Editor’s Note: Ameneh Dehshiri has written previously for Stimson about how U.S. sanctions make it difficult for Iran to press claims in contract disputes with foreign companies.
By Barbara Slavin, Distinguished Fellow, Middle East Perspectives
Internet filtering and the widespread use of Virtual Private Networks (VPNs) have become one of Iran’s most significant challenges, especially since the administration of the late President Ebrahim Raisi, when these practices expanded and grew more complex.
With the inauguration of a new government following the July 2024 election of President Masoud Pezeshkian, one of the most pressing questions among the public is whether the administration has both the will and the ability to end the nation’s reliance on VPNs.
In the realm of global digital connectivity, Iran represents a unique case study in which government controls intersect with international sanctions, creating a complex digital landscape. The Iranian government’s heavy-handed approach to internet censorship, coupled with U.S sanctions, has forced millions of Iranians to rely on VPNs, many of them government-owned, as their primary gateway to the global internet. VPNs are not always safe and have turned the entire country into a digital minefield in which connecting to the world feels and can be perilous. Free and insecure VPNs can transform from lifelines into digital Trojan horses, leaving Iranians defenseless against hackers, data leaks, and child exploitation.
The urgency of Iran’s cybersecurity concerns was starkly demonstrated by an August 2024 cyberattack, described as the worst in the country’s history. A Politico report published on September 4, 2024, revealed that the breach targeted up to 20 local banks. The hackers extorted $3 million from the government to prevent the release of sensitive account data. Â
The widespread reliance on VPNs has become a national challenge, with experts warning that it poses significant risks. These concerns were highlighted during the Iranian presidential election debates in July 2024. However, what has often been overlooked is the impact of international sanctions, which have exacerbated Iran’s cybersecurity vulnerabilities.
At the heart of Iran’s digital control is the National Information Network (NIN). NIN functions as a digital cage, in which the government controls and filters the internet to keep its citizens within a controlled information bubble. This is reminiscent of the world created by the parents in Yorgos Lanthimos’ 2009 film, “Dogtooth,” where the parents construct a false reality to control their children.
The NIN is designed to offer various domestic services such as e-government, banking, and education while filtering and blocking international content deemed undesirable by the regime. This system forces Iranians to rely on VPNs to bypass government filters and access the broader internet.
Free and insecure VPNs, often the only option, can expose users to espionage, cyber-attacks, and data breaches. The Iranian government’s continuous crackdown on VPNs—by filtering and blocking VPN traffic—further complicates access, making the online experience both precarious and unpredictable. This situation is reminiscent of a digital cat-and-mouse game, where citizens must constantly switch between VPNs to maintain connectivity.
The VPN Mafia
Beneath the surface of this digital struggle lies a thriving black market. The Iranian government’s persistent filtering efforts have inadvertently created a lucrative business for VPN providers, who operate in a legal gray area. In April 2022, a member of parliament claimed that the annual turnover for anti-filtering tool merchants exceeds 50 trillion tomans(about $1 billion), yet these profits go untaxed and unregulated. Critics argue that those pushing for more stringent internet restrictions are often the same individuals who profit from the sale of VPNs, creating a perverse incentive structure that perpetuates the cycle of censorship and circumvention.
According to a report by the Sharif Governance and Policy Think Tank in 2024, approximately 83 percent of Iranian internet users rely on VPNs, with around 30 percent paying for these services. This scenario highlights a stark digital divide in the country, where only those who can afford it can reliably access uncensored information, further entrenching inequalities in Iranian society.
Most worrisome is the impact on children. Their online activities, such as playing games or watching cartoons on YouTube, require a VPN, exposing them to significant risks. A July 2024 report in Farhikhtegan revealed that predators are exploiting the anonymity provided by VPNs to target children, luring them into dangerous situations through filtered platforms like Telegram. Insecure free VPNs serve as a content supply source for pedophile groups. Group administrators exploit children’s and teenagers’ interest in games, forcibly adding them to groups when they use free VPNs, offering free gems, coins, and in-game items in exchange for compromising images.
The inability of law enforcement to trace these activities due to the widespread use of VPNs further exacerbates the problem.
At the same time, the reliance on VPNs poses a significant threat to government and corporate networks. Even before the latest cyber hack, there have been numerous incidents of personal data being leaked or sold online. For example, the 2023 hack of the internet taxi company TAPSI exposed the information of six million drivers and 27 million passengers, and an early 2024 breach by a group that called itself “Ali’s Justice,” accessed Tehran court documents and released information from three million legal cases.
