How does digital space interact with political and military dynamics in wars?

Digital blackout: How the Israeli attack triggered Iranian internet collapse

Published Wednesday, June 25, 2025 - 17:25

On June 13, 2025, war erupted between Iran and Israel—and soon spilled into cyberspace. As military strikes and cyberattacks escalated, Iran experienced a rapid breakdown in internet infrastructure, peaking in the third week of June. What emerged was a near-total digital shutdown, seemingly orchestrated by the state as both a defense mechanism and crisis response.

This report draws on open-source data from two global internet monitoring platforms: the Internet Outage Detection and Analysis (IODA) project from the University of Georgia, and Cloudflare Radar.

IODA analyzes disruptions using external signals such as IP connectivity and active probing, making it highly credible in repressive environments. Cloudflare Radar, meanwhile, offers real-time traffic analytics, protocol usage, bot vs. human activity, and device-based trends, and is trusted worldwide for tracking digital shifts at scale.

The analysis covers June 1–21, 2025, contrasting prewar connectivity with the collapse that followed. What began as a technical snapshot of digital access quickly evolved into a portrait of life under siege. As conventional and cyberwarfare intensified, the state of Iran’s internet—and civilian life—changed dramatically.

The beginning of the shutdown

Internet connectivity in Iran from June 1 to June 21

IODA’s charts show that early June began with relatively stable access—marked by routine nighttime dips. Google's connectivity oscillated between 30% and 80%, a standard day-night pattern rather than evidence of censorship.

At the same time, the number of connected devices started declining gradually, reflecting either users losing access altogether or choosing to avoid the network due to its sluggish speed or fears of surveillance.

However, after the Israeli strikes began on June 13, all three indicators—Google, IP, and probing—fell sharply, accompanied by increasingly frequent outages and a clear decline in network activity.

This points to the government's readiness to restrict connectivity as a defensive measure—whether to block websites or services, prevent user data leakage, or protect critical cyber infrastructure from attacks.

By June 18–19, Iran’s internet had nearly collapsed. IODA’s purple, orange, and blue indicators—reflecting Google activity, IP address counts, and probing data—dropped close to zero.

Only the Border Gateway Protocol (BGP) signal remained unchanged, meaning the Iranian network was still technically "visible" to the global internet but functionally unreachable for users within the country. This marked what’s known as a full digital blackout: total domestic disconnection without cutting off international routes.
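
The signal pattern described above, as an added example (not part of the original report and not IODA's own code): it normalizes each day's signals to a prewar baseline and separates a blackout with routes still announced from a routing withdrawal. The daily values, signal names, and the 0.15/0.85 thresholds are constructed assumptions, not real measurements.

```python
from statistics import median

# Constructed daily signal values, NOT real IODA data. Units are arbitrary:
# bgp = visible routed prefixes, probing = responsive probe targets,
# google = relative request volume to Google services.
SAMPLE = {
    "06-09": {"bgp": 1000, "probing": 820, "google": 61},
    "06-10": {"bgp": 1002, "probing": 800, "google": 58},
    "06-11": {"bgp": 998,  "probing": 810, "google": 60},
    "06-12": {"bgp": 1001, "probing": 805, "google": 59},
    "06-14": {"bgp": 1000, "probing": 520, "google": 35},
    "06-17": {"bgp": 997,  "probing": 300, "google": 14},
    "06-18": {"bgp": 999,  "probing": 40,  "google": 2},
    "06-19": {"bgp": 1000, "probing": 25,  "google": 1},
    "06-21": {"bgp": 1001, "probing": 310, "google": 20},
}
BASELINE_DAYS = ["06-09", "06-10", "06-11", "06-12"]  # prewar window


def baseline(series, days):
    """Median of each signal over the baseline days (robust to one odd day)."""
    signals = series[days[0]].keys()
    return {s: median(series[d][s] for d in days) for s in signals}


def classify(values, base, floor=0.15, healthy=0.85):
    """Label one day from its signals relative to the baseline.

    floor and healthy are assumed thresholds chosen for this example.
    """
    ratio = {s: values[s] / base[s] for s in base}
    data_plane = (ratio["probing"], ratio["google"])
    if ratio["bgp"] < floor:
        # Prefixes disappeared from global routing tables.
        return "routes withdrawn"
    if ratio["bgp"] >= healthy and all(r < floor for r in data_plane):
        # Network is still "visible" but nothing inside answers or browses.
        return "blackout, routes still announced"
    if any(r < healthy for r in ratio.values()):
        return "degraded"
    return "normal"


def timeline(series, days=BASELINE_DAYS):
    base = baseline(series, days)
    return {day: classify(vals, base) for day, vals in sorted(series.items())}


if __name__ == "__main__":
    for day, state in timeline(SAMPLE).items():
        print(day, state)
```
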

On June 20–21, a cautious recovery began. Google services partially resumed, and the number of connected devices began to rise. External monitoring tools started detecting signals from Iranian networks that had gone dark. But this recovery was partial and likely state-controlled—indicating selective, closely monitored access rather than a full return to normal connectivity.

Cloudflare Radar confirms the shutdown via traffic volume. Data flows dropped sharply after June 13, plunged further by June 16, and hit chaos on June 17–18, dates that correspond to the height of military escalation and digital suppression. Intermittent outages gave way to near-total blackout on June 19.

Regional collapse mapped 

Regional outages in Iran between June 12 and 21, 2025

The interactive map from IODA shows where and how badly the internet went down across Iran during the blackout. It uses what is called the Outage Severity Score to estimate how many networks were affected and how much internet activity dropped.

Instead of counting individual users, it looks at internet connections across regions—giving a quick picture of which parts of the country were hit the hardest.

The map reveals the most affected areas were in central and southern Iran—Tehran, Isfahan, Shiraz, Ahvaz, Kerman, Kermanshah, Yazd, and Qom—regions that serve as economic centers and host government institutions, research hubs, and critical digital infrastructure.

Eastern and northeastern provinces—such as Mashhad, Zahedan, and Birjand—saw less disruption, possibly because they rely less on internet services or were not prioritized for either cyberattacks or government-imposed restrictions.

Tehran recorded the highest severity level, likely reflecting not only its dense network footprint but also deliberate state action to cut access—whether to prevent information leaks or in response to direct cyber threats. The intensity of the outage might reflect actual damage or simply the size and sensitivity of the capital's network infrastructure.

The fall of mobile internet

The digital collapse reached deep into Iranians’ daily lives—most notably in mobile internet access.

According to Cloudflare Radar data comparing mobile and desktop usage, mobile devices nearly vanished from Iran’s digital landscape during the third week of June.

Mobile vs. desktop internet usage in Iran

Usage dropped to just 7.8%, revealing a severe disruption that hadn’t existed before the war. This suggests that mobile networks were either deliberately disabled or severely restricted. It’s unclear whether the cause was technical damage or direct government orders.

This disappearance coincided with intensified cyber and military attacks on Tehran after June 13, reinforcing the likelihood that Iranian authorities intentionally limited open access to minimize digital risk. Officials also launched campaigns urging citizens to delete apps like WhatsApp and Instagram, citing concerns over surveillance.

Despite the near-total blackout, desktop internet usage remained strikingly high—likely due to servers, bots, and institutional devices. This suggests that while the public was largely cut off, the network was still active for government, corporate, or surveillance purposes through tightly controlled channels.

Bots dominate, humans vanish

As the war escalated, Iran’s internet underwent a drastic shift: human users disappeared while automated bots took over the digital space.

Bot activity vs. human activity on the internet in Iran

By mid-June, bot traffic accounted for 81.1% of all internet activity, with real user activity dropping to just 18.9%.

Earlier in the month, human activity had hovered between 20–25%, but those numbers collapsed after June 13. By June 17, bots made up over 90% of traffic. In the days that followed, signs of real human presence dropped to less than 1%—nearly zero.

Between June 18 and 20, at the peak of the military conflict and the digital blackout, Iran’s internet was essentially a closed loop of machine activity. Servers were still exchanging data, but human users had vanished.

On June 21, with a partial reconnection, a small percentage of real users returned—yet bots continued to dominate.

This extreme rise in bot traffic points to several possibilities: that Iranian authorities blocked most human access while keeping automated systems and institutional networks online; that the internet was functioning only in the background for technical operations; or that many bots were operated externally by third parties—ranging from monitoring tools and intelligence services to offensive cyber actors.

Notably, the graph reveals a sharp contrast: while bot traffic remained steady and high, human traffic plummeted suddenly between June 17 and 20. Even by June 21, real user activity had only recovered to about 15%, suggesting that access was still highly restricted and likely limited to specific groups.

The data also shows a spike in bot traffic on June 18–19—not necessarily because bot activity surged, but rather because human presence had nearly vanished.

Application-layer attacks escalate

The chart shows fluctuations in the volume of cyberattacks targeting the application layer in Iran.

Changes in the volume of application-layer attacks in Iran

This term refers to attacks that hit the front-end of digital services and websites—attempts to crash them, flood them with fake requests, or exploit software vulnerabilities—rather than attacking broader internet infrastructure.

Starting on June 13, these attacks began to rise steadily and clearly through June 17, suggesting the involvement of new players in the digital conflict. The escalation may have come from politically motivated or state-backed hacker groups, operating either from within Iran or abroad.

On June 17 and 18, the attacks peaked. The graph reflects a pattern of sharp surges followed by brief pauses, likely indicating rapid, repeated attack attempts that were either blocked by defense systems or redirected to other targets.

Then, unexpectedly, attack activity nearly vanished on June 19 and 20. This could be due to the near-total internet blackout inside Iran, which reduced the ability to detect attacks—or it may indicate that authorities successfully closed off previously exploited vulnerabilities. Another possibility is that attackers shifted focus to new targets elsewhere.

By June 21, attack traffic began to reappear, though at a lower intensity, suggesting that Iran’s digital environment was beginning to recover—but remained under threat.

Where Iranian attacks struck

This map from Cloudflare Radar identifies the geographic destinations of outbound cyberattacks launched from Iran, specifically targeting the application layer—the interface of websites and digital services.

Top attack targets from Iran

The US was the top target, absorbing 42% of the attacks. This significant share likely points to an organized Iranian attempt to disrupt platforms viewed as strategically important to the US, including government, media, and technology infrastructure.

This data underscores the ongoing digital confrontation between Tehran and Washington, a consistent component of their hostile relationship.

France came in second with 11%, possibly because it hosts servers, service providers, or politically sensitive platforms. Turkey accounted for 8.1% and the Netherlands for 3.8%, all reflecting a wide range of European targets that may have been selected for their role in supporting digital infrastructure or for hosting services used by Iranian opposition groups.

It’s also possible these countries ranked high due to the presence of Cloudflare servers or internet exchange points.

Other nations on the list included Egypt (3.3%), Thailand (2.8%), Australia (2.3%), China (2.2%), Indonesia (1.8%), and Ukraine (1.4%). This shows the scope of the attacks extended beyond the immediate conflict. It likely indicates vulnerabilities in hosted systems or services accessed by Iranian users, rather than deliberate political targeting. Some of these regions may have been used as digital relays to disguise the attacks’ true origin.

Where attacks on Iran originated

Top attack sources to Iran

This map from Cloudflare Radar highlights inbound cyber activity targeting Iran’s application layer, tracing most of it to IP addresses located in France at 92%, and Ireland at 8.3%.

This concentration is likely due more to the density of cloud and hosting infrastructure in those countries than to direct geopolitical intent.

The findings raise important questions about who leases and operates this infrastructure, how it gets used in offensive cyber operations, and what technical or political motives drive attacks on Iranian networks.

In the case of France, the activity likely stems from its extensive hosting infrastructure, which is frequently used by a range of actors—hacker groups, non-state entities, or even foreign operatives renting servers—without implying direct French involvement.

The country’s robust cloud backbone often makes it appear as the origin of attacks in data logs, even if the true source lies elsewhere.

Ireland’s position as the second-highest source is also attributed to its large number of global data centers and commercial cloud services. These are routinely rented by third parties, who may conduct operations from inside or outside the country.

As such, Ireland’s appearance in the logs likely reflects the exploitation of commercially available cloud services, rather than involvement of Irish governmental or security agencies.

The digital front widens

The data shows that what unfolded in Iran was far more than a temporary internet disruption. It was a defining moment in the region’s digital history, where military and security concerns intersected with digital governance in a time of open conflict with Israel.

This report is also an attempt to understand how digital space responds to political and military pressures in moments of crisis, and how networks are managed as part of national security strategy. Globally, it raises the urgent question: how can we balance security imperatives with fundamental digital rights in an era when the internet is no longer just a communication tool—but a contested battlefield?