Sometime in January 2026, viewers watching provincial Iranian television saw their screens cut away from regular programming. For approximately ten minutes, a feed carrying a speech by exiled Crown Prince Reza Pahlavi replaced state broadcasting. Messages in Farsi urged citizens to "continue demonstrating." Footage from the 2022 women-led protests filled the screen. Then, as abruptly as it began, the intrusion ended. Iranian officials attributed the disruption to "satellite interference." They blamed the "Zionist enemy." They told viewers that any unauthorized messages were cyberattacks designed to incite unrest. What they did not say — because they could not — was that the breach of the Badr satellite feed was not an isolated incident. It was a rehearsal.

By February 28, 2026, the rehearsal was over. The synchronized campaign that accompanied Operation Epic Fury and Operation Roaring Lion — the joint U.S.-Israeli strikes that killed Supreme Leader Ali Khamenei — included what cybersecurity analysts described as the largest coordinated cyberattack against a single nation-state in recorded history. Iranian critical infrastructure, banking systems, military communications, government websites, and state media were struck simultaneously, in coordination with kinetic strikes, designed to blind the Islamic Revolutionary Guard Corps before it could respond. The information domain and the physical domain had become a single battlefield.

The Architecture of Digital Decapitation

The cyber campaign was not improvised. Its sequencing reveals a deliberate operational logic. Prior to the physical airstrikes, Israeli cyber operations targeted Iranian radar systems and military communications networks — the precise systems that would otherwise have tracked incoming aircraft and coordinated air defense responses. The Israeli Air Force flew its strike packages against approximately five hundred targets across eighteen provinces into an electronically degraded environment. Iranian air defense operators were, in significant measure, working blind. Western intelligence sources confirmed that the damage to Iranian communications infrastructure was a calculated effort to prevent the IRGC from coordinating counterattacks or directing drone and missile units during the critical opening hours of the campaign.

Simultaneously, the financial infrastructure of the Islamic Republic was struck. The Israel-linked group Predatory Sparrow — Gonjeshke Darande in Persian — which has a documented history of targeting Iranian industrial and financial systems dating to at least 2021, claimed responsibility for operations that wiped data from major Iranian financial institutions including Sepah Bank. A separate group, Tapandegan, was linked to the breach of Bank Mellat. Cryptocurrency exchanges were disrupted. The Iranian government's own cyber command, recognizing the scale of the penetration, reportedly ordered senior security officials to stop using IT equipment entirely to prevent further data exfiltration. That instruction — essentially telling the regime's security apparatus to go analog during an active military strike — is a measure of how thoroughly the digital offensive had compromised the state's operational security.

The regime's "national internet" — the isolated domestic network Iran has spent years building as a crisis fallback — failed under the combined pressure. Nationwide connectivity dropped to less than 20 percent of normal traffic in the early hours of the campaign and fell as low as 4 percent at its most severe. The government imposed a near-total internet blackout as its primary technical defense. It was, analysts noted, less a strategy than an admission: Iran lacked the domestic cybersecurity infrastructure to resist the offensive, and isolation was the only remaining option. International sanctions had degraded the country's ability to acquire and integrate modern defensive systems for over a decade. That vulnerability was fully exposed on February 28.

The Propaganda Front

Alongside the infrastructure campaign ran a parallel information operation designed to reach Iranian civilians directly. The January television hack had demonstrated the feasibility of bypassing state media controls. By the time the military campaign launched, the target set had expanded significantly. The Tasnim News Agency — closely affiliated with the IRGC and one of the regime's primary domestic propaganda instruments — was breached and its website used to display anti-regime messages. The Islamic Republic News Agency's online presence was similarly disrupted. State broadcaster IRIB was struck both digitally and physically: Israeli strikes hit the IRIB headquarters in Tehran, causing fires and structural damage. The broadcaster insisted it remained on air. The claim was technically accurate and strategically irrelevant — the audience it was trying to reach had already seen something different on their screens.

