Despite difficult economic and geopolitical conditions, the Islamic Republic of Iran (hereafter, Iran) is implementing its digital development strategy and strengthening technological sovereignty. The country aims to become a technological leader in the Middle East. This includes the digitalization of financial assets, healthcare, and manufacturing, as well as the development of a wide range of digital services, software solutions, and platforms. This expansion increases the attack surface, making Iran's digital infrastructure more attractive to cybercriminals whose goals may range from financial gain to the disruption of key facilities across sectors.
This study analyzes Iran's current digital profile, with emphasis on changes from H2 2024 through H1 2025. It also examines the country's cyberthreat environment, with particular attention to the period of heightened geopolitical tension in June 2025.
Key research objectives:
Analyze Iran's digital environment for H2 2024–H1 2025, identifying key areas of development.
Map the country's cybersecurity threat environment for the same period, based on open-source data, dark web forums, and Telegram channels.
Examine how the period of heightened geopolitical tensions was reflected in cyberspace.
Identify cyberthreat trends characteristic of the state and outline their likely evolution.
Propose recommendations to improve the country's cybersecurity posture.
To describe Iran's threat environment, data from open sources was combined with information obtained from the six most popular dark web forums, more than 300 Telegram channels, and platforms that aggregate data on website defacements and ransomware attacks. The selection included the largest multilingual dark web sites covering various topics. The study covered the period from July 1, 2024, to June 30, 2025.
The following categories were analyzed:
Database: leaks containing personal data, user credentials, or confidential corporate documents.
Access: credentials enabling unauthorized access to devices or services in a company's infrastructure.
Vulnerability: publicly disclosed vulnerabilities and exploits.
Ransomware: posts by hacker groups about successful ransomware attacks.
DDoS: posts by hacker groups about successful DDoS attacks.
Defacement: announcements of successful attacks that altered website homepages.
A comprehensive analysis of public data and dark web data enables us to draw conclusions about current cybersecurity issues, as well as emerging and observed trends in cyberthreats. Examining the country's cybersecurity posture and digital development allows us to assess their influence on each other and to evaluate the nature of future threats and the feasibility of countermeasures.
The data and findings presented in this report are based on Positive Technologies own expertise and analysis of publicly available resources, including government and international publications, research papers, and industry reports.
We assume that most cyberattacks are not made public due to reputational risks. As a result, even companies specializing in incident investigation and the analysis of hacker group activity cannot quantify the precise number of threats. This research aims to draw the attention of organizations and individuals concerned with information security to the key motives and methods of cyberattacks and to highlight major trends in the evolving cyberthreat environment.
This report treats each mass attack (for example, a phishing email sent to multiple recipients) as one incident rather than several. For explanations of terms used in this report, see the Positive Technologies glossary.
Our incident database is updated regularly. Some incidents may become public well after the actual time of the attack, so the data in this study are current as of the publication date.























