A “limited” cyberattack on shared communications infrastructure disrupted four of Iran’s largest state banks on Saturday, June 13, leaving shoppers across Tehran unable to use their cards at supermarkets, gas stations, and restaurants. The disruption cascaded through mobile banking, internet banking, ATMs, and point-of-sale terminals in a financial system that processes the bulk of Iran’s daily commerce.
The Coordination Council of Iranian Banks confirmed the attack on Saturday evening, naming Bank Melli, Bank Tejarat, Bank Saderat, and the Export Development Bank of Iran (EDBI) as the affected institutions. A shopkeeper told Iran International that nearly 90% of bank cards had been down for about four hours, with businesses falling back to handwritten receipts. The council said no customer data was accessed or deleted.
Four Banks, One Backbone
The Coordination Council of Iranian Banks said the incident hit Bank Melli, Bank Tejarat, Bank Saderat, and the Export Development Bank of Iran, four of the country’s most systemically important financial institutions. “Immediately upon identifying unusual activity, technical teams implemented the necessary protective and preventative measures to safeguard customer data and banking infrastructure,” the council stated, per the council’s full statement on the four-bank outage. The council’s framing is consistent: the attack was “limited,” no data was taken, and restoration was “progressing rapidly.”
The four banks rely on the same digital plumbing, which is why an attack on the shared communication infrastructure rippled into four simultaneous outages. “Detailed technical investigations indicate that this disruption was caused by a limited cyberattack on the shared communication infrastructure of these four banks, and fortunately, no unauthorized access to customer information occurred and no information was deleted,” the council said in a statement reported by Cybernews. That single point of common dependency turned a targeted intrusion into an outage that hit all four lenders at once. Each lender plays a distinct role in Iran’s financial system:
| Bank | Role in Iran’s banking system | Hit in IRLeaks Aug 2024 |
|---|---|---|
| Bank Melli | Iran’s largest state-owned bank | Yes |
| Bank Tejarat | Large state commercial bank | Yes |
| Bank Saderat | Major state retail and corporate bank | Not named in cited scope |
| Export Development Bank of Iran | Mandated to finance Iran’s foreign trade | Yes |
On the Tehran Side of the Outage
- 4 banks affected
- ~90% of bank cards down
- ~4 hours of disruption
- No customer data accessed
For a few hours, ordinary commerce in Tehran simply stopped working. Cards were declined at supermarket checkouts, gas-station pumps would not take payment, and restaurants told customers their machines were down. One shopkeeper said nearly 90% of bank cards had been down for about four hours, leaving customers unable to make purchases, per shopkeeper reports of nearly 90% of cards failing. POS devices at some shops were showing an “issuer error” to anyone who tried to tap a card. Some businesses, unwilling to turn away trade, fell back on handwritten receipts.
A Mashhad resident said banks had been facing disruptions since the morning. Separate messages to Iran International reported that cards issued by Bank Mellat were failing alongside those of Melli, Tejarat, and Saderat, even though Mellat is not on the council’s official list. The street-level pattern matched the council’s framing: a service outage, with customer data intact.
Iran International is a London-based Persian-language outlet that receives tips from inside Iran. The same outlet reported user messages about blocked transfers, POS errors, and ATM withdrawals failing across multiple cities. Customer deposits and account balances, per the council’s statement, were not affected.
The “Limited” Frame and the Black Wolves Claim
Five categories of banking service went dark during the incident:
- Mobile banking apps
- Internet banking platforms
- ATMs
- Point-of-sale terminals
- Certain card-based services
The list, drawn from the IranWire summary of the council’s statement, captures the full surface of consumer banking. The council said technical teams had regained control of the affected systems and that restoration was “progressing rapidly.” The framing, both from the council and from its secretary, is the same: limited cyberattack in scope, no data lost, recovery under way.
Iran’s banking coordination council has worked to project control over the response.
All relevant infrastructures are under the control of technical experts, and operations to secure and restore the systems are being carried out rapidly.
Alireza Gheytasi, the Secretary of the Coordination Council of Banks, told the IRIB News Agency that recovery was already under way.