The most tactically precise element of the information campaign was the breach of the BadeSaba application. A religious calendar and prayer-times app with over five million active users, BadeSaba serves a demographic — observant, government-aligned, predominantly older — that is precisely the segment Iranian state media most reliably reaches and most depends upon. Hackers replaced the app's regular content with messages urging armed forces to "lay down their weapons and join the people." The target was not the already-alienated urban middle class accessing opposition content via VPN. The target was the regime's own base. Cybersecurity researchers described the BadeSaba breach as a "smart move" for exactly this reason: it demonstrated that the information operation was not simply preaching to the converted, but attempting to erode the regime's institutional foundations from within.

On social media, the campaign extended further. Pro-Israeli accounts circulated Persian-language content designed to undermine government authority and amplify footage of protests. AI-generated material was used to scale the volume of messaging beyond what human operators alone could produce. Footage from the hijacked television broadcast circulated rapidly on Telegram despite the government's blackout — the Crown Prince's media team and the London-based Iran International network amplified the clips to audiences outside Iran who then fed them back in via VPN channels. The regime's blackout succeeded in reducing connectivity. It did not succeed in controlling the information environment.

Iran's Counter-Operations and Their Limits

Iranian-aligned threat actors launched retaliatory cyber operations against Israeli and American targets, but their effectiveness was assessed as significantly inferior to the offensive they faced. "Wiper" attacks — designed to erase data on Israeli systems — were deployed. Distributed denial-of-service operations flooded Israeli internet services. Iranian-linked actors attempted to breach internet-connected security cameras inside Israel to generate targeting data for missile strikes. Pro-regime accounts posted Hebrew-language content on Israeli social media platforms designed to spread civilian panic.

The asymmetry was pronounced. CrowdStrike and Sophos, monitoring the conflict in real time, characterized Iranian retaliatory operations as consistent with state-aligned threat actors operating below the technical threshold of their adversaries. The gap reflected years of accumulated disadvantage: sanctions had limited Iran's access to commercial cybersecurity tools and talent, its offensive cyber capability had developed in relative isolation, and the scale of the infrastructure damage it absorbed in the opening hours of the campaign degraded its capacity to mount a coherent digital response at precisely the moment one was most needed. The IRGC's communications disruption was not only a tactical problem. It was an information warfare problem. A military force that cannot communicate cannot coordinate its own counter-narrative any more than it can coordinate its missiles.

What the Screens Revealed

The political consequences of the information campaign remain genuinely uncertain, and the uncertainty itself is analytically significant. The Iranian system was deliberately constructed to distribute authority across clerical institutions, security networks, and revolutionary ideology — a design intended precisely to prevent decapitation, physical or digital, from producing systemic collapse. Some analysts, including Danny Citrinowicz of the Atlantic Council, have argued that removing a figure like Khamenei could harden rather than fracture the regime, galvanizing hardline factions around a nationalism of victimhood rather than producing the uprising the broadcasts called for.

What the digital campaign did achieve, with some certainty, is an erosion of the regime's capacity to control the terms on which its own population understood the crisis. For years, Iranian state media's monopoly on domestic information was maintained through filtering, imprisonment of journalists, and the systematic punishment of VPN use. The January television hack demonstrated that the satellite infrastructure underpinning that monopoly was vulnerable. The February campaign demonstrated that vulnerability at industrial scale. A government that cannot guarantee its citizens will see only what it wants them to see has lost something that is very difficult to recover — not power, exactly, but the specific form of power that comes from controlling what power looks like.

The screens went dark, then they showed something different, then the bombs fell. The sequence was not accidental. Modern conflict does not begin when the first missile launches. It begins when the first pixel changes. Iran is now navigating a succession crisis, a military confrontation, and an information environment it no longer fully controls — simultaneously, with the communications infrastructure to manage all three in a state of severe degradation. The regime that emerges from this, if one does, will have learned something about the new shape of warfare. So will everyone watching.