Executive summary – what changed and why it matters
Simultaneous U.S. and Israeli air strikes, near-nationwide internet blackouts, and a compromise of the BadeSaba prayer app created a layered communications crisis in Iran that impeded digital retaliation, deepened civilian vulnerability, and intensified attribution uncertainty.
- Impact: NetBlocks and Cloudflare data reported connectivity plunging to roughly 1% of normal levels for over 48 hours following strikes that began Feb. 28, 2026.
- App Compromise: Security firms noted that the BadeSaba app (reported 5 million+ downloads) was used to push anti-regime messages in Farsi.
- Operational Effect: Early vendor assessments suggest the blackout constrained Iranian state cyber operations while creating a chaotic environment exploited by hacktivist groups.
- Risk: Civilians faced disruptions to emergency communications, healthcare coordination, and independent journalism, raising humanitarian and escalation concerns.
Incident analysis
According to network monitors NetBlocks and Cloudflare, public internet connectivity in Iran dropped to single-digit percentages on Mar. 1 UTC, with NetBlocks recording levels near 1% at the peak of the outage. Analysts observed selective “whitelisting” of certain government-approved services—an approach consistent with prior state blackouts used to suppress dissent.
Concurrently, security researchers reported that the BadeSaba prayer app was manipulated to deliver Farsi notifications urging military surrender and promising amnesty. Regional media outlets and Reuters accounts described defacements of state news websites bearing messages such as “time for reckoning,” attributed by some claimants to coalition cyber operations.
Vendor briefings from CrowdStrike and Unit 42 characterized the environment as fragmented: while Iranian state hackers appeared hindered by the telecom blackout, more than 60 hacktivist and pro-Russian collectives publicly claimed distributed denial-of-service (DDoS) attacks on Gulf banking and transportation targets. Reconnaissance spikes against U.S., Israeli, and GCC infrastructure were reported, although assessments suggest many claims remain unverified.

Civilian consequences and strategic implications
Near-total internet outages disrupted emergency response and healthcare coordination, according to humanitarian observers, underscoring how connectivity suppression can have immediate noncombatant harms. Independent journalism and social reporting were likewise curtailed, creating information vacuums where rumors and propaganda can flourish.
The combination of kinetic strikes and cyber-telecom measures appears to reflect an evolving operational playbook: pairing physical force with digital controls and application-level compromises to constrain adversary responses. This layered approach increases challenges for attribution—state-imposed blackouts carry different legal and moral weight than externally triggered network failures, while app hacks obscure the identity of actors behind propaganda injections.
Technical assessment of disruptions
Evidence indicates the blackout was implemented via national gateway controls and Internet Service Provider (ISP) policies rather than volumetric DDoS campaigns. BGP routing adjustments and selective filtering were reported, aligning with tactics previously documented by NetBlocks. In parallel, asset-level compromises (app notifications and website defacements) suggest a mixed-vector operation spanning both the infrastructure and application layers.
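An added example, not taken from the report or from NetBlocks or Cloudflare tooling: a sketch of how per-network telemetry can separate the two mechanisms named above, BGP route withdrawal versus filtering with routes still announced, and surface allowlisted networks. The thresholds, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds for this illustration; tune against your own baselines.
ROUTES_GONE = 0.20    # under 20% of baseline prefixes still visible in BGP
TRAFFIC_DOWN = 0.10   # under 10% of baseline traffic (single-digit levels)

@dataclass
class Sample:
    network: str          # constructed label, not a real operator or ASN
    share: float          # network's fraction of national baseline traffic
    routed_ratio: float   # prefixes visible in BGP now / baseline
    traffic_ratio: float  # observed traffic now / baseline

def classify(s: Sample) -> str:
    """Label one network by the most likely disruption mechanism."""
    if s.routed_ratio < ROUTES_GONE:
        # Prefixes disappeared from the global table: a routing-level cut.
        return "route-withdrawal"
    if s.traffic_ratio < TRAFFIC_DOWN:
        # Routes are still announced but traffic collapsed: consistent
        # with filtering at a gateway or ISP policy layer.
        return "filtered"
    # Still carrying traffic during a national outage: an allowlisting candidate.
    return "reachable"

def summarize(samples):
    """Return (share-weighted national traffic level, {label: [networks]})."""
    level = sum(s.share * s.traffic_ratio for s in samples)
    groups = {}
    for s in samples:
        groups.setdefault(classify(s), []).append(s.network)
    return level, groups

# Constructed sample data (not measurements from the incident).
SAMPLES = [
    Sample("mobile-op-A", 0.45, 0.95, 0.004),
    Sample("fixed-isp-B", 0.35, 0.10, 0.000),
    Sample("regional-isp-C", 0.18, 0.90, 0.005),
    Sample("gov-allowlisted-D", 0.02, 1.00, 0.300),
]

if __name__ == "__main__":
    level, groups = summarize(SAMPLES)
    print(f"national traffic: {level:.1%} of baseline")
    for label, nets in groups.items():
        print(f"{label}: {', '.join(nets)}")
```

A national level near 1% with most networks still announcing routes points to policy-layer filtering; the small "reachable" set is where to look for allowlisted services.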

Contextual comparisons
Iran has repeatedly used internet shutdowns to quell domestic protests, but the current incident is notable for coinciding with international air strikes and a large-scale mobile app compromise. Past outages tended to be regional or limited to urban centers; this episode’s near-nationwide scope and app-level manipulation represent an escalation in scale and complexity of information-control tactics.
In prior conflicts, blackout durations rarely exceeded 24 hours; the more than 48-hour disruption in this case created sustained barriers to cyber response and civilian communications alike, amplifying both humanitarian pressures and geopolitical opacity.
Emerging uncertainties and observed mitigations
- Attribution gaps: Official Iranian statements on the blackout and app hack remain absent. Early vendor statements and media reports attribute parts of the operation to U.S. and Israeli cyber units, but independent forensic confirmation is limited.
- Claim verification: CrowdStrike and Unit 42 assessments caution that many hacktivist DDoS and defacement claims lack corroborating telemetry, suggesting a potential inflation of impact by non-state actors.
- Observed mitigation: Some international humanitarian and media organizations reportedly activated prepositioned satellite links and alternative mesh networks to maintain limited connectivity for critical reporting and aid coordination.
- Legal and governance implications: Cutting civilian communications raises questions under international humanitarian law regarding protection of noncombatants and critical services; attribution uncertainty may hinder proportional responses or incentivize miscalculations.