Sina, a cybersecurity expert from Tehran, who spoke on condition that his last name be withheld, explained that if an employee’s device connected to a company’s system or the public sector gets hacked through an infected VPN, hackers can gain access to organizational information. It only takes one compromised computer in a large internet business for hackers to access the private data of millions of Iranians, potentially causing a security disaster.
Experts believe that many devices in Iran have been infected with malware through these VPNs, turning them into zombie bots that can be used in Distributed Denial of Service (DDoS) attacks.
U.S. sanctions have exacerbated the crisis. These sanctions, especially those targeting technology and finance, have significantly restricted Iranians’ access to safe, paid international VPNs and advanced cybersecurity tools.
Sometimes the digital isolation works in Iran’s favor. When on July 18, 2024, a global computer outage occurred following a software update for Microsoft Windows devices from CrowdStrike, much of the world was impacted, while everything in Tehran remained normal. At the same time, sanctions prevent access to advanced technologies like CrowdStrike’s antivirus products.
The U.S. Treasury’s Office of Foreign Assets Control issued licenses in 2014 and 2022, permitting the export of basic, default antivirus software to Iran. These licenses cover simple, free options like Microsoft Windows Defender, which lack the advanced features necessary for robust business data protection.
Advanced systems like Endpoint Detection and Response (EDR) solutions—which detect and contain security incidents, investigate threats, and provide remediation guidance—are not covered by these licenses. Moreover, financial and banking sanctions have discouraged even non-American international software companies from engaging with Iran, as they seek to avoid U.S. penalties.
Iran’s VPN landscape is a complex tapestry of control, resistance, and survival where digital walls are built and breached daily. Iran’s VPN epidemic is more than just a digital inconvenience. It’s a symptom of broader socio-political and economic issues, reflecting the complex interplay between government control, international sanctions, and the relentless human desire for connectivity and freedom. The VPN has become both a shield and a parasite, providing essential access while exposing users to significant risks, encapsulating the paradox of living in a tightly controlled yet globally connected digital age. The very tools that grant access to the free world also expose users to new risks.
Ameneh Dehshiri is an Iranian lawyer and scholar based in London, specializing in digital rights and international law. She has written extensively on internet governance, cyber law, and policy. Ameneh holds a PhD in Politics, Human Rights, and Sustainability from the Sant’Anna School of Advanced Study in Italy.Â
The VPN Epidemic in Iran: A Digital Plague Amid Global Isolation
By Ameneh Dehshiri
Middle East & North Africa
Editor’s Note: Ameneh Dehshiri has written previously for Stimson about how U.S. sanctions make it difficult for Iran to press claims in contract disputes with foreign companies.
By Barbara Slavin, Distinguished Fellow, Middle East Perspectives
Internet filtering and the widespread use of Virtual Private Networks (VPNs) have become one of Iran’s most significant challenges, especially since the administration of the late President Ebrahim Raisi, when these practices expanded and grew more complex.
With the inauguration of a new government following the July 2024 election of President Masoud Pezeshkian, one of the most pressing questions among the public is whether the administration has both the will and the ability to end the nation’s reliance on VPNs.
In the realm of global digital connectivity, Iran represents a unique case study in which government controls intersect with international sanctions, creating a complex digital landscape. The Iranian government’s heavy-handed approach to internet censorship, coupled with U.S sanctions, has forced millions of Iranians to rely on VPNs, many of them government-owned, as their primary gateway to the global internet. VPNs are not always safe and have turned the entire country into a digital minefield in which connecting to the world feels and can be perilous. Free and insecure VPNs can transform from lifelines into digital Trojan horses, leaving Iranians defenseless against hackers, data leaks, and child exploitation.
The urgency of Iran’s cybersecurity concerns was starkly demonstrated by an August 2024 cyberattack, described as the worst in the country’s history. A Politico report published on September 4, 2024, revealed that the breach targeted up to 20 local banks. The hackers extorted $3 million from the government to prevent the release of sensitive account data. Â
The widespread reliance on VPNs has become a national challenge, with experts warning that it poses significant risks. These concerns were highlighted during the Iranian presidential election debates in July 2024. However, what has often been overlooked is the impact of international sanctions, which have exacerbated Iran’s cybersecurity vulnerabilities.
At the heart of Iran’s digital control is the National Information Network (NIN). NIN functions as a digital cage, in which the government controls and filters the internet to keep its citizens within a controlled information bubble. This is reminiscent of the world created by the parents in Yorgos Lanthimos’ 2009 film, “Dogtooth,” where the parents construct a false reality to control their children.
The NIN is designed to offer various domestic services such as e-government, banking, and education while filtering and blocking international content deemed undesirable by the regime. This system forces Iranians to rely on VPNs to bypass government filters and access the broader internet.
