Iran Today

The Psiphon Army: Breaking Iran's Blackout

The Node

Darya had not slept in thirty-one hours. She was sitting at her kitchen table in a rented apartment in North York — the neighborhood Iranians call “Tehranto” — watching a progress bar on her laptop screen. The bar represented bandwidth. Specifically, it represented the fraction of her home internet connection that was being routed through Psiphon Conduit to an unknown number of users inside Iran who were trying to reach the outside world.

She had installed Conduit on January 9, six hours after her mother stopped answering calls. Her sister in Vancouver had installed it. Her ex-boyfriend in Hamburg had installed it. Her old university roommate in Los Angeles had installed it. By the end of that first week, she was part of a network of approximately four hundred thousand Iranians abroad who had turned their personal computers into bridge nodes — relay stations that tunneled Iranian internet traffic through residential IP addresses scattered across thirty countries.

Darya did not know who was using her connection. She did not know if the data passing through her apartment was a text message, a photograph, or a seven-second video of men firing from a rooftop. She knew only that her mother had called at 7:48 PM Tehran time on January 8 to say the internet was going down, and then the line went dead. For twelve days, running Conduit on her laptop was the only thing she could do that felt like reaching back.

If your family lived in a country that could go silent with the flip of a switch — no calls, no messages, no proof of what was happening — what would you do with your laptop?


The Architecture

Psiphon was not built for January 2026. It was built in 2006 at the Citizen Lab at the University of Toronto — a research group that studies the intersection of digital technology and human rights.[1] The original design was a circumvention tool: software that helps users in censored countries bypass internet filters.

The tool works by creating encrypted tunnels between a user inside a censored country and a proxy server outside it. The user’s traffic enters the tunnel, travels to the proxy, exits onto the open internet, and returns the same way. From the perspective of the censoring state, the traffic appears to be going to an innocuous destination — not to the banned website or messaging service the user actually wants to reach.

What made Psiphon different from a standard VPN was its protocol agility. When the regime’s deep packet inspection systems learned to identify and block one tunneling protocol, Psiphon automatically switched to another. It cycled through SSH, HTTP proxy, and obfuscated protocols — a constant adaptation to the censor’s countermeasures. The regime’s DPI boxes were configured to drop TLS handshakes and inject TCP Reset packets. Psiphon’s obfuscation layer disguised its traffic as something other than a TLS handshake — making it harder to fingerprint and block.

But the real innovation was Conduit.

Standard circumvention tools rely on proxy servers — machines in data centers with known IP addresses. Governments can identify and block these addresses. Iran had been doing this for years, maintaining blocklists of VPN servers that were updated daily.

Conduit inverted the model. Instead of routing traffic through a small number of data-center servers, it routed traffic through the home internet connections of ordinary people. When Darya installed Conduit on her laptop in North York, her residential IP address — an address indistinguishable from any other Canadian home connection — became a proxy node. Multiply that by four hundred thousand, and the regime faced an impossible filtering problem: blocking Conduit meant blocking residential internet traffic from every country where Iranians lived. It meant blocking Canada, Germany, the United States, the United Kingdom, Australia, Turkey, the UAE. It meant, functionally, blocking the entire internet — which would defeat the purpose of a selective blackout.

The Math of Decentralization

Data-center proxy servers: ~thousands of addresses (blockable)

Conduit residential nodes: ~400,000 addresses across 30+ countries (unblockable without shutting down all foreign traffic)

Regime’s DPI capacity: designed for centralized targets, overwhelmed by distributed residential nodes

This was the asymmetry. The regime had built its censorship infrastructure to fight a centralized enemy — VPN companies with identifiable servers. Conduit presented a decentralized one. The same principle that makes peer-to-peer networks resilient — no single point of failure — made Conduit resistant to state-level filtering.


The Outperformance

The obvious question: if Starlink had fifty thousand terminals inside Iran, why did a software tool running on diaspora laptops matter?

The answer is that Starlink was fighting on the regime’s chosen terrain — the electromagnetic spectrum — where the state held decisive advantages.

Starlink terminals broadcast radio signals to satellites. Radio signals can be jammed. The Russian-supplied Kalinka system detected Starlink terminal emissions and directed high-power jamming beams at the uplink frequencies. The Tobol system jammed the downlink. GPS spoofing caused terminals to miscalculate their positions, degrading antenna steering. Physical drone raids targeted the dishes themselves. By the height of the crackdown, approximately forty thousand of fifty thousand terminals were disabled or degraded.[2] Packet loss in Tehran reached thirty to eighty percent — functionally unusable for uploading video evidence.

Starlink operated in the physical world. Its terminals had a detectable electromagnetic signature. They sat on rooftops where drones could find them. They required GPS signals that could be spoofed. Every terminal was a physical object that could be seized and whose owner could be imprisoned.

Psiphon Conduit operated in the logical layer of the internet — in the software that routes packets, not the hardware that transmits them. A Conduit node in Toronto had no electromagnetic signature for Kalinka to detect. It sat in an apartment the IRGC could not raid. Its traffic, disguised by protocol obfuscation, was mixed with billions of other packets crossing the same undersea cables and internet exchanges that Iran could not physically sever without also severing its own government’s connectivity.

The Canadian tool outperformed the twenty-billion-dollar satellite constellation not because it was more technologically advanced, but because it was architecturally invisible. It turned the diaspora’s greatest asset — its geographic dispersion across dozens of countries — into a technical advantage the regime could not overcome.


The Sneakernet

Conduit was not the only non-satellite method for moving information. In the border provinces, activists used the oldest data-transfer protocol in human history: physical movement.

In Kurdistan, where the Zagros Mountains create a porous border with Iraqi Kurdistan, activists hiked to elevations where their phones could capture cellular signals from Iraqi towers. They recorded what they saw. They saved the files on SD cards. Then they descended and handed the cards to kolbar couriers — the cross-border porters who have carried goods on their backs between Iran and Iraq for generations, navigating mountain paths that no vehicle can reach and no drone can easily surveil.

The kolbars hid memory cards in vehicle linings, in hollowed-out books, in the seams of clothing. The footage was delayed by days — sometimes a week — before it reached Kurdish media outlets, diaspora verification networks, or international journalists. But it arrived in high resolution, with GPS metadata baked into the image files, with timestamps that could be cross-referenced against satellite imagery of the same locations on the same dates.

In Sistan-Baluchistan, the pattern was similar. Activists traveled to Pakistan’s border zone to upload footage via Pakistani cellular networks. In the northwest, Turkish towers served the same function for Azerbaijani-speaking Iranians.

The sneakernet was slow. It was dangerous — kolbars are routinely shot by border guards even in peacetime. But it was unjammable. Kalinka cannot intercept an SD card in a porter’s backpack. Deep packet inspection cannot filter a USB drive hidden in a truck’s wheel well. The regime had built its censorship apparatus for the digital age. The resistance responded with methods from the pre-digital one.


The Evidence Chain

Raw footage is not evidence. A video of gunfire without context, geolocation, and authentication is deniable. The regime’s standard response to atrocity footage — “fabrication by Western intelligence agencies” — works when the provenance of the material is uncertain.

The diaspora had built the infrastructure to close that gap.

1500tasvir — named for the approximately 1,500 people killed during the November 2019 blackout — operated as the revolution’s primary evidence chain.[3] A distributed network of diaspora activists received raw footage through encrypted channels. They cross-referenced geolocation data embedded in image metadata against satellite imagery and known protest sites. They verified timestamps against the blackout timeline. They authenticated the identity of victims by matching footage against social media profiles, family confirmations, and independent witness accounts. Only then was the material published — with a forensic confidence level that international human rights organizations and journalists could cite.
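The two metadata checks described above, location against known sites and capture time against the blackout timeline, as an added example (it is not 1500tasvir's tooling or code from any project named in this article). The site coordinates, the window's end date, the record field names and the sample clips are all constructed for illustration.

```python
# Added illustration: consistency checks on footage metadata.
# Sites, window end, field names and sample records are constructed values.
from datetime import datetime, timezone, timedelta
from math import radians, sin, cos, asin, sqrt

TEHRAN = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time

# Window start follows the article (7:48 PM Tehran, January 8); the end is assumed.
WINDOW_START = datetime(2026, 1, 8, 19, 48, tzinfo=TEHRAN)
WINDOW_END = datetime(2026, 1, 20, 19, 48, tzinfo=TEHRAN)

# Constructed placeholder list of known sites: name -> (lat, lon).
KNOWN_SITES = {"site-A": (35.7000, 51.4000), "site-B": (35.3100, 46.9900)}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def review(record, max_km=2.0):
    """Return reasons a clip needs manual follow-up; an empty list means consistent."""
    issues = []
    gps, taken = record.get("gps"), record.get("taken_utc")
    if gps is None:
        issues.append("no GPS metadata")
    else:
        name, dist = min(((n, haversine_km(gps, p)) for n, p in KNOWN_SITES.items()),
                         key=lambda pair: pair[1])
        if dist > max_km:
            issues.append(f"{dist:.1f} km from nearest known site ({name})")
    if taken is None:
        issues.append("no capture timestamp")
    else:
        # GPS time in image metadata is UTC; compare timezone-aware values only.
        t = datetime.fromisoformat(taken).replace(tzinfo=timezone.utc)
        if not (WINDOW_START <= t <= WINDOW_END):
            issues.append("timestamp outside the window")
    return issues

SAMPLES = [  # constructed records
    {"id": "clip-1", "gps": (35.7010, 51.4010), "taken_utc": "2026-01-08T16:30:00"},
    {"id": "clip-2", "gps": (35.9000, 51.4000), "taken_utc": "2026-01-08T16:00:00"},
    {"id": "clip-3", "gps": None, "taken_utc": "2026-01-10T10:00:00"},
]

if __name__ == "__main__":
    for clip in SAMPLES:
        print(clip["id"], review(clip) or "consistent")
```

clip-1 is stamped 16:30 UTC, which is 20:00 in Tehran and therefore inside the window; comparing the raw UTC clock time against the local 19:48 start would wrongly reject it.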

The Abdorrahman Boroumand Center performed a complementary function. Where 1500tasvir operated in near-real-time, the ABC worked on a longer timeline — building the Omid Memorial database: individual case files for every documented political prisoner, execution, and disappearance since 1979. The January 2026 dossiers were compiled in real time for eventual use in international prosecution. Every name, every date, every photograph — a pre-built evidentiary archive modeled on the Commission for International Justice and Accountability that documented war crimes in Syria.

The Human Rights Activists News Agency (HRANA) applied the most conservative methodology: counting only deaths where full biographical verification was possible.[4]

The Forensic Record

HRANA confirmed identities: 6,634+ (mid-February) — the forensic floor

Leaked IRGC internal documents: 12,000 (January 11 report to SNSC)

Interior Ministry update: 36,500+ (January 24)

Doctors’ clinical tally: 30,304 in civilian hospitals alone

Together, these networks transformed a trickle of smuggled footage into a body of evidence that the regime could not dismiss as fabrication. The Psiphon nodes provided the bandwidth. The kolbars provided the physical transport. The verification networks provided the forensic rigor. The chain held.


The Honest Ledger

The Psiphon army was real, and its contribution was decisive for documentation. But it should not be romanticized into a story of technology saving the day.

Four hundred thousand Conduit nodes created narrow, intermittent tunnels — high-value channels for the most urgent communications, not a replacement internet for ninety million people.[5] A mother in Tehran could not video-call her daughter in Toronto. A doctor could not upload a complete surgical record. What got through was selective — the most determined users with the most urgent files found paths. The vast majority of Iranians experienced the blackout as absolute.

The sneakernet was heroic but slow. Evidence that arrived a week late documented what had already happened. It built the evidentiary record that outlasts the killers.

And the entire diaspora information infrastructure depended on platforms and institutions the diaspora did not control. Psiphon’s servers could be targeted. Social media platforms could change their policies. Satellite TV frequencies could be jammed with sufficient investment. The architecture of resistance is fragile in ways the architecture of repression is not.

What the Psiphon army proved is narrower and more important than technological salvation. It proved that when a state deploys military-grade electronic warfare to silence its own population, the most effective countermeasure is not a better satellite or a faster VPN. It is human solidarity — distributed, voluntary, and operating on a principle the regime’s engineers never modeled: that four hundred thousand people would donate their bandwidth to strangers they could not see, for a cause whose outcome they could not predict, because they believed that silence was complicity.



This article is part of The Digital Siege. For the authoritarian technology supply chain, see The Splinternet. For the regime’s war against diaspora media, see The Assassination Bureau.

Footnotes

  1. Iran International, “Volunteers Abroad Deploy Tech to Pierce Iran’s Internet Iron Curtain,” January 24, 2026

  2. United24 Media, “Iran Reportedly Tested Russian Electronic Warfare Against Starlink During Mass Protests,” January 2026; IranWire, “Why There’s No Starlink Access During Nationwide Shutdown in Iran?,” January 2026

  3. Iran International, “More Evidence of Mass Killings Surfaces Despite Iran Internet Blackout,” January 21, 2026

  4. Wikipedia, “2026 Iran Massacres,” accessed February 2026; Iran HRM Monthly Report, January 2026

  5. Iran International, “Volunteers Abroad Deploy Tech to Pierce Iran’s Internet Iron Curtain,” January 24, 2026; Chatham House, “Iran’s Internet Shutdown Signals a New Stage of Digital Isolation,” January 2026