshly beating handcuffed inmates. The footage exposed severe human rights abuses and deplorable internal conditions inside the facility. Analysts assess the network operation as a highly successful psychological warfare campaign. Releasing the unedited footage directly undermined official government claims regarding humane prisoner treatment. The breach proved that highly secure government facilities remained completely vulnerable to external electronic intrusion.
Islamic Republic of Iran Broadcasting Hijack
Hackers aggressively targeted the Islamic Republic of Iran Broadcasting network on January 27, 2022. The attack interrupted live television broadcasts across 25 different channels for approximately ten seconds. Viewers suddenly saw broadcast images of exiled Crown Prince Reza Pahlavi and leaders of the People’s Mojahedin Organization of Iran. A recorded voiceover explicitly called for the immediate assassination of the Supreme Leader.
Check Point Research analyzed the specific malware deployed in the broadcast network breach. The attackers used custom backdoors, batch scripts, and automated screen-capturing tools. The hackers also deployed a destructive wiper malware to hinder engineering recovery efforts.
Hackers struck the network again on February 1, 2022. The attackers hijacked Telewebion, the web-based streaming platform of the broadcasting network, in the middle of a live soccer match between Iran and the United Arab Emirates. The hijacked stream broadcasted messages claiming the foundations of the regime were rattling.
Predatory Sparrow claimed direct financial support for the broadcast disruption. Iranian officials immediately blamed the People’s Mojahedin Organization of Iran for executing the operation. The ability to hijack national television indicates profound security failures within the state media apparatus. The operation demonstrated the opposition’s growing technical capability to project revolutionary messages directly into Iranian living rooms.
Pattern Analysis: The Transition to Financial Extortion
Network operations evolved significantly between 2021 and 2024. Attackers recognized the immense leverage provided by stolen financial data. Operations transitioned from pure industrial sabotage toward mass data theft and aggressive public extortion.
The Bank Mellat Data Exposure
The Arvin Club hacker group successfully breached Bank Mellat in May 2021. Hackers stole the personal identity and financial records of 32 million individual customers. The group offered the entire database for sale on underground cybercriminal forums.
Bank Mellat previously faced severe economic sanctions from the United States Treasury. The United States accused the bank of moving money secretly on behalf of the Islamic Revolutionary Guard Corps. The massive data leak caused widespread panic among ordinary citizens. People worried constantly about identity theft and total financial ruin. The incident highlighted severe structural vulnerabilities in the banking sector. The government completely failed to protect sensitive citizen data.
The Massive Insurance Sector Breach
A new threat actor named IRLeaks claimed responsibility for stealing 115 million records from 23 leading insurance companies in December 2023. The stolen information included full names, national identification numbers, birth dates, home addresses, and mobile phone numbers. IRLeaks offered the entire national database for sale on the dark web for roughly 75,000 United States dollars.
Threat intelligence firm Hudson Rock identified the highly likely initial intrusion vector. Hackers compromised a single employee at SnappFood using StealC malware. The malware extracted system credentials that allowed unauthorized access to the Fanavaran company infrastructure. Fanavaran provides central technology services to the entire insurance industry.
The devastating breach forced the immediate dismissal of Majid Behzadpour, the head of the Central Insurance Company. The Ministry of Economy replaced him rapidly with Ali Ostad-Hashemi. Iranian state media later suggested the government actively orchestrated the hacking narrative to justify firing Behzadpour. Regardless of internal political maneuvering, the permanent data loss represented a catastrophic failure of national data protection protocols.
The Tosan Supply Chain Catastrophe
IRLeaks executed a devastating supply chain attack in August 2024. The group breached Tosan, a major information technology vendor. Tosan provides core digital infrastructure to 45 percent of all Iranian banks.
The hackers bypassed individual bank security firewalls completely. They used Tosan’s central administrative systems to access 20 of the 29 active credit institutions operating in the country. Affected institutions included the Central Bank of Iran, Post Bank of Iran, Sarmayeh Bank, and Eghtesad Novin Bank.
Hackers exfiltrated account numbers, detailed transaction histories, and identity documents for millions of people. IRLeaks publicly demanded a 10 million dollar cryptocurrency ransom on their Telegram channel. The attackers threatened to publish the entire dataset if the banks refused payment.
