Bots in a Blackout: Foreign AI or Iran's Cyber Army Boosting Pahlavi?

Iran's blackout muffles the internet while X erupts with pro-Pahlavi posts that seem oddly in sync. This brief flags likely culprits, what to watch, and steps to avoid being steered.

Published on: Jan 11, 2026

Foreign AI Operations or Iran's Cyber Forces? An Ops Brief on a Manufactured Consensus

A cracked smartphone on a street. Protests behind it. Then, near-total blackout. That's the setup in Iran since late December 2025: heat on the ground, silence online.

Yet X fills with loud, pro-Pahlavi takes that feel coordinated. Threads with 500+ replies show roughly 85% attacking skeptics and about 35% sliding into slurs and threats. Same phrases, faceless accounts, high posting tempo: all hard to reconcile with limited access under a blackout.

Two plausible drivers

  • Foreign, AI-driven influence ops: Reports like the Citizen Lab analysis point to deepfakes, AI images, doctored audio, and bot swarms seeding pre-packaged protest narratives and timing drops for maximum spread.
  • Regime-linked coordination: A "privileged access" playbook (e.g., so-called White SIM allowances) used in past crises could be aimed at shaping sentiment now, possibly even boosting a convenient adversary to fracture the opposition and steer discourse into a safe lane.

These are not mutually exclusive. Both can operate at once. Treat them as hypotheses supported by indicators, not proof.

Signals ops teams should track

  • Access mismatch: High-volume posting from accounts claiming to be in blackout zones without credible workarounds (satellite, enterprise uplinks). Cross-check with public outage data from groups like NetBlocks.
  • Cadence and timing: Bursts at machine-like intervals, synchronized replies within seconds, and activity spikes misaligned with local sleep/work hours.
  • Language patterns: Repeated phrasing across accounts, identical slogans, similar punctuation and emoji stacks, and abrupt language switching (Persian/English) that mirrors scripts rather than conversation.
  • Account provenance: New or repurposed handles, low follower diversity, sudden follower inflations, and clusters created within narrow date windows.
  • Media forensics: Recycled footage labeled as new, mismatched geotags, inconsistent shadows/weather, heavy filtering to hide artifacts, or compressed layers that suggest repeated reposting chains.
  • Network footprints: Concentration in a few ASNs or VPN egress points, satellite IPv4/IPv6 ranges, or traffic sources tied to known hosting providers rather than residential ISPs.
  • Cross-platform sync: Copy-paste narratives dropping across platforms within minutes, using the same hooks and timestamps.
  • Toxicity ratio: Unusual volume of insults, threats, and pile-ons aimed at critics; reply sections that drown out nuance rather than debate.
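
The cadence and language-pattern signals above can be checked mechanically. The following is an added example, not part of the original brief: it flags handles whose gaps between posts barely vary and phrases that several handles post within seconds of each other. The sample posts, handle names and thresholds (`max_cv`, `min_posts`, `window`, `min_accounts`) are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample (handle, unix_seconds, text); not real posts.
POSTS = [
    ("acct_a", 1000, "Only ONE leader can unite us!!! 🔥🔥"),
    ("acct_a", 1060, "Skeptics are paid agents."),
    ("acct_a", 1120, "Wake up."),
    ("acct_b", 1003, "only one leader can unite us!"),
    ("acct_c", 1005, "Only one leader... can unite us 🔥"),
    ("acct_d", 1010, "I'm not sure the footage is from this week."),
    ("acct_d", 1400, "Does anyone have a second source?"),
    ("acct_d", 2900, "NetBlocks still shows the outage."),
]

def normalize(text):
    """Lowercase and drop punctuation/emoji so templated variants collapse."""
    return " ".join(re.findall(r"\w+", text.lower()))

def cadence_flags(posts, max_cv=0.1, min_posts=3):
    """Handles whose gaps between posts barely vary (coefficient of variation)."""
    times = defaultdict(list)
    for handle, ts, _ in posts:
        times[handle].append(ts)
    flags = {}
    for handle, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(ts_list) >= min_posts and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            if cv <= max_cv:
                flags[handle] = round(cv, 3)
    return flags

def synchronized_phrases(posts, window=10, min_accounts=3):
    """Normalized text posted by >= min_accounts handles within `window` seconds."""
    groups = defaultdict(list)
    for handle, ts, text in posts:
        groups[normalize(text)].append((ts, handle))
    hits = {}
    for phrase, items in groups.items():
        items.sort()
        for t0, _ in items:
            handles = {h for t, h in items if 0 <= t - t0 <= window}
            if len(handles) >= min_accounts:
                hits[phrase] = sorted(handles)
                break
    return hits
```

A hit from either function is an indicator to weigh alongside the other signals, not proof of automation.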

Action plan for operations leaders

  • Stand up an IO watch cell: Small, cross-functional team (ops, comms, security, data) with a 24/7 rota during the blackout window.
  • Define a narrative map: Track key claims, hashtags, slogans, and their first-seen sources. Maintain a living timeline.
  • Gate decisions with verification: For high-impact claims, require at least two independent confirmations (trusted on-the-ground contacts or verified media) before acting.
  • Apply bot-resistant filters: Minimum account age, follower/following ratios, posting interval variability, and language-style checks to score engagement quality before you treat it as signal.
  • Protect comms: Pre-approved messaging for brigading events. Do not pivot strategy based on astroturfed sentiment. Escalation matrix for threats.
  • Evidence handling: Preserve raw captures, URLs, and timestamps. Keep chain-of-custody notes for potential disclosure to platforms or investigators.
  • Out-of-band truth channels: Maintain secure, low-bandwidth updates from trusted observers (SMS relays, satellite snippets, curated Signal/Telegram lists).
  • Run small canary tests: Drop neutral, time-stamped posts to measure amplification/brigading tendencies without inflaming risk.

Metrics that cut through noise

  • Share of voice skew: Compare pro/anti topic volumes against a pre-blackout baseline.
  • Median account age: Younger than normal often flags coordination.
  • Toxicity per thread: % of replies with slurs, threats, or templated insults.
  • Engagement diversity: Unique handles per 100 comments and Gini coefficients of participation to detect a few accounts doing most of the work.
  • First-seen lag: Time from offline event to online spike; scripted campaigns tend to over-synchronize.
  • Feasibility check: Estimated % of chatter likely originating from blackout-affected areas vs. known accessible networks.
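
Several of these metrics reduce to a few lines of arithmetic once replies are collected. The following is an added example, not part of the original brief: it computes unique handles per 100 comments, the Gini coefficient of participation, median account age and toxicity share for one thread, then compares them with a pre-blackout baseline. Both threads, the `abusive` label and the comparison thresholds are constructed assumptions.

```python
import statistics
from collections import Counter

# Constructed threads: (handle, account_age_days, abusive). The abusive label
# is assumed to come from manual review or a classifier; none of this is real data.
SKEWED = ([("amp1", 14, True)] * 12 + [("amp2", 12, False)] * 5 +
          [("amp3", 9, False), ("u1", 2400, False), ("u2", 1700, False)])
BASELINE = [(f"user{i}", 400 + 150 * i, i == 0) for i in range(10)]

def gini(counts):
    """Gini of replies per handle: 0 = evenly spread, near 1 = a few dominate."""
    xs = sorted(counts)
    n, total = len(xs), sum(xs)
    if n == 0 or total == 0:
        return 0.0
    weighted = sum((i + 1) * x for i, x in enumerate(xs))
    return 2 * weighted / (n * total) - (n + 1) / n

def thread_metrics(replies):
    per_handle = Counter(h for h, _, _ in replies)
    ages = {h: age for h, age, _ in replies}  # one age per handle
    return {
        "unique_per_100": 100 * len(per_handle) / len(replies),
        "gini": gini(per_handle.values()),
        "median_age_days": statistics.median(ages.values()),
        "toxicity_pct": 100 * sum(bad for _, _, bad in replies) / len(replies),
    }

def drift_flags(current, baseline):
    """Compare a thread to a pre-blackout baseline. Thresholds are illustrative."""
    flags = []
    if current["unique_per_100"] < 0.5 * baseline["unique_per_100"]:
        flags.append("low engagement diversity")
    if current["gini"] - baseline["gini"] > 0.3:
        flags.append("participation concentrated in few handles")
    if current["median_age_days"] < 0.25 * baseline["median_age_days"]:
        flags.append("young accounts")
    if current["toxicity_pct"] > 2 * baseline["toxicity_pct"]:
        flags.append("elevated toxicity")
    return flags

if __name__ == "__main__":
    base, cur = thread_metrics(BASELINE), thread_metrics(SKEWED)
    print(cur, drift_flags(cur, base))
```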

How to brief leadership in 30 seconds

We see an engineered narrative inflating support for a specific figure and punishing dissent. Indicators suggest either foreign AI-assisted ops, regime-linked coordination using privileged access, or both. We are filtering engagement quality, verifying ground truth out-of-band, and holding strategy steady despite brigading. Current risk: decision drift due to fake consensus. Next updates: metrics snapshot, platform reports, and any verified on-the-ground shifts.

Bottom line

Blackouts create a vacuum. Coordinated actors fill it. Your job is to separate real signal from staged momentum and keep decisions anchored to verifiable inputs. Discipline beats outrage.