A different actor took credit for the incident. On Saturday, a Telegram channel operated by a group calling itself Black Wolves posted, “A silent war is unfolding, and Iran is under cyberattack,” per the Black Wolves Telegram claim of responsibility. The council’s official statement did not identify any external actor, and as of Sunday morning, no Iranian government official had attributed the attack to a specific party.
Hours Before the MOU
The cyberattack came hours before the United States and Iran were scheduled to sign a memorandum of understanding aimed at ending the war between the two countries and reopening the Strait of Hormuz. That timing has fueled speculation about a possible political or strategic motive, though no authority has confirmed any link. The MOU sets the table for a 60-day technical phase of negotiations, with sanctions relief and the release of frozen Iranian assets expected to dominate that second stage.
Iran’s banking system would be the conduit for any post-deal financial flows. Bank Melli, Bank Tejarat, and Bank Saderat are all designated under US Treasury sanctions programmes, restricting their access to dollar clearing and international correspondent banking networks. Reuters reported on Friday, June 12, that the UAE had agreed to release up to $20 billion to Iran in exchange for a halt to Iranian attacks on Gulf states, an arrangement Abu Dhabi has denied. The four banks now failing under a cyberattack carry an extra layer of operational risk into whatever financial provisions accompany any peace agreement.
The MOU signing is part of a wider regional realignment. The story of how Gulf Arab states became Iran targets sits outside this article, but the banking outage lands squarely inside it. Pakistan’s prime minister announced a peace deal was closer than ever on the same day. President Donald Trump said the Strait of Hormuz would reopen immediately upon signing. The shared banking backbone, meant to underpin financial normalization, was knocked offline.
Why Iran’s Banking Stack Stands on Shared Rails
State ownership pulls Iran’s biggest lenders onto common rails, and Western sanctions have shaped those rails for years. Both forces push toward a single, narrower stack, which is what the attackers found.
Iran’s banks have been hit before. In August 2024, a group called IRLeaks targeted Iranian banks in what Politico described as the worst cyberattack in Iranian history, affecting 20 of approximately 29 Iranian credit institutions. Bank Melli, Bank Tejarat, and the Export Development Bank of Iran had all been identified in the earlier attack’s scope by security researchers. Bank Saderat was not named in the cited IRLeaks reporting. Three of the four banks hit on Saturday are the same three that were in IRLeaks’ crosshairs in 2024.
The cyber operations between Iran and its adversaries go back years. The Stuxnet worm, deployed against uranium enrichment centrifuges at the Natanz facility, set the template for state-on-state digital confrontation. Iran’s Natanz facility was struck again by US and Israeli airstrikes in June 2025, and the Operation Epic Fury strikes that began on February 28, 2026, extended the conflict into physical infrastructure.
On the Iranian side, the pattern runs the other way. Hackers breached Tehran’s Evin Prison in 2021, leaking surveillance footage. During the 2022 women’s protests, hackers targeted the Iranian Central Bank. An Iran-linked group has more recently claimed to breach California water utilities in stated retaliation for US strikes on Iranian water infrastructure. The Saturday outage fits a wider pattern of cyber conflict.
The Resilience Question
For defenders anywhere, the Iranian banking outage is a clean illustration of shared-infrastructure risk. Four banks did not independently fail; they failed together because they depended on a common component. A shared backbone is also a single point of failure.
The council’s “limited” characterisation left the full scope of the disruption unverified by independent sources, per reporting cited in regional outlets. Local media reported that by Sunday, transactions had returned to normal, with issues at Bank Tejarat and the Export Development Bank of Iran resolved later in the day per local media cited by Cybernews. The Coordination Council said recovery efforts were under way and that banking services would resume in the near future, without specifying a timeline. As of Sunday morning, no Iranian government official had attributed the attack to a specific actor, leaving attribution contested. The question of what this disruption actually was remains open.
The MOU between the United States and Iran, if signed on Sunday as scheduled, will test whether Iran’s banking infrastructure can handle the transaction volumes involved in any follow-on agreement. The Coordination Council said normal banking services would resume in the near future, per the WANA News Agency, without specifying a timeline. Analysts cited in regional reports said the operation appeared designed to target critical components of Iran’s financial network. The Saturday outage was a visible disruption, with handwritten receipts replacing card readers across Tehran.
