FORENSIC INFRASTRUCTURE ANALYSIS
THE DIGITAL AUTOPSY
We scanned 16.7 million IP addresses across Iran's surviving network prefixes. This is what we found beneath the surface of the shutdown.
PROLOGUE — THE BASELINE
What Iran Had Before January 8th
In December 2025, Iran's internet was a sprawling network of 9,070 routes across hundreds of organizations. This is what connectivity looked like before the shutdown...
26.2% of Iran's internet addressing space was deliberately withdrawn on January 8th, 2026
ACT I — THE SEVERANCE
January 8th, 2026
2,375 routes vanished from the global routing table. 26% of Iran's addressing space simply stopped being reachable.
This wasn't a gradual degradation. It was a deliberate, coordinated withdrawal of BGP announcements.
The Backbone Bleeds
TCI, the national backbone, accounts for 34% of all withdrawals: the cuts came from the spine of Iran's internet.
The backbone was targeted. This wasn't random; it was surgical.
Who Survived?
Mobile carriers (MCI and Irancell) held on.
The regime needed mobile control more than it needed the internet dead.
The New Routes
987 new routes appeared: not recovery, but reconfiguration.
The National Information Network is being rewired. New routes aren't restoration; they're control infrastructure.
ACT II — THE GHOST TOWN
We Went Looking
We probed 16.7 million IP addresses with TCP SYN packets on 34 ports at 500,000 packets per second. This is what answered.
6,095 Live IPs
A response rate of 0.036%: for every million IPs we scanned, only 365 answered. Iran's internet is now a ghost town. (A SYN scan only sees hosts that accept a connection on one of the probed ports; hosts behind a filter that drops unsolicited SYNs, or that run nothing on those ports, count as silent. The figure measures externally reachable services, not live machines.)
What Shouldn't Be Exposed
We found 117 database and other high-risk services exposed to the public internet. Someone left the doors open: critical infrastructure is accessible to anyone.
ACT II.5 — THE SURVEILLANCE APPARATUS
WHAT THE SCAN REVEALED
Beyond the ghost town lies infrastructure designed not to serve, but to surveil. Here's the evidence of Iran's digital panopticon.
High Port Count Nodes
Anomalous Network Infrastructure
What Does This Mean?
We discovered 20 IP addresses in ArvanCloud's network that complete a TCP handshake on virtually every port.
A typical CDN edge listens on a handful of ports; a web server needs even fewer. Responding on 65,000+ ports is highly unusual for an ordinary host.
ArvanCloud has confirmed this is their TCP Proxy service, a legitimate CDN feature (comparable to Cloudflare Spectrum) that lets customers proxy arbitrary TCP protocols through ArvanCloud's network. A SYN scan cannot tell a proxy that accepts any connection and forwards it apart from a host actually running 65,000 services, so on its own this pattern is a fingerprint of the proxy front end, not evidence of surveillance. Banner-grabbing a sample of the ports would show whether anything real sits behind them.
All 20 high port count nodes sit in the 185.220.226.0/24 subnet.
BGP Exposure
Routing Infrastructure at Risk
What is BGP?
Border Gateway Protocol (BGP) is the routing protocol that autonomous systems use to tell each other which IP prefixes they can reach; it decides the path packets take across the global network. A router that peers over BGP listens on TCP port 179, so a host answering on that port marks a BGP speaker. Reaching the port is not the same as being able to influence routing: a speaker only accepts sessions from configured neighbour addresses, and the attacks usually associated with BGP work through what an attacker announces, not through connecting to a victim's port:
- BGP hijacking: announce someone else's prefix (or a more specific one) so that traffic is redirected through the attacker's network
- Route injection: insert bogus routes into a peer's table over an established session
- Traffic interception: monitor or modify the flows that a hijacked or injected route pulls in
Security Implications
3,082 hosts answering on TCP/179 is a large footprint of routing infrastructure. What an exposed port gives an unauthenticated attacker directly is reconnaissance (the AS number and daemon behaviour revealed by an OPEN/NOTIFICATION exchange) and a target for resource-exhaustion or TCP reset attacks against the BGP daemon where TCP-MD5 (RFC 2385) or TCP-AO (RFC 5925) is not in use. A successful hijack of any of these networks would still redirect traffic for entire prefixes through attacker-controlled infrastructure, but the defence against that is route origin validation (RPKI), not closing port 179.
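To make the distinction concrete, here is an added example (mine, not the report's or Whisper Security's tooling) of what a probe of an exposed TCP/179 listener actually learns. It encodes a minimal BGP OPEN, decodes the OPEN or NOTIFICATION a speaker sends back, and classifies the outcome. The ASN, the BGP identifier and the sample NOTIFICATION bytes are constructed placeholders; probe() is the only part that touches the network.

```python
import socket
import struct

# RFC 4271 framing: 16-byte all-ones marker, 2-byte length, 1-byte type.
MARKER = b"\xff" * 16
HEADER_LEN = 19
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4

# Error code / subcode pairs from RFC 4271 s4.5 plus the Cease subcodes of RFC 4486.
NOTIFICATION_REASONS = {
    (1, 1): "Message Header Error: connection not synchronized",
    (2, 1): "OPEN Message Error: unsupported version number",
    (2, 2): "OPEN Message Error: bad peer AS",
    (2, 3): "OPEN Message Error: bad BGP identifier",
    (2, 6): "OPEN Message Error: unacceptable hold time",
    (4, 0): "Hold Timer Expired",
    (6, 2): "Cease: administrative shutdown",
    (6, 5): "Cease: connection rejected",
    (6, 8): "Cease: out of resources",
}


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Encode a minimal OPEN (RFC 4271 s4.2) with no optional parameters.

    my_as must fit in 16 bits; a 4-byte ASN would need the AS4 capability
    (RFC 6793), which this probe deliberately omits.
    """
    if not 0 < my_as < 65536:
        raise ValueError("2-byte ASN required")
    ident = bytes(int(octet) for octet in bgp_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ident, 0)
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), OPEN) + body


def parse_message(data: bytes) -> dict:
    """Decode one BGP message; OPEN and NOTIFICATION are decoded in full."""
    if len(data) < HEADER_LEN or data[:16] != MARKER:
        raise ValueError("not a BGP message (bad marker or truncated)")
    length, mtype = struct.unpack("!HB", data[16:HEADER_LEN])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes received")
    body = data[HEADER_LEN:]
    if mtype == OPEN:
        if len(body) < 10:
            raise ValueError("truncated OPEN")
        version, asn, hold, ident, optlen = struct.unpack("!BHH4sB", body[:10])
        return {"type": "OPEN", "version": version, "asn": asn, "hold_time": hold,
                "bgp_id": ".".join(str(b) for b in ident), "opt_param_len": optlen}
    if mtype == NOTIFICATION:
        if len(body) < 2:
            raise ValueError("truncated NOTIFICATION")
        code, sub = body[0], body[1]
        return {"type": "NOTIFICATION", "code": code, "subcode": sub,
                "reason": NOTIFICATION_REASONS.get((code, sub), f"code {code} subcode {sub}"),
                "data": body[2:]}
    if mtype == KEEPALIVE:
        return {"type": "KEEPALIVE"}
    if mtype == UPDATE:
        return {"type": "UPDATE", "raw": body}
    raise ValueError(f"unknown message type {mtype}")


def assess_exposure(reply: dict) -> str:
    """What a reply to an unsolicited OPEN from a non-neighbour address tells us."""
    if reply["type"] == "CLOSED":
        return "speaker present; TCP accepted then closed without NOTIFICATION (unknown neighbour)"
    if reply["type"] == "NOTIFICATION":
        return f"speaker present; session refused ({reply['reason']}); reconnaissance only"
    if reply["type"] == "OPEN":
        return f"speaker in AS{reply['asn']} negotiated with an unconfigured peer; investigate"
    return "inconclusive"


def probe(host: str, my_as: int = 65001, timeout: float = 3.0) -> dict:
    """Send one OPEN to TCP/179 and decode whatever comes back (network use only).

    The ASN and identifier are placeholders; only send values you are authorised to use.
    """
    with socket.create_connection((host, 179), timeout=timeout) as sock:
        sock.sendall(build_open(my_as, 90, "192.0.2.1"))
        data = sock.recv(4096)
    return {"type": "CLOSED"} if not data else parse_message(data)


# Constructed reply, not captured from any real router: Cease / Connection Rejected.
SAMPLE_REJECT = MARKER + struct.pack("!HB", HEADER_LEN + 2, NOTIFICATION) + bytes([6, 5])
```

Most production routers will not even send the NOTIFICATION: they accept the TCP connection and drop it, which is the CLOSED case. Either way, the count of listening ports says how many speakers exist, not how many sessions an outsider can join.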
The 412 Protocol
ArvanCloud CDN Response Pattern
What is HTTP 412?
HTTP 412 "Precondition Failed" is the status ArvanCloud's edge returns when a request arrives with a Host header that matches no configured domain, which is exactly what a probe sent to a bare IP address looks like. A 412 therefore indicates traffic routed through ArvanCloud infrastructure, not a decision about the client.
Consistent response tuples (same Server header, same Content-Length) across many unrelated IPs indicate centralized CDN infrastructure handling these requests.
Block Page Fingerprints
Identical content-length values indicate standardized block pages served from centralized filtering.
[Chart: HTTP status code distribution]
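An added example, not code from the report, of the fingerprinting described in the two sections above: it parses raw HTTP responses from a Host-less probe, groups hosts by their (status, Server, Content-Length) tuple so that centralized edges and standardized block pages surface as clusters, and pulls out the ArvanCloud 412 hosts. The sample responses and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample responses to a raw-IP probe (no Host header); not the report's data.
# Addresses are documentation space and bodies are abbreviated.
SAMPLES: Dict[str, bytes] = {
    "198.51.100.10": b"HTTP/1.1 412 Precondition Failed\r\nServer: ArvanCloud\r\nContent-Length: 155\r\nContent-Type: text/html\r\n\r\n<html>412</html>",
    "198.51.100.11": b"HTTP/1.1 412 Precondition Failed\r\nServer: ArvanCloud\r\nContent-Length: 155\r\n\r\n<html>412</html>",
    "198.51.100.12": b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\nContent-Length: 2847\r\n\r\n<html>blocked</html>",
    "198.51.100.13": b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\nContent-Length: 2847\r\n\r\n<html>blocked</html>",
    "198.51.100.14": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Length: 10823\r\n\r\n<html>site</html>",
    "198.51.100.15": b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\nContent-Length: 2847\r\n\r\n<html>blocked</html>",
}

Fingerprint = Tuple[int, str, int]  # (status, Server header, Content-Length)


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into status, lower-cased headers and body length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length", "")
    return {
        "status": int(m.group(1)),
        "server": headers.get("server", "-"),
        # Fall back to the body we actually received when no length is declared.
        "content_length": int(declared) if declared.isdigit() else len(body),
        "headers": headers,
    }


def fingerprint(raw: bytes) -> Fingerprint:
    p = parse_response(raw)
    return (p["status"], p["server"], p["content_length"])


def cluster(responses: Dict[str, bytes], min_hosts: int = 2) -> Dict[Fingerprint, List[str]]:
    """Group hosts that return byte-identical-looking responses; singletons are dropped."""
    groups = defaultdict(list)
    for ip, raw in responses.items():
        groups[fingerprint(raw)].append(ip)
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) >= min_hosts}


def arvan_412_hosts(responses: Dict[str, bytes]) -> List[str]:
    """Hosts whose Host-less probe hit an ArvanCloud edge (412 + ArvanCloud Server header)."""
    hits = []
    for ip, raw in responses.items():
        p = parse_response(raw)
        if p["status"] == 412 and "arvancloud" in p["server"].lower():
            hits.append(ip)
    return sorted(hits)
```

Clusters with a 403 (or 451) status and one repeated Content-Length across many unrelated networks are the block-page signature; a 412 cluster is the CDN edge signature. Neither says anything about which client is being refused until the same probe is repeated with a valid Host header.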
The CDN Duopoly
Who Controls Iran's Internet?
One of the two companies, ArvanCloud, is sanctioned by the US Treasury for building Iran's censorship infrastructure. Together, these two companies control nearly half of all responsive HTTP services in Iran.
[Chart: HTTP Server header distribution]
ArvanCloud - OFAC Sanctioned
US Treasury designated ArvanCloud on June 2, 2023 for constructing Iran's National Information Network, the censorship backbone.
- Founders Pouya Pirhosseinloo and Farhad Fatemi personally sanctioned
- Dubai shell company created for sanctions evasion
- Controls 38.4% of Iran's HTTP infrastructure (share of responsive HTTP services)
The Polish Connection
Foreign Certificate Authority Dependency
CRITICAL FINDING: Iranian Government Domains on a Polish Certificate Authority
Iran's government relies on a Polish CA (Certum, run by Unizeto, now part of Asseco) to issue certificates for its official domains. If that CA revoked the certificates, or simply declined to renew them, Iranian government services would show security errors to every visitor. Revocation alone is a blunt lever, since browsers check OCSP and CRLs inconsistently; a refusal to renew is certain to bite at the next expiry.
Certificate Issuers by Country
Polish CA certificates: 25
Certificate Health Status
336 certificates analyzed across Iranian infrastructure
ACT III — THE BROKEN LOCKS
Certificate Chaos
92 of 336 certificates (27%) have expired. Every visitor to those hosts sees a browser warning, and nobody is renewing them.
We examined 336 TLS certificates across Iran's internet infrastructure.
What we found tells a story of neglect, foreign dependency, and centralized infrastructure.
73% TLS 1.3
244 of the 336 endpoints (73%) negotiated TLS 1.3, so the infrastructure has largely adopted the current protocol version. (The TLS version is a property of the server's handshake, not of its certificate.)
However, 91 certificates (27%) are self-signed, indicating internal infrastructure without trusted CA validation.
Foreign CA Dependency
45% of certificates come from Let's Encrypt, a US-based certificate authority. Iran's infrastructure depends heavily on foreign certificate authorities for trust.
If certificate authorities were weaponized, significant portions of Iran's web presence could be disrupted: a CA can revoke certificates or decline to renew them, and Let's Encrypt certificates expire after 90 days, so a renewal refusal would take effect within weeks. Because browsers treat OCSP failures as soft-fail, refusal to renew is the more reliable of the two levers.
Certificate Authority Dependency
IRAN'S INFRASTRUCTURE DEPENDS ON FOREIGN CAs
Nearly half of the certificates we observed come from Let's Encrypt, a US-based certificate authority. 91 of the 336 are self-signed, which points to internal or shadow infrastructure rather than public services, while the external-facing services depend heavily on foreign CAs.
[Chart: issuer categories] Let's Encrypt / Google Trust Services; self-signed (internal/shadow infrastructure); the CA used by the Aparat/Filimo CDN; Comodo/Sectigo (enterprise certificates); other certificate authorities.
Domestic Infrastructure
IRAN'S HOMEGROWN SERVICES AND THEIR CERTIFICATE SOURCES
- Aparat: video platform (Iran's YouTube)
- Filimo: streaming platform
- Derak Cloud: CDN provider
- Digikala: e-commerce
The New Routes: Control Infrastructure
987 new prefixes appeared after the shutdown. These aren't recovery: they are reconfiguration of the National Information Network. A prefix that is "new" in a routing snapshot is usually one of two things: a more-specific carved out of space that was already announced (deaggregation, which also shows where an origin AS changed hands), or address space that had never been announced at all. Telling them apart requires comparing each new prefix against the covering prefixes in the pre-shutdown table.
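The route counts in Act I and the 987 new prefixes above both come from comparing two snapshots of the routing table. The following is an added example, not the report's own pipeline, of that comparison: it separates withdrawn prefixes, new prefixes that are more-specifics of previously announced space (and flags those whose origin AS changed), and prefixes covering space that was never announced, and computes the share of IPv4 addresses that lost coverage. The snapshots and ASNs are constructed placeholders; real input would come from RIPE RIS dumps.

```python
import ipaddress
from typing import Dict

# Constructed snapshots, not the report's data: prefix -> origin ASN as a RIPE RIS-style
# dump would give them, before and after the withdrawal. Addresses and ASNs are
# documentation/private values.
BEFORE: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/22": 64501,
    "192.0.2.0/24": 64502,
    "2001:db8::/32": 64500,
}
AFTER: Dict[str, int] = {
    "203.0.113.0/24": 64500,      # unchanged
    "198.51.100.0/24": 64501,     # more-specific of a withdrawn /22, same origin
    "198.51.100.128/25": 64503,   # more-specific of the same /22, different origin AS
    "100.64.0.0/22": 64504,       # space that was never announced before
    "2001:db8::/32": 64500,
}


def _nets(table: Dict[str, int]) -> dict:
    return {ipaddress.ip_network(p, strict=True): asn for p, asn in table.items()}


def _order(n):
    # Deterministic ordering: family, then numeric address, then length.
    return (n.version, int(n.network_address), n.prefixlen)


def compare(before: Dict[str, int], after: Dict[str, int]) -> dict:
    """Classify the difference between two prefix->origin snapshots."""
    b, a = _nets(before), _nets(after)
    result = {"withdrawn": [], "deaggregated": [], "origin_changed": [], "new_space": []}
    for n in sorted(set(b) - set(a), key=_order):
        result["withdrawn"].append(str(n))
    for n in sorted(set(a) - set(b), key=_order):
        covering = [q for q in b if q.version == n.version and n.subnet_of(q)]
        if not covering:
            result["new_space"].append(str(n))
            continue
        parent = max(covering, key=lambda q: q.prefixlen)  # most specific covering prefix
        result["deaggregated"].append({"prefix": str(n), "parent": str(parent),
                                       "origin": a[n], "parent_origin": b[parent]})
        if a[n] != b[parent]:
            result["origin_changed"].append(str(n))
    return result


def withdrawn_address_share(before: Dict[str, int], after: Dict[str, int], version: int = 4) -> float:
    """Fraction of previously announced addresses that no surviving or new prefix covers."""
    b = {n for n in _nets(before) if n.version == version}
    a = [n for n in _nets(after) if n.version == version]
    total = sum(n.num_addresses for n in b)
    lost = 0
    for n in b - set(a):
        if any(n.subnet_of(m) for m in a):
            continue  # re-covered by an aggregate that still exists
        # collapse_addresses merges overlapping more-specifics so they are not double counted
        covered = sum(m.num_addresses
                      for m in ipaddress.collapse_addresses(m for m in a if m.subnet_of(n)))
        lost += n.num_addresses - covered
    return lost / total if total else 0.0
```

On the constructed data the /22 withdrawal looks like a loss of 1,024 addresses by route count, but 256 of them came back as a /24, so the address-space figure is the one to quote; the /25 with a new origin is the kind of entry that marks a reassignment rather than a restoration.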
Exposed High-Risk Services
218 high-risk services are exposed to the internet. These services should never be directly reachable from outside: a listening port found by a SYN scan does not by itself prove the service is unauthenticated, but every entry below is a protocol whose default or common deployment assumes a trusted network. The full list of exposed IPs per service is in the downloadable data.
- Database exposed to internet: potential data breach
- Database exposed to internet: potential data breach
- Database exposed to internet: potential data breach
- Often misconfigured without authentication
- Can expose indexed data without auth
- Default config has no authentication
- Transmits credentials in plaintext
- Common attack target for ransomware
- Credentials transmitted in plaintext
- Often has weak authentication
- Cluster management: potential full system access
THE GATEKEEPER
ArvanCloud Infrastructure Handles 61% of Responsive Services
Of the services that responded in Iranian IP space, 61% sit on ArvanCloud-affiliated infrastructure (185.220.x.x).
Note: this counts responsive services by IP, not market share by traffic volume, which a scan cannot measure. Counting by HTTP Server header instead attributes 47% of responsive web endpoints to ArvanCloud.
ACT III — THE DNS LANDSCAPE
314 DNS Servers
314 hosts answered on port 53.
27 Open Resolvers Detected
These 27 servers answer recursive queries from any source. An open resolver can be abused as a reflector in DNS amplification attacks and, if its operator logs queries, doubles as surveillance infrastructure that records what its users look up. The test is to ask for a name the server is not authoritative for with the recursion-desired bit set: an answer with the recursion-available bit set is an open resolver, while REFUSED means recursion is restricted to its own clients.
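An added example (not the report's scanner) of the open-resolver test just described: it builds a recursion-desired A query, decodes the header flags of the reply, and classifies the server from the RA flag, RCODE and answer count. The three sample replies are constructed, example.com is used as the test name, and probe() is the only network-touching part.

```python
import random
import socket
import struct

FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, txid: int, rd: bool = True) -> bytes:
    """One-question A query; RD set asks the server to recurse on our behalf."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, response: bytes) -> str:
    """Decide what kind of server answered, given the query we sent and its reply."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "invalid (id mismatch or not a response)"
    if r["rcode"] == RCODE_REFUSED:
        return "refused: recursion restricted"
    if r["ra"] and r["rcode"] == 0 and r["ancount"] > 0:
        return "open resolver"
    if r["ra"]:
        return "advertises recursion but returned no answer"
    if r["aa"]:
        return "authoritative-only"
    return "no recursion available"


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the query over UDP/53 and classify the reply (network use only)."""
    txid = random.randrange(1 << 16)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return classify(query, response)


# Constructed replies to a fixed-id query; not captured from any real server.
PROBE_ID = 0x1234
QUERY = build_query("example.com", PROBE_ID)
QUESTION = QUERY[12:]
# One A record: name pointer to offset 12, type A, class IN, TTL 60, 4-byte rdata.
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + bytes([192, 0, 2, 1])
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", PROBE_ID, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0) + QUESTION + _ANSWER
REFUSED_REPLY = struct.pack("!HHHHHH", PROBE_ID, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0) + QUESTION
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", PROBE_ID, FLAG_QR | FLAG_AA | FLAG_RD, 1, 0, 1, 0) + QUESTION
```

Use a name the target cannot be authoritative for, and send from outside the operator's own network; a resolver that is open only to its ISP's customers will look closed from elsewhere, which is exactly the property the count above is measuring.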
ACT IV — THE WEB FINGERPRINT
The 412 Wall
143 responses returned HTTP 412 "Precondition Failed", every one of them from ArvanCloud. The edge rejects any request whose Host header matches no configured domain, which is what a raw-IP probe looks like, so the 412s map the ArvanCloud front ends that sit in front of Iran's filtered web. On their own they do not show that foreign clients are being blocked; establishing that would take the same request, with a valid Host header, sent from inside and outside Iran.
[Chart: response status distribution and server fingerprints]
EPILOGUE — THE EVIDENCE
This Is Your Data
Download it. Analyze it. Share it. The world needs to see what's happening in Iran.
The complete dataset includes the prefix comparison, service scans, DNS enumeration, and HTTP fingerprints.
Data sources: Whisper Security, RIPE RIS, RIPEstat, OONI. Verify claims independently.
DISCLAIMER: This report processes extensive network telemetry data from multiple sources. We actively review and incorporate corrections as feedback is received. If citing these findings, we recommend independent verification or contacting us for support.
All network disruptions and censorship actions documented in this report are preserved with cryptographic timestamps as evidence for future accountability proceedings.
Data collected January 12, 2026 | Scan methodology: TCP SYN on 34 ports
Whisper Security | END OF INFRASTRUCTURE REPORT // JAN 2026