Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran, codenamed Epic Fury and Roaring Lion.

"The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2," Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026.

According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It leverages a hack-and-leak strategy combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025.

In all, a total of 149 hacktivist DDoS claims were recorded targeting 110 distinct organizations across 16 countries. The attacks were carried out by 12 different groups, including Keymous+, DieNet, and NoName057(16), which accounted for 74.6% of all activity.

Of these attacks, the vast majority, 107, were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of the total global activity during the time period. Nearly 47.8% of all targeted organizations globally belonged to the government sector, followed by finance (11.9%) and telecommunications (6.7%) sectors.

"The digital front is expanding alongside the physical one in the region, with hacktivist groups simultaneously targeting more nations in the Middle East than ever before," Radware said. "The distribution of attacks within the region was heavily concentrated in three specific nations: Kuwait, Israel, and Jordan, with Kuwait accounting for 28%, Israel for 27.1%, and Jordan for 21.5% of the total attack claims."

Besides Keymous+, DieNet, and NoName057(16), some of the other groups that have engaged in disruptive operations include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro, per data from Flashpoint, Palo Alto Networks Unit 42, and Radware.

The current scope of cyber attacks is listed below -

Pro-Russian hacktivist groups like Cardinal and Russian Legion claimed to have breached Israeli military networks, including its Iron Dome missile defense system.

An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltrating malware. "By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, the adversaries successfully deploy a fully functional alert interface that masks an invasive surveillance engine designed to prey on a hyper-vigilant population," CloudSEK said.

Iran's Islamic Revolutionary Guard Corps (IRGC) targeted the energy and digital infrastructure sectors in the Middle East, striking Saudi Aramco and an Amazon Web Services data center in the U.A.E. with an intent to "inflict maximum global economic pain as a counter-pressure to military losses," Flashpoint said.

Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team, claiming to have hacked websites in Bahrain. "This reflects the reactive nature of the actor's campaigns and a high probability of their further involvement in intrusions across the Middle East amid the conflict," Check Point said.

Data gathered by Nozomi Networks shows that the Iranian state-sponsored hacking group known as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing its attacks on defense, aerospace, telecommunications, and regional government entities to advance the nation's geopolitical priorities.

Major Iranian cryptocurrency exchanges have remained operational but announced operational adjustments, either suspending or batching withdrawals, and issuing risk guidance urging users to prepare for possible connectivity disruption.

"What we're seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention," said Ari Redbord, Global Head of Policy at TRM Labs. "For years, Iran has operated a shadow economy that, in part, has used crypto to evade sanctions, including through sophisticated offshore infrastructure. What we’re seeing now – under the strain of war, connectivity shutdowns, and volatile markets – is a real-time stress test of that infrastructure and the regime's ability to leverage it."

Sophos said it "observed a surge in hacktivist activity, but not an escalation in risk," primarily from pro-Iran personas, including Handala Hack team and APT Iran in the form of DDoS attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure.

The U.K. National Cyber Security Centre (NCSC) alerted organizations to a heightened risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks, phishing activity, and ICS Targeting.

In a post shared on LinkedIn, Cynthia Kaiser, ransomware research center SVP at Halcyon and former Deputy Assistant Director with the Federal Bureau of Investigation's Cyber Division, said Iran has a track record of using cyber operations to retaliate against "perceived political slights," adding these activities have increasingly incorporated ransomware.

"Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries," Kaiser added. "That's because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact."

Cybersecurity company SentinelOne has also assessed with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.

"Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption, and psychological impact operations to advance strategic objectives," Nozomi Networks said. "In periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone."

To counter the risk posed by the kinetic conflict, organizations are advised to activate continuous monitoring to reflect escalated threat activity, update threat intelligence signatures, reduce external attack surface, conduct comprehensive exposure reviews of connected assets, validate proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices.

"In past conflicts, Tehran's cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare," Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement shared with The Hacker News.

"Iranian adversaries have continued to evolve their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, which positions them to act rapidly across hybrid enterprise environments with increased scale and impact."