If you want to explore how to protect your own platforms from these types of API exploits, let me know:
Restrict a single phone number from requesting more than one OTP every 60 to 120 seconds.
Several repositories on GitHub focus specifically on Iranian service APIs to bypass local rate limits: sms bomber github iran
He deleted the repo from his local machine. Then he opened a burner email and wrote a short, carefully worded report in English to GitHub’s Trust & Safety team: “Repo [redacted] contains hidden exfiltration code targeting Iranian users. This is not a prank. It is a trap.”
Are you researching regarding digital harassment? Share public link If you want to explore how to protect
The search results loaded. A sea of Persian and English repositories. SMS-Bomb-V2 , Iran-SMS-Tool , Bomber-Gateway . Most had been taken down by GitHub, but mirrors existed—hidden in plain sight under innocuous names like Telegram-forwarder or Proxy-list-iran .
Amir froze. This wasn’t just a prank tool. It was a honeypot. Or worse, a weapon being passed from hand to hand. Every Iranian activist who ran this “bomber” was also leaking their own IP address, their own phone number, their exact timestamp of dissent to a third party. Who was collecting that data? The government? A rival faction? A foreign intelligence service? This is not a prank
: Integration with dozens of Iranian web services and applications (e.g., Snap, Digikala, Divar, Tap30) to trigger verification codes. Multi-Threading
While an SMS bomb does not breach a victim's personal data or steal financial information, its operational impact can be severe. 1. Denial of Service (DoS) on the Victim
Under the Computer Crimes Law of the Islamic Republic of Iran, disrupting internet services, data systems, or telecommunications infrastructure is a criminal offense. Launching an SMS attack can lead to heavy fines, lawsuits from affected companies, or imprisonment. How to Protect Against SMS Bombing
This Python-based SMS bomber carries a disclaimer stating the program is for “educational purposes only” and explicitly notes: “At this rate, we only accept .” The tool includes browser-dependent features for services that require headless Firefox automation.