The New Hacktivists: How Global Conflict Turned a Nuisance Into a Security Threat

Written by

Mention hacktivism to today's CISOs and most will roll their eyes. They might have a point. Many years after the term hacktivism was first coined, this type of cybercrime is still often viewed as a low-level threat carried out by fringe groups of frustrated digital pranksters in basements.

That's where hacktivism started, but it's not where it is now. Hacktivism has long since mutated into a very different beast, an evolution that continues apace. It is not a risk most CISOs will put on their top five cyber worries, but it is a phenomenon they should still pay close attention to because it is heading in a dangerous direction.

The turning point was the 2022 war between Ukraine and Russia. It probably helped that Russia was already a global superpower in commercial cybercrime knowhow. Hacktivist attacks surged. The main weapon of choice since then has been DDoS, cheaply rented from plentiful DDoS-for-hire services.

While not necessarily better funded today, hacktivism is driven more by motivation than money and has nevertheless metastasized. It is everywhere, encompassing hundreds of groups across the globe that seem almost immune to conventional arrest and infrastructure disruption.

Radware now tracks up to 150 different groups based on DDoS attack claims made on Telegram, most of which are evidenced by check-host links showing website availability. In the first half of 2025 alone, this amounted to 7,488 unique attack claims, with Europe and the Middle East disproportionately affected.

The 2026 war with Iran has continued the pattern, with Radware recording 1,128 DDoS attack claims made on Telegram, aimed mainly at countries allied with the US and Israel. Between February 28 and March 24, this resulted in 346 organizations being hit, around half in government.

In terms of attack numbers, a small band of “supergroups” dominates attacks, including NoName057(16), Keymous+, Hezi Rash (Dark Power), and Mr Hamza.

The most famous of these, NoName057(16), was targeted by a major Europol operation in July, which led to two arrests and international warrants issued for another half dozen people based in the Russian Federation.

While the operation arguably failed - NoName057(16) was largely back up and running within days – it offered a rare insight hacktivism's deeper structure and scale. NoName057(16) has amassed 1,000 active participants, including 15 administrators, across at least 12 countries. Its arsenal comprised 100 servers, likely an underestimate given how quickly it resurrected itself.

NoName057(16) is clearly well organized, recruiting a steady flow of new supporters, who are instructed on how to launch attacks using DDoS-for-hire services. Motivation is maintained with cryptocurrency rewards and gamified leaderboards tied to an ideological message.

When NoName057(16) activated in 2022, it was probably a handful of people. Yet within three years, it grew into an operation able to launch thousands of DDoS attacks, including attacks on UK local government and Germany's railway system. So much for the image of hacktivism as a prank crime.

Countering Hacktivism

NoName057(16) hints that hacktivism is merging with nation state attacks. Nation state actors are highly secretive groups that choose targets carefully to suit long-term goals. Hacktivism, by contrast, is noisy, opportunistic and focused on exploiting global events in real time.

Hybrid hacktivism with connections to nation states bridges the gap between these two realms. The objective for these neo-hacktivist groups is often to conduct psychological warfare through public embarrassment: as powerful as you appear, our attacks show that you are not invulnerable.

This strategy is potent because the claim is often true - even small but carefully targeted DDoS attacks often achieve some success. Far from being marginal, figures from ENISA report that hacktivism now accounts for around 80% of DDoS attacks affecting EU organizations.

The question is how organizations should react to the booming hacktivist threat. A key lesson is not to dismiss these groups as harmless or assume that your company won't be targeted. Each one might look small compared to a major ransomware actor, but there are a lot of them and they are increasingly organized.

This is why tracking hacktivist campaigns on Telegram or the dark web is a must for comprehensive threat intelligence. If your company or public sector organization is in hacktivists' sights – especially during wars or moments of heightened tension - this is where you will get an early warning.

Defending against such an unpredictable threat is challenging. Today, the term DDoS attack still summons the idea of large volumetric attacks that bring down sites with sustained traffic. In reality, today's DDoS is as likely to be much smaller and shorter, switching protocols and vectors in minutes as attackers probe for weak points.

That's why DDoS protection needs to be automated, a technology that analyses traffic in terms of intent rather than simply searching for a predefined signature. Done at machine speed, this also avoids the problem of defender fatigue in DDoS campaigns that can last days.

Only a fraction of hacktivist incidents cause major outages, but the effect is as much psychological as technical. Anyone could be next. The takeaway from all this is simple: hacktivism is no longer a juvenile protest movement. It has evolved into a grow-up threat type deserving of respect.

Image credit: Cineberg / Shutterstock.com

What’s Hot on Infosecurity Magazine?