Tosan’s chief executive officer negotiated secretly with the hackers through encrypted email. The company eventually paid 35 Bitcoin, valued at approximately three million dollars. The attackers received the funds through local cryptocurrency exchanges.
The government officially denied the breach entirely. Authorities called international news reports fake news. However, the attack forced banking officials to shut down automated teller machines nationwide. Citizens could not withdraw cash for daily expenses. Security agencies later raided Tosan’s corporate offices and violently interrogated the staff. The incident proved the extreme fragility of the national electronic economy.
Tendency Analysis: Escalating Sabotage in 2023 and 2024
Network operations intensified significantly as regional proxy conflicts escalated. Hackers began targeting parliamentary systems and specific civilian infrastructure repeatedly.
The Second Fuel Network Sabotage
Predatory Sparrow attacked the fuel distribution network again on December 18, 2023. The intrusion disabled 70 percent of gas stations across the entire nation. The group announced the successful attack publicly on the social media platform X. Hackers explicitly warned the Supreme Leader that military aggression carried a high price.
The group stated the sabotage functioned as a direct response to hostile actions by Iranian proxy forces in the Middle East. The attackers published internal schematics of the gas station payment systems to prove their deep network access. The operation demonstrated an almost certain capability to penetrate secured government networks at will.
The Parliamentary Network Breach
A group named Uprising till Overthrow hacked the national parliament in February 2024. The group aligns strongly with the exiled People’s Mojahedin Organization of Iran. Hackers took down 600 government servers simultaneously.
The attack destroyed the electronic voting system inside the main legislative chamber. Lawmakers had to stand up or sit down manually to cast their votes during official proceedings. The live television broadcast of the parliamentary session also failed due to the severe server damage.
The attackers leaked hundreds of pages of highly sensitive documents. The files exposed secret strategies used by the Supreme National Security Council to evade international economic sanctions. The group also published the exact monthly salaries of parliament members.
Documents showed lawmakers earned between 3,200 and 5,000 United States dollars. The average factory worker earned a tiny fraction of that amount amid 50 percent national inflation. The leak fueled massive public outrage right before the scheduled March parliamentary elections. Analysts assess the timing as a calculated move to depress voter turnout and highlight systemic government corruption.
Anomaly Analysis: The 2025 Financial Extortion Campaigns
The behavior of hacker groups shifted toward highly anomalous extortion tactics in early 2025. Attackers executed massive financial breaches but behaved unlike traditional cybercriminals. The evidence strongly points toward sophisticated state-sponsored influence operations disguised as financial heists.
The Codebreakers and Bank Sepah
A hacker collective calling itself Codebreakers breached Bank Sepah in March 2025. Bank Sepah operates as the oldest financial institution in the country. The United States Treasury previously designated the bank for facilitating weapons programs. The bank holds deep institutional ties to the armed forces and the ballistic missile program.
Hackers extracted 12 terabytes of compressed data from the banking servers. The database contained 42 million individual customer records. Codebreakers demanded a 42 million dollar Bitcoin ransom. The bank refused to pay the massive sum. The hackers immediately released large portions of the stolen data on the internet.
Intelligence analysis indicates the operation functioned primarily as a targeted influence campaign rather than a simple financial heist. The 42 million dollar demand was completely unrealistic for a quick settlement. The attackers exclusively used the Persian language for all public communication.
They distributed the leaked files through Instagram and WhatsApp, which are highly popular applications among ordinary citizens. Financially motivated criminals almost never use WhatsApp because law enforcement frequently monitors the platform and requires linked phone numbers. The group also launched a public video competition offering cryptocurrency prizes for short videos highlighting the hack.
The group specifically highlighted the massive bank accounts of senior military officials. Leaked documents showed Hassan Palarak, the former head of the Reconstruction Headquarters of Holy Shrines, held deposits worth 6.12 million United States dollars. Ordinary people suffered from extreme poverty and hyperinflation while the military elite hoarded immense wealth. The operation successfully amplified domestic outrage against the government. State-affiliated media attempted to downplay the leaks by claiming the accounts belonged to organizational entities rather than private individuals.
The Nobitex Exchange Subversion
Predatory Sparrow targeted the Nobitex cryptocurrency exchange on June 18, 2025. Nobitex is the largest virtual asset trading platform in the country. The exchange processes billions of dollars in daily transactions. Evidence shows the government frequently uses Nobitex to evade international sanctions and fund military proxies like Hamas and Hezbollah.
