Inside the Walled Garden: Understanding Iran's Banking System After the June 2026 Cyberattack

The attack on four Iranian banks raises a deeper question: how does a financial system cut off from the global network actually function — and who regulates it?

June 16, 2026


On the evening of Saturday, June 13, 2026, the Coordination Council of Iranian Banks confirmed what customers of four of the country's largest institutions had already discovered for themselves: their banks had been hit. Mobile banking apps were down. Internet banking had failed. ATMs were offline. POS terminals were unresponsive. The four affected institutions — Bank Melli, Bank Tejarat, Bank Saderat, and the Export Development Bank of Iran — collectively serve tens of millions of Iranians and represent a substantial portion of the country's state-owned banking backbone.

Officials confirmed a "limited cyberattack" and insisted that no customer data had been leaked and that technical experts had systems under control. The Secretary of the Coordination Council of Banks, Alireza Gheytasi, told state broadcaster IRIB that operations to secure and restore systems were underway. No perpetrator was named.

The incident was not the first of its kind. Iranian banks have been targeted repeatedly in recent years, with previous breaches resulting in customer data appearing on the dark web or being offered for sale in criminal marketplaces.

But to understand why this attack matters — and why Iran's banking system is uniquely vulnerable to both cyberattacks and financial disruption — you need to understand what that system actually is: an almost entirely domestically enclosed financial ecosystem, operating in near-total isolation from the global banking infrastructure that the rest of the world takes for granted.


The Structure of the Iranian Banking System

The Central Bank: Bank Markazi

The apex of Iran's financial architecture is the Central Bank of the Islamic Republic of Iran, known in Persian as Bank Markazi. Established in 1960 when it was separated from Bank Melli Iran, which had served as a de facto central bank since 1928, Bank Markazi performs the functions familiar from any central banking institution: setting monetary policy, managing foreign exchange reserves, supervising the banking sector, and acting as lender of last resort.

Under the Monetary and Banking Act of Iran (MBAI), the CBI's formal objectives include maintaining the value of the national currency (the Iranian rial, and since 2019 officially the toman), maintaining equilibrium in the balance of payments, facilitating trade-related financial transactions, and supporting economic growth. In practice, the CBI operates under significant political pressure from the executive branch, and its independence is substantially more constrained than that of central banks in advanced economies.

All Iranian banks — state-owned and private — operate under licences issued and supervised by the CBI. The CBI sets reserve requirements, capital adequacy ratios, and the framework for Islamic banking compliance. This last point is important: Iranian banking operates under Islamic finance principles (Sharia-compliant banking), which means conventional interest-bearing loans and deposits are formally prohibited. Instead, banks use structures such as murabaha (cost-plus financing), musharakah (profit-sharing), and ijara (leasing) to achieve economically equivalent outcomes without nominally charging interest.

The State-Owned Banking Backbone

The four banks targeted in June 2026 are among Iran's most systemically important institutions:

Bank Melli Iran (National Bank of Iran), founded in 1928, is the largest bank in Iran and was historically the largest bank in the Islamic world. It served as Iran's central bank until 1960, after which it became a purely commercial institution. With a network of over 3,300 branches, Bank Melli is the closest thing Iran has to a universal retail bank, handling savings, loans, trade finance, and payment services for millions of customers and many government entities.

Bank Tejarat (Commerce Bank), formed in 1979 through the merger of eleven private, foreign, and multinational banks following the Islamic Revolution and the nationalisation of the banking sector, handles commercial and retail banking. It was partially privatised in 2009, with the Iranian state retaining a minority shareholding. Tejarat Bank operates a subsidiary, Persia International Bank, that has historically been used to manage limited international financial relationships.

Bank Saderat Iran (Export Bank of Iran), founded in 1952, is among Iran's oldest commercial banks and has historically operated the most internationally extended network of any Iranian bank, with approximately 3,500 offices across 12 countries and territories in Europe, the Middle East, and Asia. It has around 10 million customers. Bank Saderat's international reach has made it a particular target of US and EU sanctions designations.

Export Development Bank of Iran (EDBI), established in 1991, was specifically created to address the shortage of reliable financial services for export and import transactions — a role that has become increasingly complex under decades of sanctions pressure.


SWIFT: The Wall Iran Hit in 2012 — and Has Never Fully Crossed Since

What SWIFT Is — and Why It Matters

SWIFT (the Society for Worldwide Interbank Financial Telecommunication) is a Belgian cooperative that operates the dominant global financial messaging network. It does not move money itself; it sends the standardised instructions between institutions that tell them to move money. As of 2022, SWIFT connected over 11,500 institutions in more than 200 countries and handled approximately 44 million messages per day. Without access to SWIFT, a bank cannot reliably send or receive international wire transfers through the global correspondent banking system.

Iran's SWIFT History: Disconnection, Reconnection, Disconnection

Iran's relationship with SWIFT is the central story of its financial isolation.

In March 2012, pursuant to EU sanctions targeting Iran's nuclear programme, SWIFT disconnected approximately 30 Iranian banks — including the Central Bank — from its messaging network. This was described at the time by SWIFT's own CEO as "an extraordinary and unprecedented step." It was the first time a nation's banking system had been collectively excluded from SWIFT, and it had immediate, severe consequences: Iranian businesses found it nearly impossible to conduct international trade, settle foreign-currency obligations, or receive payment for oil exports through normal channels.

Following the 2015 JCPOA nuclear deal (the Joint Comprehensive Plan of Action), EU sanctions were lifted and Iranian banks were reconnected to SWIFT. The economic relief was substantial but incomplete — US unilateral sanctions remained on many institutions, limiting the practical benefit of SWIFT reconnection for dollar-denominated transactions.

In November 2018, following President Trump's withdrawal from the JCPOA, the US Treasury warned SWIFT that it would face sanctions itself if it did not disconnect the Central Bank of Iran and all other re-designated Iranian banks by November 4. SWIFT complied, disconnecting the CBI and the major sanctioned Iranian institutions again. The financial isolation reimposed in 2018 has remained in place since.

As of 2026, all four banks targeted in the June cyberattack — Bank Melli, Bank Tejarat, Bank Saderat, and the Export Development Bank of Iran — are either SWIFT-disconnected or subject to severe restrictions that make any meaningful SWIFT-based international transaction functionally impossible. These banks operate in an international financial vacuum, dependent on workarounds and alternative channels for any cross-border transactions.


IBAN and SHEBA: Iran's Domestic Account Numbering System

What IBAN Is

IBAN (International Bank Account Number) is the international standard under ISO 13616 for uniquely identifying bank accounts to facilitate cross-border transactions. Every participating country's IBAN begins with a two-letter country code, followed by two check digits, and then a country-specific account number. The UK format is 22 characters; Germany uses 22; France uses 27.

Iran's SHEBA System

Iran adopted its own version of this standard, called SHEBA (an acronym in Persian for the Iranian Bank Account Identifier). Since January 1, 2007, the Central Bank of Iran has made the use of SHEBA mandatory for foreign exchange transfers and interbank transactions within Iran.

An Iranian SHEBA number starts with IR (Iran's ISO country code) followed by 24 digits — two check digits and then 22 digits encoding the bank identifier and individual account number — for a total of 26 characters. The check-digit algorithm is identical to the international IBAN standard, meaning the format is technically compatible with international systems.

However, the practical significance of this compatibility is severely limited. While Iran's SHEBA numbers follow the global IBAN format and could theoretically be used in international transactions, the underlying banks are disconnected from SWIFT and subject to sanctions designations that make foreign financial institutions unwilling to process transactions involving Iranian accounts regardless of their technical format. SHEBA functions effectively as a domestic interbank account identifier, used primarily for transactions within Iran's own banking system.
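The SHEBA layout and check-digit rule described above, as an added Python example (not code from the Central Bank of Iran or any bank): it validates the 26-character structure and the ISO 13616 mod-97 check digits, and rejects non-canonical check digits and non-ASCII digits. The account digits are constructed and the function names are this example's own.

```python
import re

# SHEBA layout as described above: "IR" + 2 check digits + 22 digits = 26 chars.
# [0-9] rather than \d: in Python 3, \d (and int()) also accept Persian and
# Arabic-Indic digits, which would let one account appear under several encodings.
SHEBA_RE = re.compile(r"IR([0-9]{2})([0-9]{22})")


def _mod97(s: str) -> int:
    """ISO 7064 MOD 97-10 over the IBAN alphabet (A=10 ... Z=35)."""
    return int("".join(str(int(c, 36)) for c in s)) % 97


def normalize(raw: str) -> str:
    """Drop the spaces/hyphens used for display grouping and upper-case."""
    return re.sub(r"[\s-]", "", raw).upper()


def sheba_check_digits(bban: str) -> str:
    """Compute the two check digits for a 22-digit account part."""
    if not re.fullmatch(r"[0-9]{22}", bban):
        raise ValueError("account part must be exactly 22 ASCII digits")
    return f"{98 - _mod97(bban + 'IR00'):02d}"


def validate_sheba(raw: str) -> str:
    """Return 'ok', or the name of the first check that failed."""
    s = normalize(raw)
    m = SHEBA_RE.fullmatch(s)
    if m is None:
        return "format"
    # 00, 01 and 99 are congruent to 97, 98 and 02 modulo 97, so they would
    # pass the remainder test; only 02..98 are ever generated.
    if not 2 <= int(m.group(1)) <= 98:
        return "check-digits-range"
    # Move "IRkk" to the end; a valid number leaves remainder 1.
    if _mod97(s[4:] + s[:4]) != 1:
        return "checksum"
    return "ok"


if __name__ == "__main__":
    bban = "0123456789012345678901"  # constructed, not a real account
    sheba = "IR" + sheba_check_digits(bban) + bban
    print(sheba, validate_sheba(sheba))
    print(validate_sheba(sheba[:-1] + "0"))  # last digit changed
```

A passing checksum only shows the number was not mistyped; it says nothing about whether the account exists or who holds it.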


Iran's Domestic Payment Infrastructure: Shetab and SEPAM

Excluded from global payment networks, Iran built its own.

Shetab

Shetab (Persian: شتاب, meaning "Acceleration") is Iran's domestic electronic banking clearance and automated payment system, introduced in 2002 by the Central Bank. Before Shetab, Iranian bank cards would only work on ATMs and POS terminals belonging to the card-issuing bank. Shetab created a unified interoperability layer so that any Iranian bank card can be used at any Iranian bank's ATM or POS terminal — the same function that Visa and Mastercard networks perform internationally, but operating entirely within Iran's borders.

Shetab now connects all 26 Iranian banks and supports a network of approximately 57,000 ATMs. When the June 2026 cyberattack knocked out ATMs and POS terminals at four banks simultaneously, it was this Shetab-connected infrastructure that went offline.

Iran has extended limited Shetab connectivity to neighbouring countries including Armenia and Turkey, and briefly established connections to ATM networks in Bahrain, Qatar, the UAE, and Kuwait, though the international reach of this system remains extremely limited compared to global card networks.

In July 2024, Shetab was linked to Russia's Mir payment system — a significant development reflecting the deepening financial relationship between two countries both subject to Western sanctions. This linkage allows Iranian cardholders to withdraw rubles from Russian ATMs, and in later phases will enable purchases at Russian retail points of sale.

SEPAM

SEPAM is Iran's domestic interbank financial messaging system — its internal equivalent of SWIFT. In February 2023, SEPAM was connected to SPFS, Russia's equivalent domestic messaging system, creating a direct Iran-Russia interbank communication channel outside the SWIFT network. Russia's VTB Bank and Sberbank joined this link, and VTB opened a dedicated office in Tehran in May 2023 to serve as an agent bank for bilateral transactions.

Iran also developed the CIMS (Currency Information Management System) under its RUNC exchange, which the Central Bank of Iran has authorised for use outside Iran to facilitate foreign financial transactions and connections with non-sanctioned correspondent banks — particularly in China, where Bank of Kunlun has been used to maintain a financial relationship despite its own US sanctions designation.


Regulatory Framework: Who Governs Iranian Banks?

Domestic Regulation

Iran's banking sector is governed by:

  • The Monetary and Banking Act of Iran (MBAI), the foundational legislation establishing the CBI's authority and the framework for banking operations.
  • The Usury-Free Banking Act of 1983, which codified Islamic finance principles across all Iranian banking operations following the 1979 Revolution.
  • CBI regulations and circulars, which set capital adequacy requirements, reserve ratios, reporting standards, and supervisory frameworks.
  • The Money and Exchange Act, governing currency transactions and foreign exchange operations.

The Money and Credit Council, chaired by the CBI Governor and including government ministers, is the primary policy-setting body for monetary and banking regulation.

International Regulatory Relationships: The FATF Problem

In the international regulatory framework, Iran's position is defined by its placement on the Financial Action Task Force (FATF) blacklist — formally the "High-Risk Jurisdictions Subject to a Call for Action."

The FATF is the Paris-based intergovernmental body that sets global standards for anti-money laundering (AML) and counter-terrorism financing (CTF). Being on the FATF blacklist obliges all FATF member countries to apply enhanced due diligence and countermeasures to transactions involving Iranian institutions. As of February 2025, the FATF blacklist contains only three countries: Iran, Myanmar, and North Korea.

In October 2025, the FATF reaffirmed Iran's blacklisted status, finding that despite Iran's re-engagement and its conditional ratification of the Palermo Convention (UN Convention against Transnational Organised Crime) in 2025, Iran "has failed to address the majority of its action plan since 2016" — when it first committed to reforming its financial system. The FATF specifically found that Iran's domestic compliance with Palermo was "not in line with the FATF standards" and that reservations it attached to the convention were "overly broad" — widely understood as a legal loophole preserving Iran's ability to fund designated terrorist organisations.

The practical consequence is that no FATF-compliant financial institution — in the EU, UK, US, or the 40+ other FATF member jurisdictions — can maintain normal banking relationships with Iranian banks without risking regulatory action in their home jurisdictions. This creates a global structural barrier to Iranian banking integration that is entirely separate from, and compounds, the SWIFT disconnection and bilateral sanctions.

US Sanctions: OFAC and the Maximum Pressure Architecture

The United States Treasury's Office of Foreign Assets Control (OFAC) maintains the most extensive sanctions architecture targeting Iran. All four banks affected by the June 2026 cyberattack have been designated under various executive orders and statutory authorities, making any transaction by a US person — or any foreign institution with US dollar clearing relationships — involving these banks a potential sanctions violation.

Since February 2025, OFAC has designated approximately 1,000 Iran-related persons, vessels, and aircraft as part of what the Treasury Department has called "Economic Fury" — a campaign targeting Iran's shadow banking architecture. In April 2026, the Treasury designated 35 additional entities and individuals overseeing what it described as networks facilitating the movement of tens of billions of dollars tied to sanctions evasion, IRGC financing, and funding for proxy groups.

EU Sanctions

The EU maintains its own separate sanctions regime against Iran, administered under EU Council Regulations. It was an EU regulation — specifically the prohibition on providing specialised financial messaging services to EU-sanctioned Iranian banks — that compelled SWIFT to disconnect Iranian banks in 2012 and again effectively in 2018 (with the US providing the additional pressure in the later episode). EU sanctions target many of the same institutions as US sanctions but are governed by Belgian law through SWIFT's incorporation structure.


What Iran Uses Instead: Shadow Banking and Bilateral Channels

Excluded from SWIFT, blacklisted by FATF, and sanctioned by the US, EU, and others, Iran has developed an extensive parallel financial architecture to sustain cross-border transactions:

Exchange houses (sarrafis) operating in Dubai, Istanbul, Oman, Malaysia, and elsewhere act as intermediaries, moving value between Iran and foreign counterparties through informal networks.

Hawala-style transfers, where an Iranian importer pays rials to a domestic broker and a counterpart abroad pays the foreign supplier from a separate pool of foreign currency, allow trade settlement without formal bank-to-bank transfers.

Front companies and intermediary firms invoice and settle trades on behalf of Iranian clients, disguising the ultimate Iranian party in the transaction.

China remains Iran's most significant official financial partner. Bank of Kunlun, despite its own US designation, has maintained a financial relationship with Iran, providing a channel for the settlement of Iranian oil exports to China in renminbi. Iran's CIMS system was specifically designed to connect to Bank of Kunlun.

Russia has become a second significant partner since 2022, with the SEPAM-SPFS interbank messaging connection, the Shetab-Mir card linkage, and the opening of VTB Bank's Tehran office creating the most extensive formal bilateral banking infrastructure Iran has maintained with any external partner since 2018.

In October 2025, the US Treasury's Financial Crimes Enforcement Network identified $9 billion of potential Iranian shadow banking activity in 2024 alone, based on reporting from US financial institutions — a figure that almost certainly represents a fraction of the actual flows.


The Cyberattack in Context

The June 13 attack on Bank Melli, Bank Tejarat, Bank Saderat, and the Export Development Bank of Iran occurred against this backdrop of structural isolation. Because these banks are disconnected from international systems, the attack's primary impact was domestic: Iranian citizens were unable to access their accounts, use ATMs, or make payments at retail points of sale.

In a banking system connected to global networks, such an incident would also trigger international alerts, activate correspondent banking contingency protocols, and potentially engage SWIFT's own security infrastructure. For Iran's banks, cut off from all of that, the incident was purely a domestic emergency, managed through the CBI's oversight, the Coordination Council of Banks, and the technical staff of the affected institutions.

The fact that no perpetrator was identified — and that the official account characterised the attack as "limited" while external observers noted the simultaneous disruption of ATMs, mobile banking, internet banking, and POS terminals across four major institutions — is consistent with the pattern of Iranian banking sector incidents over recent years. The combination of a large domestic attack surface, systemic underinvestment in cybersecurity relative to the sophistication of adversaries, and the political sensitivity of any acknowledgment of infrastructure weakness creates a predictable gap between what happened and what is officially acknowledged.

What is clear is that Iran's banking system, forced by decades of sanctions into building its own enclosed infrastructure, carries the vulnerabilities of that isolation as surely as it carries its independence from external financial systems. The walls that keep sanctions out also keep global cybersecurity standards, threat intelligence sharing, and international incident response out. In June 2026, that trade-off was on display for every Iranian who walked up to an offline ATM.


Sources: SWIFT, US Treasury OFAC, FATF, Central Bank of Iran, Valdai Club, Australian Department of Foreign Affairs and Trade, Wikipedia (Shetab, SHEBA, Bank Melli, Bank Saderat, Bank Tejarat), Iran International, JCFA, Global Banking & Finance