Iran experienced a near-total internet blackout affecting roughly 90 million people, with monitoring indicating about a 99% drop in outbound traffic and only limited, likely whitelisted connectivity remaining for government, military, and select elites. Reporting indicated the shutdown followed US and Israeli strikes on February 28 that killed Iran’s Supreme Leader Ali Khamenei, and that the state continued to route domestic activity through its National Information Network (NIN), keeping access to local services while cutting off most access to the global internet; common circumvention methods (e.g., VPNs/proxies) were described as largely ineffective during a full shutdown, with a small number of external links reportedly available via Starlink gateways.
Separate open-source reporting using Planet Labs PlanetScope satellite imagery documented damage consistent with strikes on Iranian police stations, alongside broader attacks on military infrastructure and significant reported casualties. The combined picture is of escalating kinetic conflict and internal security pressure coinciding with severe communications restrictions that constrain independent reporting, disrupt civilian and business connectivity, and centralize information flow through state-controlled networks.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
During the conflict and nationwide internet blackout, Holistic Resilience developed the Mahsa Alert app to help civilians identify threats and find hospitals, shelters, blood banks, and checkpoints. The group reportedly validated alerts using crowdsourced reports, open-source intelligence, Telegram messages, social media, and CCTV footage while facing hacking, misinformation, and accusations from Iranian authorities.
By March 20, NetBlocks characterized Iran's connectivity loss as a near-total blackout that had continued for 20 straight days. Reports said some Iranians were relying on Starlink, black-market VPNs, and custom circumvention tools, while authorities increased warnings, enforcement, and arrests tied to bypass services.
By March 6, Iran's nationwide outage had lasted more than six days, with researchers warning that both deliberate restrictions and wartime damage to power or internet infrastructure were likely contributing to the disruption. Observers also reported selective or tiered access for government and elite users while most of the public remained cut off from the global internet.
Open-source analysis and corroborating imagery indicate that multiple police stations in Tehran were hit between March 1 and March 3, including sites near Ferdowsi Square and the Grand Bazaar. The strikes appeared to extend beyond widely reported military targets, though satellite imagery alone could not attribute responsibility.
After the February 28 strikes, Iranian authorities sharply restricted internet access, with monitoring groups reporting connectivity fell by about 99% to below 1%. The blackout affected nearly 90 million people and was described as a near-total nationwide shutdown.
According to the referenced reporting, the United States and Israel began large-scale strikes on Iran on February 28. The same account says the attack killed Supreme Leader Ayatollah Ali Khamenei and caused hundreds of deaths, citing the Iranian Red Crescent.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
foxbusiness.com
Open sourcemiddleeasteye.net
Open sourcewired.com
Open sourcebellingcat.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.