Free and insecure VPNs, often the only option, can expose users to espionage, cyber-attacks, and data breaches. The Iranian government’s continuous crackdown on VPNs—by filtering and blocking VPN traffic—further complicates access, making the online experience both precarious and unpredictable. This situation is reminiscent of a digital cat-and-mouse game, where citizens must constantly switch between VPNs to maintain connectivity.
The VPN Mafia
Beneath the surface of this digital struggle lies a thriving black market. The Iranian government’s persistent filtering efforts have inadvertently created a lucrative business for VPN providers, who operate in a legal gray area. In April 2022, a member of parliament claimed that the annual turnover for anti-filtering tool merchants exceeds 50 trillion tomans(about $1 billion), yet these profits go untaxed and unregulated. Critics argue that those pushing for more stringent internet restrictions are often the same individuals who profit from the sale of VPNs, creating a perverse incentive structure that perpetuates the cycle of censorship and circumvention.
According to a report by the Sharif Governance and Policy Think Tank in 2024, approximately 83 percent of Iranian internet users rely on VPNs, with around 30 percent paying for these services. This scenario highlights a stark digital divide in the country, where only those who can afford it can reliably access uncensored information, further entrenching inequalities in Iranian society.
Most worrisome is the impact on children. Their online activities, such as playing games or watching cartoons on YouTube, require a VPN, exposing them to significant risks. A July 2024 report in Farhikhtegan revealed that predators are exploiting the anonymity provided by VPNs to target children, luring them into dangerous situations through filtered platforms like Telegram. Insecure free VPNs serve as a content supply source for pedophile groups. Group administrators exploit children’s and teenagers’ interest in games, forcibly adding them to groups when they use free VPNs, offering free gems, coins, and in-game items in exchange for compromising images.
The inability of law enforcement to trace these activities due to the widespread use of VPNs further exacerbates the problem.
At the same time, the reliance on VPNs poses a significant threat to government and corporate networks. Even before the latest cyber hack, there have been numerous incidents of personal data being leaked or sold online. For example, the 2023 hack of the internet taxi company TAPSI exposed the information of six million drivers and 27 million passengers, and an early 2024 breach by a group that called itself “Ali’s Justice,” accessed Tehran court documents and released information from three million legal cases.
Sina, a cybersecurity expert from Tehran, who spoke on condition that his last name be withheld, explained that if an employee’s device connected to a company’s system or the public sector gets hacked through an infected VPN, hackers can gain access to organizational information. It only takes one compromised computer in a large internet business for hackers to access the private data of millions of Iranians, potentially causing a security disaster.
Experts believe that many devices in Iran have been infected with malware through these VPNs, turning them into zombie bots that can be used in Distributed Denial of Service (DDoS) attacks.
U.S. sanctions have exacerbated the crisis. These sanctions, especially those targeting technology and finance, have significantly restricted Iranians’ access to safe, paid international VPNs and advanced cybersecurity tools.
Sometimes the digital isolation works in Iran’s favor. When on July 18, 2024, a global computer outage occurred following a software update for Microsoft Windows devices from CrowdStrike, much of the world was impacted, while everything in Tehran remained normal. At the same time, sanctions prevent access to advanced technologies like CrowdStrike’s antivirus products.
The U.S. Treasury’s Office of Foreign Assets Control issued licenses in 2014 and 2022, permitting the export of basic, default antivirus software to Iran. These licenses cover simple, free options like Microsoft Windows Defender, which lack the advanced features necessary for robust business data protection.
Advanced systems like Endpoint Detection and Response (EDR) solutions—which detect and contain security incidents, investigate threats, and provide remediation guidance—are not covered by these licenses. Moreover, financial and banking sanctions have discouraged even non-American international software companies from engaging with Iran, as they seek to avoid U.S. penalties.
Iran’s VPN landscape is a complex tapestry of control, resistance, and survival where digital walls are built and breached daily. Iran’s VPN epidemic is more than just a digital inconvenience. It’s a symptom of broader socio-political and economic issues, reflecting the complex interplay between government control, international sanctions, and the relentless human desire for connectivity and freedom. The VPN has become both a shield and a parasite, providing essential access while exposing users to significant risks, encapsulating the paradox of living in a tightly controlled yet globally connected digital age. The very tools that grant access to the free world also expose users to new risks.
Ameneh Dehshiri is an Iranian lawyer and scholar based in London, specializing in digital rights and international law. She has written extensively on internet governance, cyber law, and policy. Ameneh holds a PhD in Politics, Human Rights, and Sustainability from the Sant’Anna School of Advanced Study in Italy.Â
Recent & Related