Executive Summary: How Unrest in Iran is Being Weaponized Online
Date: February 2026
Source: PreCrime™ Labs
PreCrime™ Labs, the research division of BforeAI, analyzed an organized surge of Iran-themed domain registrations across a small set of registrars and cheap top-level domains (TLDs), indicating clear clusters around themes including protest, conflict, sanctions evasion, gambling, and infrastructure that can be used as predictive indicators for preemptive security controls. The timeframe for this data analysis was from 1 December, 2025 to 15 January, 2026, totalling 580 domains specifically targeting the unrest situation in Iran, across various industries and verticals.
The Whois-enriched dataset captured registrars, dates, name servers, and basic registrant geography. There is a strong concentration around a handful of registrars, privacy-protected records, and Cloudflare or Chinese DNS, which together act as early risk signals for coordinated campaigns tied to the ongoing Iran conflict and related information operations. Multiple thematic clusters using keywords such as “protests”, “no war”, “sanctions”, “logistics”, “casinos”, and “VPN” provide high-value predictive indicators for proactive blocking, brand and policy enforcement, and sanctions risk monitoring before full campaigns go live.
Update: March 2026
Source: PreCrime™ Labs
Crypto-themed registrations were relatively limited earlier in the cycle, with 7 domains observed across December–January, heavily focused on ‘Khameni coin’-themed narratives. The two domains observed in March later expanded to include ‘Trump vs Iran’ coin variations, reflecting a shift toward broader geopolitical monetization angles.
‘Hormuz’-related domains have now increased to 18, up from 15 previously, indicating renewed focus on the Strait amid escalating trade and war-linked risk narratives.
Notably, there was an average one-week “no significant activity” phase with very sparse registrations during the initial month of February; however, activity drastically spiked from 27 February onward. Specifically, war-related ‘Iran’ domains surged from 28 February, with 42 domains registered since then. Prior to this spike, the most recent related registration was on 10 February, and before that, 30 January, highlighting a clear reactivation phase aligned with geopolitical escalation.

Dataset and methodology
Domains include strings like “iranprotest2026”, “iranrevolution2026”, “iranianwar”, “nowaroniran”, “iranshadowfleet”, “iraninternetstatus”, “iranbet365address”, “iran-vpn”, and “irancash.app”, which explicitly tie registration activity to the current Iran crisis, sanctions environment and information landscape.
Registrar and infrastructure metrics
Top 10 registrars
A small set of registrars accounts for a significant share of conflict-related domains, notably NameCheap, Alibaba Cloud / HiChina, various DropCatch entities, Tucows, GoDaddy, Cloudflare Registrar, Hello Internet Corp and several EU-based registrars such as Key Systems and Joker.
A chart of the top registrars by domain count in the Whois results shows a steep drop from the largest contributing providers to the long tail, highlighting attractive abuse surfaces for preemptive controls at the registrar and registry level.

One actor registered more than 30 “bt303irani.*” domains across a wide spread of niche TLDs such as “.asia”, “.autos”, “.beer”, “.boats”, “.buzz”, “.casa”, “.cfd”, “.christmas”, “.club”, “.forum”, “.homes”, “.lat”, “.lifestyle”, “.lol”, “.mom”, “.monster”, “.online”, “.pics”, “.quest”, “.site”, “.store”, “.website”, and “.xyz” using NameCheap and a common AlphaDNSZone nameserver set, indicating a coordinated multi-brand or multi-landing-page infrastructure.
This concentration means that partnering with or monitoring policies at NameCheap, Alibaba Cloud / HiChina, GoDaddy, Tucows, DropCatch and Cloudflare would cover a disproportionate share of newly registered Iran conflict domains and allow for registrar-level risk scoring and auto-triage.
Nameserver and DNS infrastructure provide additional predictive indicators where large clusters use Cloudflare as well as Chinese DNS (“dns*.hichina.com”) or local Iranian hosting (“hostiran.net”, “netafraz.com”, and “irandns.com”), giving early hints about likely hosting geography and potential DDoS or cloaking capabilities.
TLD and keyword trends
The domain list shows extensive use of cheap generic TLDs like “.xyz”, “.online”, “.store”, “.shop”, “.site”, “.info”, “.top”, “.space”, “.buzz”, and “.fun” alongside classic “.com”, “.org”, and some country code domains such as “.ca”, “.fr”, “.uk”, and “.asia”.

Clusters of nearly identical labels in many TLDs are visible, for example “iranprotest2026.com / .net / .store”, “bt303irani.” across dozens of extensions and “chaoziran.” registered in at least “.asia”, “.biz”, “.chat”, “.click”, “.cloud”, “.club”, “.cyou”, “.design”, “.fans”, “.fit”, “.fun”, “.group”, “.host”, “.info”, “.ink”, “.link”, “.live”, “.ltd”, “.mobi”, “.one”, “.press”, “.ren”, “.space”, “.store”, “.tech”, “.uno”, “.vip”, “.wang”, “.website”, “.work”, “.world”, and several other TLDs.
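The family pattern described above (one label repeated across many TLDs, often on shared registrar and nameserver infrastructure) can be surfaced by grouping WHOIS rows on the label. This is an added example, not PreCrime Labs code: the rows are constructed, registrar names "Registrar A/B" and all nameserver hostnames are placeholders, and `find_families` with its `min_tlds` threshold is hypothetical.

```python
from collections import defaultdict

# Constructed sample rows: (domain, registrar, nameserver). Labels come from the
# report; nameserver hostnames and "Registrar A/B" are placeholders.
SAMPLE = (
    [(f"bt303irani.{t}", "NameCheap", "ns1.alphadnszone.example")
     for t in ("asia", "autos", "beer", "xyz")]
    + [(f"chaoziran.{t}", "Alibaba Cloud / HiChina", "dns1.hichina.example")
       for t in ("asia", "biz", "chat")]
    + [("iranprotest2026.com", "Registrar A", "ns1.host-a.example"),
       ("iranprotest2026.net", "Registrar B", "ns1.host-b.example"),
       ("iranprotest2026.store", "Registrar A", "ns1.host-a.example"),
       ("irancash.app", "Registrar A", "ns1.host-a.example")]
)


def split_registered(domain):
    """Split a registered domain (assumed to carry no subdomain) into (label, tld)."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    return label, tld


def find_families(rows, min_tlds=3):
    """Group rows by label and return the families spanning >= min_tlds TLDs."""
    groups = defaultdict(list)
    for domain, registrar, nameserver in rows:
        label, tld = split_registered(domain)
        if label and tld:
            groups[label].append((tld, registrar, nameserver))
    families = {}
    for label, members in groups.items():
        tlds = sorted({m[0] for m in members})
        if len(tlds) < min_tlds:
            continue
        families[label] = {
            "tlds": tlds,
            "registrars": sorted({m[1] for m in members}),
            "nameservers": sorted({m[2] for m in members}),
            # A single registrar/nameserver pair across the whole family
            # suggests one operator rather than unrelated registrants.
            "shared_infra": len({(m[1], m[2]) for m in members}) == 1,
        }
    return families
```

Families with `shared_infra` set are the stronger candidates for treatment as a single campaign; a label spread over several registrars may just be a popular phrase.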
Keyword analysis reveals several high-risk thematic buckets:
Protest and unrest: “iranprotest”, “iranprotesttracker”, “iranrevolution”, “theiranianrevolution”, “iranrevolt”, “iran-uprising”, “iranrevolution2026”, often paired with “.org”, “.online”, “.app”, and “.com”.
Kinetic conflict framing: “iranianwar.com”, “iraniancivilwar.com”, “iranwarwatch.com”, “irancivilwar.com”, “iranconflict.com”, “stateofiran.com”, and “stateofiran.net”, which can be used for propaganda, situational reporting or disinformation about the ongoing tensions.
Sanctions and gray logistics: “iranianshadowfleet.com”, “iranshadowfleet.com”, “iranianports.com”, “iraniansteelco.com”, “iraniansteeltrade.com”, “iranpetroexport.com”, “iranianoilexports.com”, “iranpetrol.com”, “iranianpetroleum.com”, “iranstoneexport.com”, “iranboat.com”, and “iranrailtour.com”, which intersect directly with sanctions evasion and maritime risk narratives around Iran.
Circumvention and infrastructure: “iran-vpn.com”, “iraninternetstatus.com”, “iranmobile.cfd”, “iranmobile.sbs”, “iraniservers.site”, “iranpay.io”, “iranpay.net”, “iranpayments.com”, and “iranllm.net / .org”, which indicate infrastructure for censorship bypass, payments and possible data collection against Iranian users under conflict conditions.
These keyword and TLD combinations are powerful precrime indicators for automated detection pipelines: terms like “protest”, “revolution”, “war”, “shadowfleet”, “bet”, “casino”, “vpn”, and “pay” intersecting with “iran*”. Fresh registrations should be triaged as higher risk items when observed in hostile or contested geopolitical environments.
Temporal and geographic risk indicators
Most of the domains featured in this dataset were created between early December 2025 and mid-January 2026, which coincides with the intensification of the Iran conflict and related international responses. Patterns like newly created .com and .org domains about “iranianwar”, “iranconflict”, “iranshadowfleet”, and “iraninternetstatus” in January 2026, often fronted by Cloudflare and registered through US, Canadian or European registrars, suggest opportunistic actors racing to control high-value narratives as the situation evolves.
Registrant geography is heavily masked but still reveals hints: privacy-protected records in Iceland, China, the United States, and Western Europe are common, while some records expose locations such as Tajikistan, Dubai, and other Gulf states for commercial or logistics-focused Iran domains.
Chinese infrastructure providers (Alibaba Cloud / HiChina) and Chinese registrants appear as central nodes for the “chaoziran.*” cluster, which may represent foreign commercial or content operations rather than domestic Iranian actors, yet still intersects the conflict information space.
Key Campaigns of Interest
Cryptocurrencies and betting
One of the primary interests of threat actors during the unrest in Iran is monetization. By launching emotionally provoking crypto-themed domains and tokens, they can leverage anger and ideological themes to drive investment. This can lead to fraudulent pump and dump schemes, where threat actors turn political instability into financial extraction. Certain domains were still in “parked” states, indicating that the campaign remains under construction and is yet to be launched fully.


Another avenue of rising scams was found in casino and betting sites, where unrest-linked attention was used to push and capitalize on gambling and betting platforms. Such domains repurpose geopolitical narratives to drive traffic, induce risky financial behavior, and extract money as a part of entertainment or “alternative income” channels.

Financial, gambling and fraud domains: “iraniancoin.xyz”, “makeirangreatagaincoin.com”, “irancoinjoin.xyz”, “irancash.app”, “gamblingtipsiran.com”, “casino-onlineirani.com”, “iranbet365address.site”, “iranbett.com”, “iranbetinfo.com”, “site-shartbandi-football-irani.com”, “shartbandi-iran.com”, “rouletteiran.com”, and “radioiranporn.com”, representing high fraud and AML risk if weaponized.
Protest and movement trackers
Certain domains were registered during this period of unrest claiming to provide real time intelligence and movement of the protests, in an attempt to allegedly set a narrative. By branding as a “freedom hub,” these domains attract attention to shape perception and potentially steer engagement. While using strategic phrases, these platforms often blur OSINT data, speculation, and activism, risking the amplification of misinformation.

Narrative-setting domains
Another area of domain registrations that dominated the dataset was influential and narrative driven domains that project speculative futures for Iran through protest symbolism without verifiable facts. By imagining outcomes rather than presenting evidence, such sites steer extreme perception and shape expectations. Such sites, by default, ignore the concrete claims that could be challenged or disproven.

Predictions and early registrations
Certain domains appeared in the staging phase rather than being actively operational. While no confirmed misleading content is present yet, the naming aligns with emerging geopolitical narratives. Such early registrations suggest strategic readiness, allowing rapid activation when attention peaks, rather than immediate influence, a common method seen in fast-evolving geopolitical conflicts.

Funding and donations
Another attempt to capitalize on the global attention generated by the situation in Iran was found in suspicious fundraising platforms. The example below initially leaned heavily on emotion-driven protest symbolism and crypto-first donation appeals, and later transitioned, within a short window, into a polished, transparency-focused humanitarian narrative. This evolution coincided closely with escalation in protests and international discourse.


Early-stage versions prioritize urgency and emotional resonance to capture attention quickly. As scrutiny increases, platforms often pivot toward legitimacy signaling, introducing language around accountability, civil society, and reports to reduce donor friction and regulatory suspicion.
From a threat intelligence perspective, this pattern does not automatically imply malicious intent. However, speed of narrative pivot, alignment with peak unrest, and reliance on crypto rails collectively raise red flags. Such behavior reflects opportunistic monetization of instability.
Support from other nations
Certain clusters of domains seemed to be registered by opportunistic actors seeking early narrative, economic, or informational footholds. Domain registrations referencing Iran alongside other nations (e.g., China, India, and Canada) indicate preparation to engage once geopolitical, diplomatic, or economic windows open.
Such domains may later host content framing about alliances, positioned as “information”, “trade”, or “civil society”. Dormant or benign-looking sites are frequently registered early to avoid scrutiny, then activated when timing is optimal. Early registrations with neutral content allow actors to later claim legitimacy or organic interest.


Recommended preemptive controls
From the dataset, PreCrime Labs identifies the following concrete indicator categories for preemptive security:
Fresh Iran unrest registrations: Domains with “iran”, “irani*”, or key figures (for example “khamenei.xyz”, “margbarkhamenei.com”, “khamenei.live”) created in the last 30 to 60 days using privacy services or Cloudflare / HiChina DNS represent early stage infrastructure and should be scored higher for brand, fraud, and policy monitoring.
Thematic bundles: Families like “bt303irani.” and “chaoziran.” across many TLDs are structurally similar to phishing or campaign infrastructures and are ideal candidates for graph-based clustering, sinkholing and pre-registration policy controls at registrars.
Sanctions-related logistics labels: Any new domain combining “iran” with “shadowfleet”, “ports”, “petrol / petroleum”, “oilexports”, “stoneexport”, “steeltrade”, “boat”, or “rail” should be considered high risk for sanctions evasion or commodity fraud narratives and monitored jointly by security and compliance teams.
Financial and gambling strings: Finance-oriented keywords such as “coin”, “cash”, “bet”, “casino”, and “shartbandi” combined with “iran*” in a new registration, particularly on cheap TLDs or via high risk registrars, are likely precursors to fraud, unlicensed gambling, or money laundering schemes that target populations affected by the conflict.
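The indicator categories above, together with the keyword and TLD combinations from the keyword analysis, can be combined into one triage score for newly observed registrations. This is an added example, not PreCrime Labs code: the keyword lists are copied from the report, while the weights, the `triage` and `rank` functions, the sample dates, privacy flags and nameserver hostnames are assumptions or placeholders.

```python
from datetime import date

# Keyword lists are copied from the report; the weights below are assumptions.
ANCHORS = ("iran", "khamenei")
BUCKETS = {
    "unrest": ("protest", "revolution", "war"),
    "sanctions_logistics": ("shadowfleet", "ports", "petrol", "oilexports",
                            "stoneexport", "steeltrade", "boat", "rail"),
    "finance_gambling": ("coin", "cash", "bet", "casino", "shartbandi"),
    "circumvention": ("vpn", "pay"),
}
CHEAP_TLDS = {"xyz", "online", "store", "shop", "site", "info", "top",
              "space", "buzz", "fun"}
DNS_HINTS = ("cloudflare", "hichina")  # DNS providers the report flags

def triage(domain, created, nameservers, privacy, today, max_age_days=60):
    """Score one registration; higher means review sooner, 0 means out of scope."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    if not any(a in label for a in ANCHORS):
        return {"domain": domain, "score": 0, "buckets": [], "reasons": []}
    score, reasons = 1, ["anchor term"]
    buckets = [name for name, words in BUCKETS.items()
               if any(w in label for w in words)]
    score += 2 * len(buckets)
    reasons += [f"theme:{b}" for b in buckets]
    if tld in CHEAP_TLDS:
        score, reasons = score + 1, reasons + ["cheap TLD"]
    if 0 <= (today - created).days <= max_age_days:
        score, reasons = score + 2, reasons + ["fresh registration"]
    if privacy:
        score, reasons = score + 1, reasons + ["privacy-protected WHOIS"]
    if any(h in ns.lower() for ns in nameservers for h in DNS_HINTS):
        score, reasons = score + 1, reasons + ["flagged DNS provider"]
    return {"domain": domain, "score": score, "buckets": buckets, "reasons": reasons}

# Constructed sample rows: the first two domain names appear in the report, the
# third is made up; dates, privacy flags and nameservers are placeholders.
SAMPLE = [
    ("iransteeltrade-old.example", date(2019, 1, 1), [], False),
    ("iranbet365address.site", date(2025, 12, 20), ["ns1.registrar.example"], False),
    ("iranshadowfleet.com", date(2026, 1, 5), ["ns1.cloudflare.example"], True),
]

def rank(rows, today):
    """Return triage results sorted by descending score."""
    return sorted((triage(*r, today=today) for r in rows),
                  key=lambda r: r["score"], reverse=True)
```

Substring matching is deliberately broad, so short terms such as “war”, “bet” and “pay” will also hit unrelated labels; the `reasons` list is there so an analyst can see why a domain was ranked where it was.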




