149 Hacktivist DDoS Attacks Strike 110 Organizations Across 16 Countries Following Middle East Tensions
In the days after the U.S. and Israel launched their coordinated military campaign against Iran—known as Epic Fury and Roaring Lion—the conflict quickly spilled into cyberspace. What started as a physical confrontation soon turned into a digital battle, leaving many organizations scrambling to protect themselves.
Cybersecurity experts say hacktivist groups reacted almost immediately. According to Radware, the activity was heavily concentrated in a few hands: just two groups, Keymous+ and DieNet, were responsible for nearly 70% of all attack activity between February 28 and March 2. The very first distributed denial-of-service (DDoS) attack during this wave was launched on February 28, 2026, by a group called Hider Nex, also known as the Tunisian Maskers Cyber Force.
Hider Nex, described by Orange Cyberdefense as a secretive Tunisian hacktivist collective, openly supports pro-Palestinian causes. The group combines DDoS attacks with data breaches, often leaking sensitive information to embarrass its targets and push its political message. Though it only appeared publicly in mid-2025, it has already built a reputation for aggressive digital tactics.
In total, 149 DDoS attack claims were recorded, targeting 110 different organizations across 16 countries. Twelve separate groups were involved, but three—Keymous+, DieNet, and NoName057(16)—accounted for nearly three-quarters of the activity.
Most of the damage was concentrated in the Middle East. Out of all reported incidents, 107 attacks targeted organizations in the region, many of them government bodies and public infrastructure. Europe also felt the impact, accounting for nearly 23% of global activity during this period. Globally, government organizations were hit hardest, making up almost 48% of targets. Financial institutions and telecom companies followed.
Radware described the situation as an expansion of the battlefield. “The digital front is growing alongside the physical one,” the company noted. Three countries—Kuwait, Israel, and Jordan—were especially affected. Kuwait alone accounted for 28% of attack claims, followed closely by Israel and Jordan.
But the story doesn’t end with DDoS attacks.
Several pro-Russian hacktivist groups, including Cardinal and Russian Legion, claimed they breached Israeli military networks—even going as far as to say they accessed systems connected to the Iron Dome missile defense program. These claims remain difficult to verify, but they added to the rising tension and fear.
At the same time, cybersecurity firm CloudSEK uncovered an SMS phishing campaign targeting Israeli citizens. Attackers created a fake version of the Israeli Home Front Command’s RedAlert app. By convincing people to install what looked like an urgent wartime update, hackers secretly deployed surveillance malware. The fake app worked convincingly, displaying real-looking alerts while quietly harvesting personal data in the background—an unsettling reminder of how fear can be weaponized.
Meanwhile, Iran’s Islamic Revolutionary Guard Corps (IRGC) reportedly targeted energy and digital infrastructure across the Middle East. According to Flashpoint, Saudi Aramco and an Amazon Web Services data center in the UAE were among the targets. Analysts believe the goal was to cause economic disruption as a response to military setbacks.
Another Iranian-linked group, Cotton Sandstorm (also known as Haywire Kitten), revived an older identity called the Altoufan Team and claimed to have hacked websites in Bahrain. Security researchers believe this signals a strong likelihood of further cyber operations as the conflict continues.
Data from Nozomi Networks shows that Iranian state-sponsored group UNC1549—also known by several other names—was one of the most active threat actors in late 2025. Its focus has largely been on defense, aerospace, telecom, and government targets, reflecting clear geopolitical motives.
Even Iran’s cryptocurrency sector felt the strain. Major exchanges remained online but limited withdrawals and warned users to prepare for possible connectivity disruptions. Ari Redbord of TRM Labs described the situation as a “stress test” for Iran’s shadow crypto economy, which has long been used to work around sanctions. While there’s no clear sign of panic-driven capital flight, the pressure is visible.
Interestingly, Sophos reported a noticeable spike in hacktivist activity but said it did not see a major escalation in overall risk levels. Much of the activity involved pro-Iran groups launching DDoS attacks, defacing websites, and making bold—but sometimes unverified—claims about breaching Israeli infrastructure.
The U.K.’s National Cyber Security Centre (NCSC) has warned organizations to stay alert, particularly for Iranian-linked cyber activity. It urged companies to strengthen defenses against DDoS attacks, phishing campaigns, and potential attempts to target industrial control systems.
Cynthia Kaiser, a former FBI Cyber Division leader and now SVP at Halcyon’s ransomware research center, pointed out that Iran has a history of using cyber operations to retaliate against what it sees as political insults. In recent years, those operations have increasingly included ransomware.
“Iran has often turned a blind eye to private cybercriminal groups targeting U.S., Israeli, and allied interests,” Kaiser explained. “That gives the government flexibility. If leaders believe cyberattacks can deliver meaningful retaliation, they may activate those networks.”
SentinelOne echoed similar concerns, warning that organizations in Israel, the U.S., and allied countries—especially in government, critical infrastructure, defense, finance, academia, and media—could face direct or indirect targeting.
Nozomi Networks added that Iranian threat actors frequently mix espionage, disruption, and psychological tactics to amplify their impact. During unstable periods like this, those operations often intensify and extend well beyond the immediate conflict zone.
To reduce risk, cybersecurity experts are urging organizations to act quickly. Recommended steps include continuous monitoring, updating threat intelligence systems, minimizing exposed online assets, reviewing connected systems for vulnerabilities, separating IT and operational networks, and isolating IoT devices.
As Adam Meyers of CrowdStrike put it, Iran’s cyber actors have steadily refined their methods. They’re no longer limited to traditional network intrusions but are now targeting cloud systems and identity platforms—allowing them to move faster and hit harder across modern hybrid environments.
What’s clear is that this conflict is no longer confined to borders or battlefields. It’s unfolding quietly in data centers, corporate networks, and even on people’s phones. And while missiles dominate headlines, the invisible digital war is creating its own kind of anxiety—one that governments and businesses can’t afford to ignore.
