LONDON, UNITED KINGDOM – Whisper, a predictive cybersecurity company, has published a detailed forensic analysis of the recent Iranian internet blackout. The report documents a highly coordinated and centrally commanded event that effectively removed a nation of 90+ million people from the global internet.
The analysis, titled “The Blackout,” provides compelling evidence that the multi-day outage was not a simple disconnection, but a deliberate, protocol-level reconfiguration of Iran’s digital infrastructure.
The “Scream” of the Network
Whisper’s analysis recorded over 5.6 million BGP routing updates in a single 24-hour period — a 368% spike from the baseline. This anomaly, described as a digital “scream,” preceded a synchronized failure where every major network in Iran — including mobile carriers and fixed-line ISPs — went dark simultaneously. This coordination points to a centralized command executing a pre-planned protocol, a finding supported by a joint statement from over 30 internet architects and leaders, including ICANN founding chair Esther Dyson and renowned cryptographer Bruce Schneier.
A “Protocol Purge” and Network Rewiring
The investigation uncovered a deliberate “protocol purge.” National authorities systematically eliminated IPv6, the modern internet protocol, causing a near-total cessation of IPv6 traffic. In contrast, the legacy IPv4 protocol was degraded by approximately 49%. This suggests a strategic decision to revert to an older, more easily controlled infrastructure layer during the crisis.
Whisper’s report concludes that the event was a stress-test for a “Digital Airlock” strategy — a new paradigm where the national network is rewired for selective control rather than total isolation. This is evidenced by the appearance of 987 new network routes during the blackout, indicating that the National Information Network was being actively re-architected in real-time to centralize traffic flow.
A Windfall for Cybersecurity Intelligence
While the shutdown represents a severe restriction on connectivity, it created a unique opportunity for cybersecurity intelligence. With the “noise” of millions of residential users silenced, any remaining traffic originated from state-sanctioned sources.
“For a CISO, the calculus is simple: Civilian traffic is effectively zero. If a global platform detects traffic from Tehran during this blackout, it is not a typical user browsing the web,” said Kaveh Ranjbar, CEO of Whisper in his recent interview. “Given the combination of international sanctions and the domestic blackout, any outbound connection is utilizing privileged, state-sanctioned infrastructure. If a server is allowed to speak to the outside world while 90 million citizens are silenced, that server is, by definition, an asset of the state. In a zero-trust environment, that makes it a high-confidence Indicator of Compromise (IoC).”
This unprecedented visibility allows security teams to fingerprint the specific infrastructure used by state actors, who are forced to operate through the few remaining whitelisted channels during a lockdown.
“The internet is a global commons, not a state tool,” stated Ranjbar. “Connectivity is essential for modern society; we must reject the weaponization of infrastructure as a normalized tool of governance.”
About Whisper
Founded in January 2025, Whisper is shifting cybersecurity from reactive to predictive. As AI-driven and multi-vector attacks accelerate, Whisper helps organizations anticipate threats before damage occurs. With a mission to stop cybercrime, Whisper is building a new generation of predictive cybersecurity solutions at scale.For more information, visit https://whisper.security/
