The target receives dozens or hundreds of legitimate OTP messages from different Iranian companies simultaneously, effectively "bombing" their notifications. Popular Technologies Used
: A comprehensive analysis (February 2024) detailing how Iran leverages low-cost tools for asymmetric warfare, including disruption and information operations.
The ecosystem extends beyond these primary examples. Several other projects contribute to the threat landscape:
: These scripts utilize the public APIs of popular Iranian services (e.g., Digikala, Snapp, Tapsi, Divar, Shad, and various banking apps ) that send OTP (One-Time Password) codes for login or registration.
: Features a community-driven approach with active GitHub Discussions and Actions for testing. Last Updated : February 2024 (stable version still widely referenced). Key Technical Trends iran-bomber · GitHub Topics sms bomber github iran
GitHub’s terms of service prohibit hosting malware or tools explicitly meant for malicious harm. However, many developers label their SMS bombers as "penetration testing tools" or "educational projects" designed to help companies test their API rate-limiting defenses. This theoretical dual-use categorization often delays repository takedowns. The Specific Context of Iran
– Many Iranian websites lack robust CAPTCHA systems or dynamic rate limiting, making them easy targets for automated SMS flooding.
The scripts send automated HTTP requests to Iranian digital platforms (e.g., Digikala, Snapp, Tapsei, or local banks).
: Most are command-line tools that provide real-time feedback on which APIs successfully sent a message. Risks and Ethical Considerations The target receives dozens or hundreds of legitimate
While often dismissed by youth or casual internet users as harmless pranks, deploying an SMS bomber carries severe legal and ethical penalties.
CRIL’s investigation identified sustained development activity surrounding SMS, OTP (One-Time Password), and voice-bombing campaigns, with evidence of technical evolution observed through late 2025 and continuing into 2026.
While many repositories claim these tools are for “educational purposes” or “penetration testing,” the reality is that SMS bombing constitutes harassment, violates telecommunications terms of service, and is illegal in most jurisdictions.
Developers write Python or Bash scripts that automatically cycle through dozens of these public APIs. Several other projects contribute to the threat landscape:
Developers globally fork, update, and improve bomber scripts. If a specific website fixes its API vulnerability, another developer quickly replaces it with a new target endpoint.
In Iran, unauthorized access to telecommunications infrastructure and electronic harassment are punishable under the Computer Crimes Law.
The financial impact of these attacks is also significant, with estimates suggesting organizations face costs of , factoring in the expenses from API calls, infrastructure strain, and potential service disruptions.
Add a description, image, and links to the iran-sms-bomber topic page so that developers can more easily learn about it. iran-bomber · GitHub Topics
Several repositories on GitHub focus specifically on Iranian service APIs to bypass local rate limits: