Intelligence on Iran's digital operations. Cyber, influence, sanctions evasion, network infrastructure. Washington, D.C.

Joined April 2019
Azerbaijan is officially one of the world's top ChatGPT users. Except it isn't. Iran is. The two governments signed an agreement, and now a significant portion of the world's internet infrastructure believes Iranians are Azerbaijani. digimpactlab.substack.com/p/…
A Let's Encrypt v1.7 subscriber clause circulated with claims ranging from confused to factually wrong. The legal framework is precise. So is our record of how Iranian state actors use the same service. open.substack.com/pub/digimp…
In 2019, a credential-harvesting campaign hit more than 380 universities across 30 countries using spoofed library login pages. The majority carried Let's Encrypt certificates. The same pattern appears in Iranian pre-operational staging infrastructure documented in 2025.
The v1.7 warranty treated civilian and state uses as legally equivalent. The licensing framework does not. A corrected subscriber agreement shows where that line falls. Our record at @certfalab shows what crosses it. open.substack.com/pub/digimp…

In at least four published reports, OpenAI documented IRGC-linked actors, including CyberAv3ngers, tied to attacks on US water infrastructure, using ChatGPT despite Iran being a blocked country. The routing architecture documented here is how they got through without a VPN.
We traced the infrastructure, analyzed the BGP routing data, mapped the timeline to the TIC-Delta Telecom agreement, and connected it to OpenAI's own threat intelligence reports. Full report below: digimpactlab.substack.com/p/…

When Iran's internet came back on May 26, Cloudflare's data showed something unexpected: Iranian users were appearing to the global internet as Azerbaijani. Not a glitch. Not a VPN. Infrastructure. digimpactlab.substack.com/p/…
This isn't improvised. Iran's state backbone operator (TIC) signed a formal strategic agreement with Delta Telecom CEO Ramazan Valiyev in April 2025. The routing is consistent across ISPs because it happens at the backbone level.
The Cloudflare Radar spike is timestamped to May 26, the exact day Iran's internet was partially restored. It doesn't look like infrastructure assembled after the restoration. It looks like infrastructure waiting to be switched on. Full analysis: digimpactlab.substack.com/p/…

Iran’s internet is back. Sort of. After 88 days of near-total blackout, Cloudflare Radar confirmed traffic restored to 40% of pre-shutdown levels on May 26, with 91.6% of that concentrated in Tehran. Provinces outside the capital remain near blackout conditions. A thread.
Data centers tell the same story. An operator who tested Pishgaman, Afranet, and Sefroyek the day after restoration: “Most data centers still have no connectivity… Our servers still have no ping to foreign servers.” Infrastructure for circumvention remains under pressure by design.
The government did not liberalize. It abandoned a monetization scheme (Internet Pro) that failed to achieve public adoption, restored the filternet that existed before January 8, and claimed credit for the restoration. The laws and infrastructure that made 88 days possible are unchanged. Full analysis: digimpactlab.substack.com/p/…
