A cyberattack has disrupted shared communications used by Bank Melli Iran, Bank Tejarat, Bank Saderat Iran, and Export Development Bank of Iran.
The disruption, reported in June 2026, affected a communications platform shared by the four institutions, which together account for a significant share of banking transactions in the country. According to Iran's Banking Coordination Council, technical teams identified unusual activity within the shared network and activated emergency response measures, isolating the affected systems to prevent further spread.
According to Reuters, the Council stated that no unauthorised access to customer accounts or banking databases has been identified, and that no information appears to have been deleted or altered during the incident. Customers nonetheless experienced temporary interruptions to digital banking services, payment processing, and certain online transactions while the banks worked to restore normal operations.
Shared infrastructure as a single point of failure
The incident illustrates how an attack on shared technology infrastructure can affect several institutions simultaneously, even when each bank's core systems remain intact. Banking networks increasingly rely on interconnected platforms to exchange information between institutions, a design that improves operational efficiency but can also concentrate risk. A breach or disruption at the shared layer can cascade across multiple organisations without necessarily compromising customer data held within individual banks.
Cybersecurity commentators note that such attacks are not always motivated by financial gain; in several cases, threat actors aim to undermine confidence in financial institutions, interrupt economic activity, or demonstrate technical capability rather than extract funds or data.
Furthermore, modern cyber threats extend well beyond traditional attempts to steal information, with organised groups increasingly targeting interconnected networks, cloud-based infrastructure, and shared digital ecosystems to maximise disruption. The commentators also point out that detailed log analysis, network forensics, and real-time threat intelligence are central to identifying how an attack moved through a network and to limiting its impact.
Iranian authorities have not publicly attributed the attack to any individual or group. Investigators are conducting a forensic examination of the affected systems to establish how the intrusion occurred, which techniques were used, and the full extent of the disruption, while technical teams continue restoring services and reinforcing defences against potential follow-up attacks. The outcome of that investigation is expected to indicate whether the incident was an isolated event or part of a wider campaign targeting financial networks in the region. Sector observers also point to layered security architecture, continuous monitoring, and segmentation between communication networks and core banking systems as measures that reduce the risk of customer data exposure during similar incidents.