Hackers stole 90 million dollars in cryptocurrency directly from the exchange. They siphoned the digital funds across the TRON, Ethereum, and Bitcoin blockchain networks. The attackers did not keep the money for themselves. They systematically destroyed the funds by sending them to inaccessible vanity addresses. The blockchain addresses contained the explicit phrase “F*ckiRGCTerrorists”.
TRM Labs analyzed the blockchain activity following the breach. Analysts discovered the internal infrastructure of Nobitex contained special modules designed explicitly to evade detection by the United States Treasury Department. The exchange used stealth addresses and obfuscated transactions to hide money laundering.
The attack occurred exactly five days after the Israeli military bombed nuclear facilities inside the country. Predatory Sparrow publicly [claimed](https://www.trmlabs.com/resources/blog/irans-largest-crypto-exchange-targeted-in-90m-hack) full responsibility for the Nobitex theft. The group explicitly targeted the primary financial tool used by the state to finance regional terrorism. The operation successfully crippled a major financial artery for the military.
Threat Actor Aggregation: Iranian Operations Abroad
The government aggressively expanded its own offensive network operations against foreign adversaries. Security researchers documented a massive surge in hostile activity directed at Israel, the United States, and European nations between 2023 and 2024.
Attacks on Civilian Water Infrastructure
A state-sponsored group known as CyberAv3ngers attacked water and wastewater utilities in the United States during 2023. The hackers specifically compromised programmable logic controllers manufactured in Israel. They left threatening messages on the computer screens claiming every piece of equipment made in Israel was a legal military target.
The group initially disguised itself as an independent hacktivist collective. Investigators quickly traced the network activity back to military intelligence operators. The operation highlighted a strong willingness to target critical civilian infrastructure to achieve geopolitical goals.
Election Interference and Information Warfare
Government hackers launched extensive influence operations to disrupt the 2024 United States presidential election. The Microsoft Threat Analysis Center reported a sharp, noticeable increase in hostile activity. State actors launched fake websites disguised cleverly as legitimate American news organizations.
Operators employed artificial intelligence tools to generate fake news anchors. In December 2023, hackers interrupted streaming television services in the United Kingdom, Canada, and the United Arab Emirates. The hijacked broadcast showed an artificial intelligence anchor delivering state propaganda.
Another widespread campaign involved password spraying and push-bombing multifactor authentication systems. Hackers overwhelmed network users with continuous login approval requests until the frustrated victims accidentally granted system access. The attackers stole high-level credentials and sold them on criminal forums. Security agencies advised organizations to enforce strict phishing-resistant authentication to counter the growing threat. The operations demonstrate an almost certain strategic effort to sow international political discord.
Technical Analysis: The 2026 Absolute Digital Isolation
The ultimate climax of electronic control occurred during the first half of 2026. The government engineered the longest nationwide internet blackout in modern history. Authorities completely severed the domestic population from the global web for four months and 18 days.
Engineering the Disconnection
The government initiated the absolute network blackout on January 8, 2026, to hide the violent civilian massacres. They extended the blackout aggressively in February to obscure the devastating military conflict with the United States. Officials physically disconnected the National Information Network from the global internet.
Telecommunication providers disabled mobile network antennas in specific protest zones, including the Grand Bazaar in Tehran. Authorities completely blocked virtual private network connections. The intelligence chief of the Islamic Revolutionary Guard Corps publicly confirmed plans to permanently block all foreign social media platforms.
The shutdown relied on highly sophisticated application filtering and rigid whitelist architectures. Engineers isolated the core routing tables. Internet Protocol version 6 traffic dropped completely to zero. Internet Protocol version 4 remained seemingly stable on monitoring charts but actually transmitted no user data.
An internet monitoring organization named Filterwatch exposed a confidential plan named Absolute Digital Isolation. Officials Mohammad Amin Aghamiri, Mehdi SeifAbadi, and Ali Hakim-Javadi designed a new “Barracks Internet” system. The restrictive architecture limited internet access exclusively to approved individuals holding special white subscriber identity module cards. The state effectively reclassified internet access as a strict government privilege rather than a standard public utility.
