Iran Cyber Tour
Government and Hezbollah digital infrastructure analysis — mapping the regime's online footprint from Tehran to Beirut.
23 intelligence files. 182 embassy subdomains. One single point of failure.
About This Collection
This collection maps the digital infrastructure of the Iranian government and Hezbollah across multiple domains. Through DNS enumeration, certificate transparency analysis, JavaScript source inspection, and HTTP header review, ODINT identified critical misconfigurations including private IP leaks, exposed admin portals, VPN endpoints, and the regime's complete reliance on ArvanCloud (AS205585) as a CDN single point of failure. Hezbollah's deliberate use of Russian and Czech hosting for resilience against Western takedowns is documented alongside EXIF metadata that attributes content creation to specific workstations in Beirut.
Interactive Reports
Explore the Iran collection through interactive dashboards
Main Dashboard
Complete overview of Iranian government and Hezbollah infrastructure — target analysis, critical findings, hosting strategy, ASN ownership, and hash/token database.
Timeline
Chronological events covering Iran's economic collapse, protest movements, Hezbollah ceasefire violations, and Maduro extraction — January 2026.
Glossary
Searchable database of Iranian government entities, Hezbollah organizations, technical terms, and intelligence abbreviations.
Critical Findings
Key security exposures discovered across Iranian government infrastructure
| Finding | Target | Impact |
|---|---|---|
| Private IP Leak | kateb.irna.ir → 10.30.41.85 | Internal network topology exposed |
| VPN Endpoint | r1.vpn.minister.local.mfa.gov.ir | Ministerial VPN, internal naming leaked |
| Admin Portal | admin.english.khamenei.ir | Admin interface found via cert transparency |
| Hidden API | formx.khamenei.link | Separate TLD to hide API infrastructure |
| Mobile APK | dl.farsnews.ir/app.apk | IRGC news app available for reverse engineering |
| Embassy Network | *.mfa.gov.ir (182 subdomains) | Complete diplomatic web presence mapped |
| Dev Tools Exposed | jira.farsnews.ir | JIRA, Confluence, Telegram API integration |
| Monitoring Infra | prtg.mehrnews.com | PRTG network monitor, HR system exposed |
| EXIF Attribution | Hezbollah media files | Photoshop 7.0 (pirated), Beirut working hours |
| WhatsApp OPSEC | alahednews.com.lb | Original WhatsApp filenames preserved |
Targets
Government entities and FTO media operations analyzed
| Target | Domain | Type | Key Finding |
|---|---|---|---|
| IRNA | irna.ir | State News Agency | Private IP leaked, internal subnets mapped |
| MFA | mfa.gov.ir | Foreign Ministry | VPN endpoint, 182 embassy subdomains |
| Supreme Leader | khamenei.ir | Regime Leadership | Admin portal, hidden API on separate TLD |
| President.ir | president.ir | Presidential Office | AS34592 direct attribution |
| FarsNews | farsnews.ir | IRGC News | JIRA, Confluence, Telegram API, APK |
| MehrNews | mehrnews.com | State Media | PRTG monitoring, HR system |
| Hezbollah | moqawama.org.lb | FTO Propaganda | Russian/Czech hosting strategy |
| Al-Manar TV | almanar.com.lb | FTO Media | Selectel Moscow + Alibaba Malaysia |
Government ASN Map
Autonomous System ownership linking infrastructure to state entities
| ASN | Owner | Usage |
|---|---|---|
| AS34592 | Iranian Presidential Admin | president.ir |
| AS29079 | IRNA | irna.ir network |
| AS24631 | Tose'h Fanavari | mfa.gov.ir |
| AS48434 | Tebyan-e-Noor Institute | khamenei.ir mail |
| AS205585 | ArvanCloud | ALL gov sites CDN — single point of failure |
Raw Downloads
Browse the full Iran intelligence archive
Published Articles
Investigation coverage and analysis