Intelligence on Iran’s digital operations.
Digital Impact Lab is a Washington-based intelligence operation focused on Iran’s digital operations. We have been doing this work since 2018. We produce research and analysis on the Iranian state’s activities online: its cyber capabilities, its influence networks, its sanctions evasion infrastructure, and the conditions on the networks that connect Iranian society to the wider internet. Our work draws on native Persian-language capability, proprietary technology, and a focus that goes deeper than generalist firms can on this region.
Four domains of Iranian state activity online.
Cyber Operations
Iranian state-aligned threat actors, their infrastructure, and their operations against targets inside and outside the country.
Information Operations
State media ecosystems, IRGC-linked information networks, coordinated inauthentic behavior, and the narratives Tehran promotes online.
Sanctions & Procurement
Front companies, financial evasion, beneficial ownership structures, and the procurement networks that sustain sanctioned activity.
Network Infrastructure
Iranian internet architecture, censorship and surveillance systems, connectivity patterns, and the AI-driven analysis we use to monitor conditions on Iranian networks at scale.
Recent research and analysis.
Security Alert: Telegram & WhatsApp “Session-Grabber” Phishing Targeting Iranian Journalists
CERTFA documents a real-time session-hijacking campaign targeting Iranian journalists and civil-society figures using a homoglyph domain (teiegram[.]site, capital “I” for lowercase “l”) to relay live Telegram login codes and harvest 2FA cloud passwords. The operator delivers lures via WhatsApp impersonating known contacts with a “new number,” proposing collaboration or interviews, then relays victims’ one-time codes to Telegram’s authentication system to seize accounts within seconds. CERTFA assesses with moderate-to-high confidence that the operation is conducted by the MOIS-linked Banished Kitten cluster (Storm-0842 / “Dune”), operated via contractor Parsian Afzar Rayan Borna, based on victimology, tradecraft, and native Persian social engineering.
Read on CERTFA Radar →
Traffic Laundering, Part II: How Iran Made Azerbaijan Third in the World for ChatGPT Usage
This analysis extends DIL’s June 2 reporting on Iran’s proxy routing through Delta Telecom (AS29049) in Azerbaijan, documenting four phases of operation correlated with Iranian internet blackouts and restorations from January through May 2026. OpenAI’s Q4 2025 data shows Azerbaijan ranked third globally in per-capita ChatGPT usage, climbing 41 ranking positions over five quarters coinciding with the TIC-Delta Telecom agreement, while OpenAI simultaneously banned hundreds of IRGC-linked accounts, including CyberAv3ngers operators. The routing architecture defeats IP-based sanctions compliance for AI tools explicitly excluded from OFAC General License D-2, presenting Iranian state traffic as Azerbaijani and bypassing geographic blocks that companies like OpenAI and GitHub implement for Iran.
Read on Digital Impact Lab Substack →
Traffic Laundering: Iran’s Azerbaijani Proxy and the Architecture of Controlled Access
Following Iran’s May 26, 2026 internet restoration after a three-month blackout, Cloudflare data revealed Iranian traffic masquerading as Azerbaijani through AS29049 (Delta Telecom Ltd.), enabling both sanctions bypass and granular filtering of Cloudflare-hosted content. MTN Irancell routes connections through two paths: DNS spoofing directing traffic through Hetzner servers in Germany, and SNI proxying through Delta Telecom’s Azerbaijani network for users with custom DNS. A formal April 2025 agreement between Iran’s state backbone operator TIC and Delta Telecom provides government-level structure for this proxy architecture, which grants whitelisted access to sanctioned platforms like OpenAI while enabling connection-level detection of circumvention tools.
Read on Digital Impact Lab Substack →