Economic Hemorrhage and Social Devastation
The disconnection caused catastrophic, irreversible economic damage. Minister of Communications Sattar Hashemi admitted the internet shutdown cost the economy 35.7 million dollars daily. Independent economic analysts estimated the true direct and indirect costs reached up to 80 million dollars per day. Total economic losses surpassed 1.8 billion dollars by mid-April.
Online commercial sales dropped by 80 percent immediately. Essential business software, including Skype and Google Meet, completely stopped functioning. Small tech startups went bankrupt rapidly. The national stock exchange collapsed entirely, losing 130 trillion tomans every single day during the initial market panic.
Citizens desperately sought alternative methods to communicate with the outside world. The United States government covertly smuggled thousands of Starlink satellite terminals into the country to restore connectivity. Authorities launched aggressive police operations to raid homes and confiscate satellite dishes. President Masoud Pezeshkian finally ordered a partial restoration of service on May 26, 2026, though connection speeds remained heavily restricted.
Conclusion
The electronic domain surrounding Iran remains extremely hostile and volatile. Over five continuous years, the nation endured a relentless barrage of network assaults. Adversaries successfully degraded essential public services, humiliated the political leadership, and caused billions of dollars in severe economic damage.
Groups like Predatory Sparrow and IRLeaks operate with near absolute impunity. They continuously expose the fundamental incompetence of state cybersecurity programs. The prominent shift toward massive data extortion and sophisticated influence operations successfully weaponized existing public anger. Leaking the massive private bank accounts of military leaders during an acute economic crisis fueled the exact violent protests the government desperately sought to crush.
The 2026 internet blackout represents the ultimate structural admission of failure. The state effectively destroyed its own domestic economy to silence its citizens and hide catastrophic military defeats. Relying on massive internet blackouts proves the state completely lacks the technical capability to defend targeted networks selectively. Shutting down the entire digital economy to stop data leaks represents a crude and highly unsustainable defense mechanism.
The extreme vulnerability of the technology supply chain requires urgent attention. The Tosan software breach proved definitively that securing individual banks remains meaningless if the central vendor remains completely exposed. Single points of catastrophic failure exist throughout the entire national architecture.
The successful deployment of wiper malware and the permanent destruction of funds at Nobitex sets a dangerous new precedent for electronic warfare. Attackers are highly likely to continue targeting the specific financial networks used to fund proxy militias. The permanent destruction of virtual assets eliminates the possibility of economic recovery. Evidence confirms an almost certain continuation of these highly destructive attack cycles. Offensive network operations will run parallel to kinetic military warfare indefinitely. The national infrastructure remains highly vulnerable to future subversion.
Works cited
1. 2026 Internet blackout in Iran – Wikipedia, https://en.wikipedia.org/wiki/2026_Internet_blackout_in_Iran 2. Predatory Sparrow – Wikipedia, https://en.wikipedia.org/wiki/Predatory_Sparrow 3. EvilPlayout: Attack Against Iran’s State Broadcaster – Check Point Research, https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ 4. Iran Government Website Hacked By Opposition Group, https://www.iranintl.com/en/202203146632 5. Iran TV Taken Over: Reza Pahlavi’s Call For Uprising Airs Nationwide | NewsX – YouTube, https://www.youtube.com/watch?v=B66fgKAeQGc 6. Microsoft investigates Iranian attacks against the Albanian government, https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ 7. bankmellat.ir Data Breach in 2021 – Breachsense, https://www.breachsense.com/breaches/bankmellat-ir/ 8. Ransomware Group Profile: Arvin Club | Threat Intelligence – CloudSEK, https://www.cloudsek.com/threatintelligence/ransomware-group-profile-arvin-club 