Intelligence on Iran’s digital operations.
Digital Impact Lab is a Washington-based intelligence operation focused on Iran’s digital operations. We have been doing this work since 2018. We produce research and analysis on the Iranian state’s activities online: its cyber capabilities, its influence networks, its sanctions evasion infrastructure, and the conditions on the networks that connect Iranian society to the wider internet. Our work draws on native Persian-language capability, proprietary technology, and a focus on this region that goes deeper than generalist firms can.
Four domains of Iranian state activity online.
Cyber Operations
Iranian state-aligned threat actors, their infrastructure, and their operations against targets inside and outside the country.
Information Operations
State media ecosystems, IRGC-linked information networks, coordinated inauthentic behavior, and the narratives Tehran promotes online.
Sanctions & Procurement
Front companies, financial evasion, beneficial ownership structures, and the procurement networks that sustain sanctioned activity.
Network Infrastructure
Iranian internet architecture, censorship and surveillance systems, connectivity patterns, and the AI-driven analysis we use to monitor conditions on Iranian networks at scale.
Recent research and analysis.
Traffic Laundering: Iran's Azerbaijani Proxy and the Architecture of Controlled Access
Following Iran's May 26, 2026 internet restoration after a three-month blackout, Cloudflare data revealed Iranian traffic masquerading as Azerbaijani through AS29049 (Delta Telecom Ltd.), enabling both sanctions bypass and granular filtering of Cloudflare-hosted content. MTN Irancell routes connections through two paths: DNS spoofing directing traffic through Hetzner servers in Germany, and SNI proxying through Delta Telecom's Azerbaijani network for users with custom DNS. A formal April 2025 agreement between Iran's state backbone operator TIC and Delta Telecom provides government-level structure for this proxy architecture, which grants whitelisted access to sanctioned platforms like OpenAI while enabling connection-level detection of circumvention tools.
Read on Digital Impact Lab Substack →
Iran Digital Pulse: Intranet to Filternet
After 88 days of near-total internet blackout, Iranian officials announced partial restoration on May 26, 2026, with Cloudflare Radar showing traffic reaching only 40% of pre-shutdown levels and 91.6% of restored HTTP requests originating from Tehran. The regime abandoned its failed Internet Pro monetization scheme but maintained the underlying filtering infrastructure blocking Telegram, YouTube, Instagram, and WhatsApp for the general population, while most data centers remained isolated from international peers. Iranian voices rejected official framing of the restoration as a concession, identifying it instead as a tactical shift from intranet to filternet that reset public expectations so heavily filtered connectivity now registers as relief rather than ongoing control.
Read on Digital Impact Lab Substack →
Iran Digital Pulse: Code Against the Blackout
Iranian developers inside the country built dozens of circumvention tools between February 28 and May 25, 2026, exploiting the government's exemption of Google services from its nationwide internet blackout. The tools disguise traffic as Google requests, tunnel through Google Apps Script and Drive, or use DNS queries as data channels, and they are distributed freely on GitHub with no commercial backing. One project bypasses the internet entirely, broadcasting VPN configs and news via satellite as QR codes readable by any Android phone; it is funded by direct donations and accessible to tens of millions with existing satellite dishes.
Read on Digital Impact Lab Substack →