149 DDoS attacks hit government, finance, and telecom sectors in Middle East conflict aftermath, with Keymous+ and DieNet driving 70% of activity targeting critical infrastructure.
A wave of hacktivist DDoS attacks has targeted 110 organizations across 16 countries following the U.S.-Israel military campaign against Iran, with cybersecurity researchers documenting 149 attacks concentrated heavily in the Middle East. The surge represents a significant escalation in digital retaliation amid ongoing regional tensions.
Hacktivist Groups Drive Majority of Attacks
According to Radware's analysis, the hacktivist threat landscape in the Middle East is "highly lopsided," with two groups driving nearly 70% of all attack activity between February 28 and March 2. Keymous+ and DieNet accounted for the bulk of the 149 recorded DDoS claims, while a total of 12 different groups participated in the campaign.
Geographic Distribution and Sector Targeting
The attacks show a clear geographic concentration, with 107 of the 149 attacks (72%) focused on Middle Eastern targets. The distribution within the region was heavily concentrated in three specific nations: Kuwait accounted for 28% of attack claims, Israel for 27.1%, and Jordan for 21.5%.
Nearly half of all targeted organizations globally belonged to the government sector (47.8%), followed by finance (11.9%) and telecommunications (6.7%). This targeting pattern suggests a strategic focus on critical infrastructure and state-level entities rather than random opportunistic attacks.
Key Attackers and Their Methods
Several prominent hacktivist groups have emerged in this campaign:
Hider Nex (Tunisian Maskers Cyber Force) launched the first DDoS attack on February 28, 2026. This shadowy Tunisian group supports pro-Palestinian causes and employs a "hack-and-leak" strategy that combines DDoS attacks with data breaches to leak sensitive information and advance its geopolitical agenda. The group emerged in mid-2025.
Keymous+, DieNet, and NoName057(16) collectively accounted for 74.6% of all activity during the observed period. These groups have demonstrated sophisticated capabilities in coordinating large-scale disruptive operations.
Other participating groups include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro.
State-Sponsored Operations and Advanced Threats
The conflict has also seen state-sponsored cyber operations intensify. Iran's Islamic Revolutionary Guard Corps (IRGC) targeted energy and digital infrastructure sectors in the Middle East, striking Saudi Aramco and an Amazon Web Services data center in the U.A.E. with the intent to "inflict maximum global economic pain as a counter-pressure to military losses," according to Flashpoint.
Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team, claiming to hack websites in Bahrain. Check Point noted this reflects "the reactive nature of the actor's campaigns and a high probability of their further involvement in intrusions across the Middle East amid the conflict."
Data from Nozomi Networks shows that the Iranian state-sponsored hacking group UNC1549 (also known as GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing attacks on defense, aerospace, telecommunications, and regional government entities to advance Iran's geopolitical priorities.
Pro-Russian Hacktivist Activity
Pro-Russian hacktivist groups have also joined the fray. Cardinal and Russian Legion claimed to have breached Israeli military networks, including the Iron Dome missile defense system. An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltrating malware.
CloudSEK described the campaign: "By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, the adversaries successfully deploy a fully functional alert interface that masks an invasive surveillance engine designed to prey on a hyper-vigilant population."
Cryptocurrency Market Impact
Major Iranian cryptocurrency exchanges have continued operating but announced adjustments, either suspending or batching withdrawals and issuing risk guidance urging users to prepare for possible connectivity disruption. Ari Redbord, Global Head of Policy at TRM Labs, noted that "what we're seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention."
Redbord added that "for years, Iran has operated a shadow economy that, in part, has used crypto to evade sanctions, including through sophisticated offshore infrastructure. What we're seeing now – under the strain of war, connectivity shutdowns, and volatile markets – is a real-time stress test of that infrastructure and the regime's ability to leverage it."
Security Recommendations and Threat Assessment
Organizations are advised to activate continuous monitoring to reflect escalated threat activity, update threat intelligence signatures, reduce external attack surface, conduct comprehensive exposure reviews of connected assets, validate proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices.
Cynthia Kaiser, ransomware research center SVP at Halcyon and former FBI Cyber Division official, warned that Iran has a track record of using cyber operations to retaliate against "perceived political slights," adding that these activities have increasingly incorporated ransomware.
Kaiser emphasized that "Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries. That's because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact."
Cybersecurity company SentinelOne has assessed with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, noted that "Iranian adversaries have continued to evolve their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, which positions them to act rapidly across hybrid enterprise environments with increased scale and impact."
The digital front is clearly expanding alongside the physical conflict, with hacktivist groups simultaneously targeting more nations in the Middle East than ever before. The concentration of attacks on government, financial, and telecommunications sectors suggests a coordinated effort to disrupt critical infrastructure and maximize impact during this period of heightened geopolitical tension.