9. Hackers hit Iran’s Bank Mellat, leak data on millions, https://www.iranintl.com/en/202506245683 10. Iran Banks Burned, Then Customer Accounts Were Exposed Online – Glenbrook Partners, https://glenbrook.com/payments_news/iran-banks-burned-then-customer-accounts-were-exposed-online/ 11. Intel Brief: Irleaks’ Massive Cyber Campaign In Iran Highlights Fragility Of Data Economy, https://www.dyami.services/post/intel-brief-irleaks-massive-cyber-campaign-in-iran-highlights-fragility-of-data-economy 12. Troves Of Iranian Hacked Insurance Customer Data On Sale | Iran International, https://www.iranintl.com/en/202312264629 13. Exploring the Motives behind the Dismissal of Iran’s Central Insurance Chief – NCRI, https://www.ncr-iran.org/en/news/economy/exploring-the-motives-behind-the-dismissal-of-irans-central-insurance-chief/ 14. Irleaks Data Breach: What Happened, Impact, and Lessons | Huntress, https://www.huntress.com/threat-library/data-breach/irleaks-data-breach 15. IRLeaks attack on Iranian banks – Wikipedia, https://en.wikipedia.org/wiki/IRLeaks_attack_on_Iranian_banks 16. Iran points at Israeli-linked group as cyberattack disrupts fuel network | News – Al Jazeera, https://www.aljazeera.com/news/2023/12/18/iran-says-cyberattack-disrupts-petrol-stations-across-country 17. Iran Update, December 18, 2023 | ISW, https://understandingwar.org/research/middle-east/iran-update-december-18-2023/ 18. Predatory Sparrow Hacker Group Strikes Iran Again, Inflicting Widespread Damage to Gas Station Services, https://ti.qianxin.com/blog/articles/Predatory-Sparrow-Hacker-Group-Strikes-Iran-Again-Inflicting-Widespread-Damage-to-Gas-Station-Services-EN/ 19. Iran parliament websites hit by cyberattacks: State media, https://english.alarabiya.net/News/middle-east/2024/02/13/Iran-parliament-websites-hit-by-cyberattacks-State-media- 20. Iran’s Parliamentary Voting System Disrupted After Cyber Attack | Iran International, https://www.iranintl.com/en/202402148408 21. Hacked Documents Reveal Iran’s Strategies To Bypass Sanctions – ایران اینترنشنال, https://www.iranintl.com/en/202402137504 22. Iran News: Bank Sepah Hacking Scandal Exposes Regime’s Incompetence and Paranoia, https://www.ncr-iran.org/en/news/iran-news-bank-sepah-hacking-scandal-exposes-regimes-incompetence-and-paranoia/ 23. Codebreakers Hack Sepah Bank: Financial Motive or Influence …, https://www.cyfluence-research.org/post/codebreakers-hack-sepah-bank-financial-motive-or-influence-operation 24. Top 10 cybersecurity breaches of 2025: Lessons for compliance, https://www.int-comp.org/insight/top-10-cybersecurity-breaches-of-2025-lessons-for-compliance/ 25. Everything You Need to Know About Cyber Risks in 2025’s Second Half – Metricstream, https://www.metricstream.com/blog/cyber-risks-in-2025s-second-half.html 26. Iran’s Largest Crypto Exchange Targeted in $90M Hack | TRM Labs, https://www.trmlabs.com/resources/blog/irans-largest-crypto-exchange-targeted-in-90m-hack 27. Hackers targeted officials active on Iranian crypto exchange, source says | Iran International, https://www.iranintl.com/en/202508299204 28. Cyber fallout from the Iran war: What to have on your radar | | ESET, https://www.eset.com/me/about/newsroom/press-releases/press-releases/cyber-fallout-from-the-iran-war-what-to-have-on-your-radar-1/ 29. ESET Research releases latest APT Activity Report, highlighting cyber warfare of Russia-, China-, and Iran-aligned groups, https://www.eset.com/gr-en/about/newsroom/press-releases-1/eset-research-releases-latest-apt-activity-report-highlighting-cyber-warfare-of-russia-china-and-iran-aligned-groups-2/ 30. Iran’s Cyber Influence on the 2024 US Election | Security Insider – Microsoft, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-steps-into-us-election-2024-with-cyber-enabled-influence-operations 31. Iran accelerates cyber ops against Israel from chaotic start – Microsoft On the Issues, https://blogs.microsoft.com/on-the-issues/2024/02/06/iran-accelerates-cyber-ops-against-israel/ 32. Iran Internet Shutdown Reporting (January 2026 – ), https://filter.watch/wp-content/uploads/sites/2/2026/03/Resilience-Amid-Isolation-in-Irans-2026-Shutdown.pdf 33. Iran’s Internet is partially restored, Cloudflare Radar data shows, https://blog.cloudflare.com/iran-internet-partially-restored-may-2026/
