Search
Choose a style
Dark
Light
Time to read: 7 min

How payments are collapsing – and adapting – in wartime Iran

How payments are shifting in wartime Iran
Image credit: Mehaniq/Shutterstock

Recently, Iran has released a 10m rial bank note, a reflection of rising inflation and a war time reliance on cash when payments infrastructure comes under fire

When Iran’s central bank introduced a 10m rial ($7.60) banknote in late March 2026, it framed the move as ensuring public access to cash. In reality, it reflects a far more acute problem.

A state-imposed internet blackout has reduced connectivity to roughly 1% of normal levels across the nation; mobile banking apps at the country’s two largest banks have gone offline; and a combination of missile strikes and cyberattacks has crippled Bank Sepah‘s infrastructure. For millions of Iranians, cash is the only option left.

The new denomination, now the highest in circulation, joins a currency in structural freefall. Annual inflation stood at 47.5% in the month ending 19 February 2026, while food and drink inflation had surged above 105% following the government’s elimination of subsidised foreign currency for essential imports.

The banknote issue is less a monetary policy decision than a triage measure – but as one former US Treasury official has noted, it may not even be sufficient. 

As of January 2026, banks were already running out of physical banknotes daily, with informal withdrawal caps of $18–$30 per day and cash in circulation surging 49% year-on-year due to panic hoarding – leaving the regime simply unable to pivot to cash payments because there is not enough physical currency in the system.

Speaking to Payment Expert, Adam Irwin, Managing Partner of Strategic Insights at Heligan Group, says: “Iran issued its highest-denomination banknote in history – worth approximately £5.70 – because Iranians were queuing at ATMs running dry after digital channels collapsed under strikes, cyberattacks and state-imposed blackouts simultaneously.” 

He adds the harder question – absent from any regulatory framework he has seen seriously addressed – is how many days of genuine cash fallback capacity any Western economy actually holds.

“Nobody knows. That ignorance is the vulnerability.” – Adam Irwin

A system built in response to sanctions, not for war

This system was already unlike most others in the world. Fifty years of sanctions forced Iran to develop its own isolated financial infrastructure, with Visa, Mastercard and American Express legally barred from operating in the country, and the SWIFT network absent from Iranian banking entirely. 

In their place, Iran built Shetab – its own domestic interbank network – alongside mobile payment platforms and an intranet designed to keep transactions running even when international connectivity was severed.

Philip Nichols, Professor of Legal Studies & Business Ethics at Wharton, cautions against overstating what this architecture was designed to do. “The Shetab/Shaparak systems were not built to be sanctions-proof – they were built to provide Iranian people and business firms with the same conveniences enjoyed in other countries, even though Iranian financial institutions were denied access to SWIFT,” he tells Payment Expert.

The systems were created because of sanctions, not as proof against them. They interact with Russia’s Mir payment system, but beyond that, remain largely isolated from global infrastructure.

This design assumption has now been tested to breaking point due to the government’s deliberate cut to internet connectivity. Unlike previous Iranian internet shutdowns, where essential services like banking and local apps were able to function, this is no longer the case.

Jacob Rider, UK Payments Lead at Projective Group, tells Payment Expert that “alternative domestic rails like Shetab were designed to withstand external disconnection, but they proved vulnerable when disruptions originated internally – such as state-imposed internet shutdowns and cyber intrusions.”

“This is an example of why operational-resilience plans need to include scenarios where the state itself becomes a source of systemic disruption,” he says.

Adam Irwin, Heligan Group (left), Philip M Nichols, The Wharton School (centre), Jacob Rider, Projective Group ((right) Image credit: LinkedIn))

Bank Sepah and the limits of resilience planning

The damage to Bank Sepah – one of Iran’s largest state-owned banks and the institution responsible for processing military salaries – illustrates how the crisis has multiple, overlapping causes rather than a single point of failure. 

A missile struck the bank’s digital security centre on Haghani Street in Tehran while it was processing salary payments for military personnel, leaving online banking unavailable and customers limited to card-based services.

But IranWire reported that the wider outages across the banking network had begun before the missile strike, and that a single branch hit would not normally bring down an entire network. A separate malware intrusion into Sepah’s systems prevented successful data backup restoration, prolonging the outage.

For Bank Sepah customers, ATMs malfunctioned across many areas, POS terminals failed, and in some branches staff told customers that deposits and withdrawals were entirely impossible – with one Sepah employee confirming he could not access his own salary.

The result has been a pronounced regression toward cash. Iranians queued at ATMs for hours, only to find many had run out of notes. 

One 80-year-old Tehran resident told the Financial Times she waited an hour to withdraw a single 10 million rial note at a bank branch – enough to sustain her for a few days if digital payments stopped working entirely. “I’ve visited ten ATMs today,” another man in Tehran told Iran International. “None had any cash.”

The economic toll of the connectivity collapse is substantial. Iran’s ICT minister estimated the economy was losing at least 50 trillion rials – around $33m – per day during the January blackout, while acknowledging the true figure was likely considerably higher.

Irwin argues that most Western resilience frameworks model two threat sources: external adversaries and internal failures – leaving a third category almost entirely unaddressed. 

“A regulator isolating a clearing house network during a live ransomware attack produces the same downstream collapse as a politically-motivated shutdown – just with better press coverage,” he says. 

Irwin argues if continuity planning doesn’t distinguish between adversary action, state self-disruption and defensive kill-switch collateral damage, then “it isn’t a resilience document. It’s crisis communications preparation with a fancy binding.”

Nichols adds the Iran case is a stark reminder of how dependent sophisticated digital payment systems are on physical infrastructure –  more so, he argues, than cash. He notes if a hostile nation attacked an advanced cashless economy and destroyed its digital infrastructure, the consequences would be severe in ways that are easy to underestimate in peacetime.

Contagion beyond Iran’s borders

Beyond Iran’s borders, the conflict has activated a wider payments threat. Iranian drone strikes on AWS data centres in the UAE took facilities offline and triggered outages at payments companies including Alaan and Hubpay, as well as banking providers ADCB and Emirates NBD

Pro-Iranian “hacktivist” groups targeting banks in the UAE. Image credit: Aleksandar Malivuk/ Shutterstock

Pro-Iranian “hacktivist”’ groups have claimed attacks on the websites of Riyadh Bank and the Bank of Jordan, while the Cyber Islamic Resistance claimed to have compromised Israeli payment infrastructure.

Irwin says these cyber attacks highlight the shortcomings of robust cyber defences at neighbouring financial institutions. The strikes took down multiple payments firms and banking providers in a single operational sequence. 

“Multi-AZ redundancy had no answer for it,” he says, “it was never designed to. The architecture assumes component failure. It doesn’t assume a military actor with a target list.”

Rider agrees that the contagion effects demonstrate geopolitical cyber risk is now inherently cross-border, and that third-party and concentration-risk assessments must be updated to reflect it. 

Nichols, meanwhile, sees a longer-term lesson in the vulnerabilities exposed by systems built under isolation. “The more sophisticated a payment system becomes, the more vulnerable it becomes,” he says, adding systems developed in places like Laos or Kyrgyzstan – built around far more challenging infrastructure assumptions – may offer underappreciated insights into resilience.

For a society which has made recent advances in digital payments adoption, driven in part by the financial infrastructure sanctions placed upon it, the war highlights the fragility of digital payment systems at large when placed under military threat. 

Without war, Iranians would not have been forced to queue for banknotes at branches which scarcely have any in stock. 

Subscribe to our newsletter