Low Signal


From January 2 onward (access has not yet been restored), internet access in Iran was suddenly disrupted nationwide. Available data shows that this shutdown was not the result of a technical failure, but a targeted, nationwide internet blackout aimed at suppressing protests against the Islamic Republic of Iran. This disruption had wide-ranging social, economic, and communication consequences.

What happened? (Day-by-day journal)

The first whispers of an internet blackout began on January 2, 2026. A collective of free-software activists issued a soft warning to the public, encouraging people to install Delta Chat, a decentralized messaging application that uses the email protocol to deliver messages through a messenger style interface.

On the same day, the IRCF Telegram channel published an analysis explaining that technical findings indicated the regime was attempting to conceal digital repression through traffic engineering. According to this post, internet traffic in cities that were centers of protest dropped to less than 3.1%. However, traffic in political and administrative centers such as Alborz Province, which accounts for 50.8% of the country’s total internet traffic, remained unchanged.

This selective management of traffic effectively tricked internet monitoring platforms such as NetBlocks into reporting that Iran’s internet was still connected. As a result, the reality of digital suppression was obscured in global datasets.

On January 3, Cloudflare Radar reported that Iran’s internet connection appeared to be technically online, but with significantly reduced quality, indicating an abnormal situation. Over the previous two days, the internet had not been completely cut off, but remained highly unstable. Connectivity worked for limited hours and then dropped unpredictably, making it unreliable for daily use.

Data showed a noticeable decline in overall internet usage, particularly among home users, web browsing, and general application usage. A significant portion of remaining traffic appeared to be related to automated systems, while the share of human-driven traffic dropped sharply. This pattern typically emerges when internet access becomes impractical and frustrating for everyday users.

These disruptions were nationwide, with no meaningful difference between home broadband and mobile internet. Compared to the 12-day period of conflict between Iran and Israel, the current situation was different. The internet was not entirely offline, but was intentionally managed to be slow, unstable, and exhausting to use. The result was an internet that technically existed, but at a high cost in time, effort, and mental strain.

On January 4, Cloudflare Radar reported that on the previous two days there had been a sudden shock, with internet traffic dropping below 30% at certain points. On that day, however, the situation changed again. The internet was still not restored, but intermittent outages were replaced by persistent disruption, with human-driven traffic dropping to as low as 13% at some points.

The report suggested that the regime had begun targeting protocols such as QUIC, which many modern applications and censorship circumvention tools rely on. These disruptions did not occur all at once and appeared to be rolled out ISP by ISP, indicating a deliberate and controlled implementation rather than a technical failure.

January 5

NetBlocks had still not published any statement regarding the situation in Iran. Based on Arvan Radar and Vanilla Radar data, the disruption did not affect Iranian data centers, or its impact at that level was minimal. However, there were several reports from areas where protests were taking place indicating that internet access had been cut. Difix Radar data shows that on this date, users of both home and cellular internet services experienced the most interruptions between 11:00 and 13:00 (UTC+3:30).

January 6

Between 3:15 and 8:15 UTC+3:30, Cloudflare Radar detected an abnormality in the infrastructure. The pattern revealed irregular noise, sudden traffic spikes, followed by a significant drop, especially in HTTP traffic. This behavior does not align with typical nightly usage patterns, where traffic typically decreases gradually. The sudden spikes and drops suggest an anomaly that wouldn't be categorized under normal traffic variations.

This issue is unlikely to be a Distributed Denial of Service (DDoS) attack or a foreign intrusion, as suggested by IRCF. Additionally, the root cause doesn’t seem to be related to end-user behavior or natural consumption patterns. Given that the problem occurred at the infrastructure level, it is more plausible that this was the result of new restrictions or technical updates applied at a higher layer of the network.

The most likely explanation is that there was an internal disruption or deliberate limitation within the country’s internet infrastructure, impacting users’ ability to access the internet. This disruption could involve temporary adjustments to capacity, routing, or filtering settings that affected overall connectivity.

On January 7, multiple reports emerged regarding widespread internet disruptions, strict limitations, and even complete internet shutdowns, including intranet services. The situation appears to be in a “whitelist mode,” where only certain ISPs and specific locations can access a limited set of services, while all others are restricted. This suggests that the regime is actively manipulating the country's internet infrastructure, which raises significant concerns about control over communications and access to information.

Cloudflare Radar reports that early this morning (Wednesday), a real and measurable infrastructure-level anomaly occurred in the network, lasting for several hours. The event was sudden and time-correlated, not gradual.

The graph shows that prior to this window, traffic closely followed the pattern of the previous week, indicating that the network was operating normally and stably. Immediately after this point, both Total Bytes and HTTP Bytes dropped simultaneously and then stabilized at a significantly lower baseline.

This simultaneity indicates that the issue is not limited to a specific protocol or service, but instead occurred along the traffic transit path itself. It is also unrelated to user consumption patterns, as the deviation from the previous week is significant and the slope of the decline is clearly abnormal.

This pattern almost conclusively rules out a DDoS attack, a sudden surge in usage, or a physical failure of international links, since none of those scenarios produce such a clean, sustained, and uniform traffic drop.

Instead, international infrastructure traffic appears to have entered a state resembling “capacity-reduced routing.” This could indicate that:

  • Certain BGP routes were withdrawn
  • Traffic was shifted to lower-capacity links
  • Large-scale Deep Packet Inspection (DPI) was enabled

This decision or configuration change was applied at a layer above individual ISPs, specifically at the national infrastructure network level. As a result, all access types were affected simultaneously—including home users, data centers, mobile networks, and fixed-line connections.
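The reasoning above (traffic tracks the previous week, then Total Bytes and HTTP Bytes fall in the same hour and stay low) can be turned into a check. This is an added example, not Cloudflare Radar's method or code from the original post; the hourly series, thresholds and function names are constructed for illustration.

```python
# Constructed hourly samples (arbitrary units): same 12 hours, this week vs last week.
PREV_TOTAL = [80, 70, 60, 55, 60, 75, 90, 100, 105, 110, 108, 104]
NOW_TOTAL = [82, 69, 61, 54, 59, 34, 40, 45, 47, 50, 49, 47]
PREV_HTTP = [40, 35, 30, 28, 30, 38, 45, 50, 52, 55, 54, 52]
NOW_HTTP = [41, 35, 30, 28, 29, 16, 19, 21, 22, 23, 23, 22]


def hourly_ratio(current, previous_week):
    """Ratio of each hour's traffic to the same hour one week earlier."""
    return [c / p for c, p in zip(current, previous_week)]


def sustained_drop_onset(ratio, threshold=0.7, hold=3):
    """First index where the ratio is below `threshold` for `hold` hours in a row."""
    for i in range(len(ratio) - hold + 1):
        if all(r < threshold for r in ratio[i:i + hold]):
            return i
    return None


def classify_drop(total_now, total_prev, http_now, http_prev,
                  normal_band=0.1, min_step=0.2):
    """Separate an abrupt drop in both series from a gradual or single-series one."""
    total_r = hourly_ratio(total_now, total_prev)
    http_r = hourly_ratio(http_now, http_prev)
    onset_total = sustained_drop_onset(total_r)
    onset_http = sustained_drop_onset(http_r)
    result = {"onset_total": onset_total, "onset_http": onset_http}

    if onset_total is None and onset_http is None:
        result["verdict"] = "no sustained drop"
        return result
    if onset_total is None or onset_http is None:
        result["verdict"] = "one series only: protocol- or service-specific"
        return result

    # Before the onset, did traffic follow last week's curve?
    tracked = all(abs(r - 1) <= normal_band for r in total_r[:onset_total])
    # Size of the fall in the single hour where the drop begins.
    step = total_r[onset_total - 1] - total_r[onset_total] if onset_total else 0.0
    # Both series must break within one hour of each other.
    simultaneous = abs(onset_total - onset_http) <= 1

    if tracked and simultaneous and step >= min_step:
        result["verdict"] = "abrupt simultaneous drop: transit-path change"
    else:
        result["verdict"] = "gradual or staggered decline"
    return result


if __name__ == "__main__":
    print(classify_drop(NOW_TOTAL, PREV_TOTAL, NOW_HTTP, PREV_HTTP))
```
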

Observed impacts include:

  • TLS handshakes becoming slow or failing
  • VPN connections becoming unstable
  • Partial or complete failure of some websites and services

Based on user reports, both fixed-line and mobile internet services in many cities across the country experienced severe instability, significant speed degradation, and major upload disruptions, coinciding with the eleventh day of nationwide strikes and public protests. In some areas, even access to domestic services was not functioning properly.

Evidence indicates that access to the international internet has been heavily restricted. In parts of Tehran, Shiraz, Ahvaz, Mashhad, Ilam, and other cities, connectivity has effectively been reduced to a national intranet. Taken together, these reports point to a prolonged disruption, a noticeable reduction in available bandwidth, and increasingly concerning connectivity conditions nationwide.

January 8

Regarding fixed-line and mobile internet services, some methods and protocols are barely functioning, and it appears that international internet access has not yet been completely cut nationwide. Out of the four internet connections currently available to me, one has become entirely unusable.

According to Arvan Radar data monitoring domestic data centers, 4 out of 10 indicators are currently experiencing disruptions, while 3 are offline. Notably, some of these data centers experienced relatively severe disruptions between 14:00 and 24:00 yesterday.

When Iran’s international internet connectivity came close to a near-total disruption, Cloudflare Radar surprisingly did not record or report any anomaly. Why is that?

The chart in question shows traffic volume, not connection quality or actual international reachability. When we say that Iran’s internet was close to an international cutoff, it does not necessarily mean that the volume of transmitted bytes dropped to zero or near zero. Rather, it means that routes became unstable, slow, or selectively blocked.

In such situations, several things usually happen at the same time. Users remain technically online, applications still open, and requests continue to be sent, but responses arrive extremely slowly or not at all. These repeated retries can keep traffic volume seemingly stable, even while the user experience is catastrophic. Put simply, the internet “doesn’t work, but it keeps struggling.”

Additionally, a significant portion of the traffic visible in these charts is domestic or semi-domestic. This includes CDNs, caches, local services, and even some foreign services with in-country termination points. When international connectivity degrades, usage naturally shifts toward these paths, which helps keep overall traffic graphs from collapsing.

There is also a more critical point. International disruptions in Iran are rarely uniform or nationwide. Certain ASNs, routes, or protocols are affected more severely than others. From Cloudflare’s perspective, which observes traffic from a limited set of vantage points and links, a dramatic failure may not appear as a sharp drop in volume. From the user’s perspective, however, connectivity to the global internet is effectively broken.

If this chart were meant to clearly reflect yesterday’s disruption, it would need to show indicators such as increased retries, higher latency, timeouts, or reduced handshake success rates, rather than just a decline in byte volume. The chart shows that data was exchanged, not whether that data successfully reached its intended destination or was actually useful.

In short, yesterday the internet in Iran could have been close to an international outage from the user’s point of view, while from Cloudflare Radar’s perspective it appeared severely degraded and inefficient. These two observations are not necessarily contradictory.
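The gap described above, between byte volume and usable connectivity, as an added example (not Cloudflare Radar's method or code from the original post): it aggregates active-probe records per hour and flags hours where volume stays near the baseline while TLS handshake success collapses. The record fields, thresholds and sample values are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class Probe:
    hour: int                    # hour bucket of the measurement
    bytes_sent: int              # bytes on the wire, retries included
    attempts: int                # connection attempts (1 means no retry)
    handshake_ok: bool           # did the TLS handshake complete?
    latency_ms: Optional[float]  # time to handshake completion, None on timeout


def sample_probes():
    """Constructed data: a healthy hour, a 'struggling' hour, a visible outage."""
    probes = [Probe(0, 5000, 1, True, 120.0) for _ in range(10)]
    # Hour 1: retries keep the byte count up although most handshakes time out.
    probes += [Probe(1, 7400, 5, True, 2400.0) for _ in range(2)]
    probes += [Probe(1, 4200, 6, False, None) for _ in range(8)]
    # Hour 2: almost nothing gets out, so the volume chart shows it too.
    probes += [Probe(2, 360, 6, False, None) for _ in range(10)]
    return probes


def summarize(probes):
    """Group probes by hour and compute volume next to quality indicators."""
    buckets = defaultdict(list)
    for p in probes:
        buckets[p.hour].append(p)
    summary = {}
    for hour, group in sorted(buckets.items()):
        ok = [p for p in group if p.handshake_ok]
        n = len(group)
        summary[hour] = {
            "bytes": sum(p.bytes_sent for p in group),
            "handshake_success": len(ok) / n,
            "retries_per_probe": sum(p.attempts - 1 for p in group) / n,
            "timeout_rate": sum(p.latency_ms is None for p in group) / n,
            "median_latency_ms": median(p.latency_ms for p in ok) if ok else None,
        }
    return summary


def hidden_outages(summary, baseline_hour, volume_tolerance=0.25, min_success=0.5):
    """Hours a volume-only chart would miss: bytes near baseline, handshakes failing."""
    base = summary[baseline_hour]["bytes"]
    flagged = []
    for hour, s in summary.items():
        volume_stable = abs(s["bytes"] - base) / base <= volume_tolerance
        if volume_stable and s["handshake_success"] < min_success:
            flagged.append(hour)
    return flagged


if __name__ == "__main__":
    stats = summarize(sample_probes())
    for hour, s in stats.items():
        print(hour, s)
    print("hidden outages:", hidden_outages(stats, baseline_hour=0))
```
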

January 9: Total blackout

On January 9, Iran experienced a sudden and near-complete communications blackout. Internet connectivity was fully disrupted, and mobile voice services were also rendered unavailable. The outage persisted until the morning of January 12.

During this period, limited communication was possible only through a small number of exceptions, including Shatel’s BigBlueButton infrastructure and certain self-hosted Jitsi servers. These services are not identified in detail here due to security considerations.

Access to the public international internet was entirely unavailable throughout the blackout. Government-sponsored and so-called domestic messaging platforms, including Rubika, Soroush Plus, iGap, Ita, and Bale, were also non-functional for message delivery. In addition, SMS services were disrupted and did not resume until Saturday, January 11.

The scope and uniformity of the disruption indicate a centrally enforced shutdown affecting both data and voice layers of the national communications infrastructure.

January 9 until January 15: Total blackout continues. SMS and government-sponsored messengers were cut off, and all websites hosted outside the country were out of reach

The blackout continued. International internet was completely cut off, leaving only the national intranet operational.

Government-sponsored messengers and platforms were technically online but blocked normal communication, so people could not send messages. As a result, users relied on domestic websites such as state news agencies, banks, and other approved services.

Some citizens turned to alternative and decentralized communication methods. Tools like Delta Chat were used where possible, and some individuals self-hosted mail and messaging servers on the intranet. Free software activists shared simple scripts and guides to help others set up temporary local servers during the shutdown.

Newly launched websites faced serious issues obtaining SSL/TLS certificates, because global certificate authorities were unreachable. Many sites were accessed directly via IP addresses, bypassing HTTPS.

On January 15, NetBlocks reported that Iran had entered approximately 168 hours of continuous internet shutdown, confirming that the blackout was intentional and ongoing. (Source: NetBlocks, Iran internet disruption)

Independent measurements showed connectivity at almost zero percent internationally, making this one of the longest nationwide internet shutdowns in Iran’s history. (Source: Wikipedia, 2026 Internet blackout in Iran)

Human rights organizations warned that the blackout was being used to suppress information, prevent organization of protests, and conceal violations. (Sources: Amnesty International, ARTICLE 19)

January 15

As the Iran internet shutdown passed 156 hours, connectivity remained critically low, with NetBlocks reporting a near-total blackout and only tiny fractional increases in traffic, likely from whitelisted services or state-linked endpoints. Network telemetry showed no meaningful return of international connectivity, and analysts noted an online information vacuum that has enabled pro-regime narratives and AI-generated disinformation to spread more easily.

Cloudflare’s internet traffic data similarly indicated that overall traffic levels inside Iran were nearly flat-lined compared to pre-shutdown baselines, with only occasional transient uplifts on specific mobile networks that quickly fell back to blackout levels.

Meanwhile Filterwatch and internet freedom organisations warned that Tehran’s authorities appear to be formalising a “tiered access” model—only whitelisted users or critical institutions may connect, while the public remains segregated into the state’s National Information Network.

DNS tunneling (DNS Splitstream + v2ray) was the new method that some people managed to implement and use to connect to the internet. This method was available because some websites were whitelisted.

Telegram channels started spreading NPV (Napster V) config files among users for free. The most famous one was named mitivpn.

New scams also emerged. Some people on Telegram started scamming others by claiming to sell Starlink VPN configurations; at best, buyers would be connected for 1-2 days and then disconnected.

January 16

Technical monitors observed no substantial restoration by this date. Routing tables and BGP updates continued to show international prefixes unreachable, confirming that most global traffic was being dropped or filtered at major internet exchange points.

Cloudflare online traffic dashboards and locally collected telemetry showed connectivity anomalies but no stable return of usable internet for the majority of users. VPN and circumvention attempts were frequently terminated by deep packet inspection (DPI), connection resets, and throttling consistent with active blocking policies.

At the same time, a spokesperson for the Iranian government told media activists that unrestricted access would not return “before Nowruz” (March 20), suggesting a politically driven restoration timeline rather than a technical one.

January 17

NetBlocks noted slight, short-lived increases in connectivity spikes that corresponded with heavily filtered access to certain messaging services such as Google APIs. However, these were temporary and immediately followed by regression back to near-zero connectivity.

Digital rights groups corroborated that SMS services were restored and that internal domestic platforms were being enabled before any international internet access. This matched technical observations that only minimal layers of communication were reinstated, and international TCP/IP traffic remained blocked for most endpoints.

Amnesty International and other rights bodies highlighted that the blackout was being used to obscure the scale of human rights violations during the protests, as journalists and activists could not document events in real time.

January 18

By January 18, Cloudflare Radar and traffic charting continued to show extremely low overall connectivity, with only small bursts of traffic visible, interpreted as either background system noise or highly controlled, filtered access that did not amount to functional internet.

NetBlocks metrics suggested these ephemeral spikes were possibly engineered to create a false impression of restoration, as the broader network infrastructure remained effectively offline.

Rights organisations such as EFF (Electronic Frontier Foundation) joined global tech infrastructure advocates in publicly urging Tehran to immediately restore full, unfiltered internet access, emphasizing that state-ordered shutdowns violate fundamental information rights and destabilise the global internet commons.

January 19

On January 19, international agencies including Reuters noted officials acknowledging minimal traffic increases but describing the situation as a “filternet”—a heavily censored, filtered internet service with severe restrictions on global access.

Technical real-time dashboards showed that overall connectivity remained under ~2% of normal levels, and periods of brief partial access were followed by renewed shutdowns. This pattern suggested continued deep infrastructure filtering and routing controls rather than true restoration.

Policy experts and digital rights groups continued to warn that, beyond temporary tactical adjustments, Tehran was building tools and policies to make such blockades more efficient and persistent, fostering a long-term state-controlled internet environment.

There are some ground reports indicating that VPN configs behind the Cloudflare CDN are working with fragment. Some people could connect while reconfiguring their APN and using Psiphon.

January 20

By January 20, the blackout had lasted nearly two full weeks with global visibility metrics confirming negligible international traffic and minimal usable connectivity. Cloudflare’s historical traffic reductions showed the blackout far exceeded typical protest-related throttling, indicating active, centralized suppression rather than technical faults.

NetBlocks, Cloudflare Radar, Amnesty International, EFF, and other digital freedom and human rights monitors classified this shutdown as among the most comprehensive and longest in Iran’s history, combining state-level censorship tools such as DPI, DPI-based session resets, protocol blocking, BGP withdrawal, and targeted whitelist routing to isolate citizens from the global network.

Despite periodic claims by officials of impending restoration, the technical data clearly shows the regime continued to restrict fundamental internet protocols and infrastructure, keeping the vast majority of users offline or on highly censored and monitored channels.

Digiato quoted the spokesperson of the National Center of Cyberspace as saying that internet access would be provided for merchants through the chamber of merchants and then for knowledge-based companies.

January 21

According to NetBlocks, more than 300 hours have passed since the start of Iran’s internet blackout.

There were also several reports that the regime is trying to exploit Telegram advertisements to identify active users. These advertisements were also exploited by scammers who claimed they could provide a stable VPN connection.

One of the Government Information Council members said “internet might be connected in the next week”.

Some internet freedom activists suggested that Starlink owners turn off the snow melt feature. Apparently this feature would expose the Starlink to regime drones flying around looking for Starlinks. They also suggested that the drones use infrared to detect Starlinks and that infrared works better at night, so it would be safer to turn off Starlinks at night.

January 22

January 23

Several Iranian technology-focused channels publicly urged people living abroad to install and run Psiphon Conduit, presenting it as a way to help users inside Iran access the open internet during restrictions. These channels emphasized that participation from outside the country could expand available connection capacity for users facing censorship. At the same time, they warned Iranian users to obtain Psiphon invitation links only through trusted and verified channels, citing concerns over surveillance, fake links, and potential security risks associated with unverified sources.

January 24

January 25

NetBlocks reported that Iran has entered 400 hours (17 days) of an internet blackout. NetBlocks described the situation as a combination of:

  • minimal whitelisted services available to some users
  • circumvention tools allowing some messages to get through
  • brief connectivity spikes that give a false impression of wider restoration

The report ends with three grim words: “The Shutdown Continues.”

What I heard on the ground from people is that some VPNs might work for short periods of time. This is believed to be because the regime is actively experimenting with the network structure. At times, even some websites and applications like Telegram, YouTube, or Instagram briefly open and load for a few minutes or hours without any VPN.

This unstable and abnormal behavior at the network level has kept a frightening theory alive among digital activists. The theory goes by many names, but the term most often heard from insider activists is GFW, which stands for Great Firewall, similar to the one used in China.

Fars News reported yesterday that the internet would return to its “normal” situation. By normal, they mean the state before the blackout, which still included heavy filtering. This did not happen. People have since turned it into a joke: whenever officials say the internet will reconnect and the promised time passes without any connection, people simply go back and read that news again. Another version of the joke says that whenever they promise to connect the internet, they actually end up disconnecting it even more.

Hamshahri news agency reported, citing unnamed government sources, that at least 1,300 megawatts of electricity were reduced from Iran’s national power grid during a recent period, a claim that has not yet been independently confirmed through official grid or energy authority disclosures. Around the same timeframe, publicly available Bitcoin network data indicated a decline in estimated global hash rate, falling from approximately 450 exahashes per second to about 406 exahashes per second, or roughly a 10 percent decrease, though such figures vary by data provider and calculation method. While fluctuations in hash rate can coincide with changes in electricity availability or mining conditions, no conclusive evidence has been presented to establish a direct causal link between the reported power reduction and the observed change in Bitcoin mining activity.

Some ground reports suggested that merchants were being permitted limited access to the internet at designated locations, reportedly for sessions of up to 20 minutes at a time and under direct human supervision. According to these accounts, the restricted access was intended to allow basic commercial activities while maintaining tight control over communications, though no official confirmation of such measures has been publicly issued yet.

January 26

The Paskooche Telegram channel reported that some users were able to use Snowflake through Orbot, although it may not work for everyone. When users enable Snowflake in Orbot, the initial connection to the Tor network does not rely on known or static Tor nodes. Instead, it routes traffic through temporary, volunteer-run proxy nodes operated by users around the world, making these connections significantly harder to identify, classify, and censor.

At the same time, free software activists began actively advocating for the use of the Ceno Browser. The rationale behind this push is that even limited connectivity for a small number of users can help strengthen the Ceno peer-to-peer distribution network, potentially allowing content to reach a much larger group of users who remain completely disconnected from the global internet.

There were also reports from the ground indicating a sharp increase in the cost of international phone calls. According to these accounts, the price rose from 4,000,000 Iranian rials to 7,000,000 Iranian rials per 10 minutes, adding further economic pressure on families and businesses attempting to maintain communication with the outside world.

NetBlocks reported that Iran’s nationwide internet disruption had entered its 18th consecutive day, continuing to obscure the scale and impact of what it described as a deadly crackdown on civilians. The monitoring group noted that prolonged connectivity restrictions have limited independent verification and information flow from inside the country. At the same time, remaining gaps in Iran’s filtering system were being systematically closed to restrict the use of circumvention tools, while whitelisted, state-aligned accounts remained active online, amplifying and promoting the Islamic Republic’s official narrative.

January 27

Cloudflare Radar stated that traffic in Iran, which had started rising significantly from 15:00 UTC+3:30 on 2026-01-26, was shut down again. The news about 20-minute internet sessions in special merchant rooms, with a signed certificate and a human supervisor, was also confirmed by Asr Iran magazine.

Data on active users of the Psiphon Conduit project showed that about 190,000 users joined this network in the past few days. Most technologists think that this significant user gain is not unrelated to the Iran internet blackout.

Besides the lack of information about some anonymous internet freedom activists, there is other news about the arrest of technologists such as “Saeed Sozangar” and “Iman Sirfey”.

As one of the consequences of the internet blackout, websites’ SSL certificates are not being renewed, and that is about to become a serious security challenge. It might force administrators to use some sort of forced, insider-issued certificate, which would give the issuing organizations even more access to users’ data. This would violate the principle of network neutrality and would call the security of the intranet into question.

The government announced that the internet is divided into 8 levels, where level 8 stands for total intranet and near blackout and level 1 stands for filternet.

Access to the Apple App Store and Google Play Store was restored. It seems that these two services were added to the whitelist.

NetBlocks reported that 84% of the network came back. However, from the Iranian users’ perspective, that doesn’t mean that the intranet went back to its filternet state; it just means that Iranian systems and services can be seen on the network, but the situation in Iran is still whitelisted.

Cloudflare Radar reported this morning that, over the last 24-hour time frame, Iran’s internet is rising slowly and there was a remarkable rise around 12:00 UTC +3:00. At 21:30 UTC+3:30 the total traffic reached 65% of total capacity, and the HTTP traffic also reached 63.6%. However, a close look at the graph reveals that 97.6% of the returned HTTP traffic is limited. Basically, this means that users send requests to the network but they don’t get any response.

Psiphon stated that the Iran filternet is slowly coming back up and reported that 4,000,000 users are actively using Psiphon in Iran. Following this data, Psiphon asked people abroad to run Psiphon Conduit to help the capacity.

January 28

Access is control, Control is political.