Since Russia's latest escalation in 2022 with its invasion of Ukraine, hacktivism has surged, impacting both private and public sectors through DDoS attacks, defacements, and disinformation campaigns. These cyberattacks align with geopolitical events. With over 50 countries holding elections in 2024, conditions were particularly ripe for influence operations such as misinformation and propaganda campaigns.
DDoS attacks have also intensified, with one pro-Russian hacktivist group alone claiming over 6,000 attacks since March 2022. Driven by political tensions and geopolitical conflicts, we saw a significant increase in both volume and intensity. Hacktivists are now more experienced, leveraging DDoS-for-hire services and sophisticated tools.
To better understand the complex threat landscape, we aim to explore current hacktivism more deeply, examining its various facets and connections to geopolitical tensions, building on our previous findings.
This article doesn't cover all actors or activities from the past year. Our perspective, shaped by Western, English-language viewpoints, may limit our understanding of the broader phenomenon. We avoid naming the hacktivist group we primarily examine, as it thrives on attention.
Historical Context of hacktivism
Hacktivism has evolved through three key eras. The first, the Digital Utopia era, was driven by ideals of building a better internet, as seen with groups like Chaos Computer Club (CCC). Next came the Anti-Establishment era, where hacktivists exposed the flaws in how cyberspace developed, often opposing entrenched powers. The current era, however, sees groups shifting from anti-establishment actions to aligning with certain state agendas. This is a massive paradigm shift from traditional hacktivism, which rejected state control. Instead, we see state-sponsored activities that transform into operations of cyber warfare rather than traditional hacktivism.
Evaluating the evolution of these groups offers key insights into the factors shaping today's hacktivists. Understanding how modern hacktivism differs from activities in the past reveals a striking change in motivation, which can ultimately help in developing better strategies for defense.
Modern hacktivism
In the modern era, hacktivists utilize more advanced techniques than in the past. This is partly due to technological advancements and the sharing of skills and tools in the shared economy model (albeit at times with malicious intent), and partly because state-supported hacktivists might have opportunities to tap into better resources. DDoS attacks have consequently scaled exponentially in size and sophistication, with modern groups claiming and executing DDoS attacks that generate billions of requests per second or consume 3.8 terabits per second (Tbps) in bandwidth.
We also observe a significant shift in the operational methods of hacktivist groups, especially a growing reliance on DDoS-for-hire services and crowd-sourced DDoS tools.
The volunteer-based nature of these groups enables them to scale attacks more effectively, as participants need minimal technical expertise and are incentivized through cryptocurrency rewards. This is an interesting shift since early hacktivist movements were primarily motivated by ideological or political causes, rather than financial rewards. One explanation for this is that as the cybercrime economy evolved and DDoS-for-hire services became more accessible, the line between financially motivated attackers and ideologically driven hacktivists began to blur. Hacktivists in this era also started to cross the line into impacting critical infrastructure and Operational Technology (OT) systems, previously the domain of organized cybercrime or more regular state actors.
Today, hacktivist groups operate in smaller and more independent groups, and many of the more prominent hacktivist groups align themselves with major powers, allowing them to operate with less fear of authorities and prosecution compared to groups from previous eras.
While most observed hacktivism attacks still focus on IT systems, the aim of hacktivism seems to be multi-purposed these days. On the one hand, cyber-attacks aim to disrupt; on the other, attacks are increasingly about shaping public opinion and spreading fear, uncertainty, and doubt (FUD) through targeted manipulative campaigns. For instance, information operations in the Nordics escalated tensions during Sweden's and Finland's NATO accession.
Modern hacktivists have shifted from anti-government positions, like opposing censorship, to supporting pro-government agendas through cyber operations. Unlike earlier hacktivists who focused on individual rights and ethics, today's groups often lack a history of activism. In this new era, 'traditional' hacktivism, which still operates and focuses on access to information, privacy, fighting oppression, and advocating for ethical use of technology, is overshadowed.
Case Study: How does modern hacktivism look?
This study analyzes one of the most active pro-Russian hacktivist groups since March 2022, focusing on its communication strategies, narrative construction, and geopolitical influence. It also examines the group's alignment with state actors, values, and its role within the broader ecosystem. While this report focuses on just this one group, its prominence among peers offers valuable insights into similar pro-government hacktivist groups, allowing the study to reflect broader behaviors and tactics seen across this threat actor landscape.
Data collection
Our data was collected through the systematic scraping of the hacktivist group's Telegram channel monthly over a period of two years, from August 2022 to August 2024. The dataset comprises:
- 3,214 unique messages: These messages included descriptions of the group's targets and other content the group chose to share with the broader public. Thus, the messages serve to capture the group's narratives.
- 6,674 unique targets: These targets encompass a wide range of entities attacked by the group. The actors offer proof of each one by posting a check-host link; check-host is an internet monitoring service commonly used by hacktivists as proof of the success of their DDoS attacks.
To ensure data consistency, scraping was conducted at the same time each month. The data includes textual content (reasons for targeting), metadata (timestamps, views, forwards), and contextual information about the targets. After processing, the exact number of targeted organizations and countries was determined.
Data processing
To analyze the communication patterns and geopolitical context of the hacktivist group, we analyzed the textual content of each message using natural language processing (NLP). We applied text preprocessing and named entity recognition (NER) to identify country references, refining the results with a list of known countries and nationalities. The extracted country information was added to the dataset, allowing us to examine the group's geopolitical focus and alignments.
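A minimal sketch of the country-tagging step described above, as an added example rather than the authors' code: it swaps the NER model for plain gazetteer matching against a small constructed list of country and nationality terms, and all messages and field names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed gazetteer (assumption): country -> name and nationality forms.
GAZETTEER = {
    "Germany": ["germany", "german", "germans"],
    "Finland": ["finland", "finnish", "finns"],
    "Czech Republic": ["czech republic", "czechia", "czech"],
    "United Kingdom": ["united kingdom", "uk", "british", "britain"],
}
ALIAS_TO_COUNTRY = {a: c for c, aliases in GAZETTEER.items() for a in aliases}
# Longest alias first so multi-word names win; \b stops "german" matching "germane".
PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(a) for a in
                      sorted(ALIAS_TO_COUNTRY, key=len, reverse=True)) + r")\b"
)

def normalize(text):
    """Lowercase, drop URLs (so words inside links are not counted), collapse spaces."""
    text = re.sub(r"https?://\S+", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()

def countries_in(text):
    """Return the set of countries referenced in one message."""
    return {ALIAS_TO_COUNTRY[m] for m in PATTERN.findall(normalize(text))}

def tag_messages(messages):
    """Drop repeated messages and attach a sorted country list to each unique one."""
    seen, rows = set(), []
    for msg in messages:
        key = " ".join(msg["text"].lower().split())  # dedupe on full text, links included
        if key in seen:
            continue
        seen.add(key)
        rows.append({**msg, "countries": sorted(countries_in(msg["text"]))})
    return rows

def monthly_counts(rows):
    """Count messages per (YYYY-MM, country); a message counts once per country."""
    counts = Counter()
    for row in rows:
        for country in row["countries"]:
            counts[(row["timestamp"][:7], country)] += 1
    return counts

# Constructed sample messages (not taken from the studied channel).
SAMPLE = [
    {"timestamp": "2023-09-28T10:00:00",
     "text": "Statement on the Czech national day https://example.com/german-report"},
    {"timestamp": "2023-09-28T12:00:00",  # same post scraped twice
     "text": "statement on the  Czech national day https://example.com/german-report"},
    {"timestamp": "2023-10-03T09:00:00",
     "text": "A germane reply to the Finnish and German governments."},
    {"timestamp": "2023-10-05T09:00:00",
     "text": "The UK and the United Kingdom are named in one post."},
]

if __name__ == "__main__":
    for (month, country), n in sorted(monthly_counts(tag_messages(SAMPLE)).items()):
        print(month, country, n)
```

A gazetteer alone misses indirect references (capital cities, leaders' names), which is where an NER pass of the kind the article describes adds coverage.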
Analysis
Before discussing the data, it's important to summarize recurring themes in pro-Russian Telegram posts. These narratives aren't unique to one group but are common across several pro-Russian cyber actors. The group frames its actions as retaliation for Russophobia, Western support for Ukraine, or sanctions on Russia.
Messages often mock targeted nations, criticizing leaders for prioritizing Ukraine over domestic issues. They use militaristic language, praising Russia's military and positioning themselves as cyber warriors defending Russia's interests, and aligning with broader narratives of resisting Western influence.
The group occasionally references subscriber requests and volunteer input, showing they incorporate follower feedback when selecting targets. This fosters community involvement and introduces a crowd-sourcing aspect to their cyber operations.
Victimology
The group's activities against targets serve both as a disruption tool and a symbolic statement against specific nations. By attacking organizations tied to everyday services, they retaliate against perceived wrongs and express disapproval of the nation's political stance, particularly regarding Russia and Ukraine.
Their strategy aims to influence international perception while creating domestic instability. Attacks on services like public transport or banking systems highlight institutional vulnerability, reinforcing the narrative that the state is failing to protect its citizens.
Consequently, it doesn't necessarily matter who the victim is at an operational level—it's more about what the organization symbolically represents in the context of a broader political or geopolitical message.
What does the data tell us?
In the following paragraphs, we analyze how many targets this specific hacktivist group has attacked over a two-year period. Within the 3,214 messages, we identified 6,674 targets from the private and public sectors, averaging around 280 targets per month.
The volume of messages fluctuated, potentially suggesting organized campaigns, likely timed to align with key political or military events. The group's focus appears to shift in response to geopolitical tensions, elections, or other notable events, reflecting a calculated effort to exert influence. We investigate this below (under Geopolitical impacts).
In September and October 2023, we see a significant increase in activity. Analysis of the message contents indicates that Germany, Finland, the Czech Republic, Canada, the United Kingdom and Sweden were particularly heavily impacted. This surge coincides with key events such as national holidays (e.g. Czech Republic's national day), international meetings (such as the Malta Peace Formula meeting) and high-profile scandals (such as the Canadian Parliament incident). The alignment allows the group to frame these cyber operations as symbolic acts of punishment.
Top 25 Targeted Countries
Our data shows that 42 distinct countries were targeted by this threat actor over two years, with 96% located in Europe. The attacks targeted countries rather than specific organizations. This becomes clear when analyzing the messages where the actors address the country they intended to impact, while at the same time posting a list of organizations that are meant to deliver the strategic message to a particular country and its civil society.
In the context of the war against Ukraine, Ukraine and Eastern European countries like Poland, the Czech Republic, and Lithuania are heavily targeted. Western European nations such as Germany, Italy, and France also faced significant attacks, reflecting their NATO and EU leadership roles.
In France, the group exploited social unrest, aligning with local farmer protest movements and public dissent. A surge in Spanish victims was triggered by the arrest of two individuals in Spain tied to the group. Similarly, attacks on Germany carried anti-government sentiment and opposition to its leadership.
"As the rallies continue to rage in France, we support the [farmers] protesters and put down the communes"
(26th of January 2024)
Finland and Moldova stand out for high attack volumes despite less direct involvement in the war against Ukraine. Finland's NATO membership and geographic proximity to Russia drew increased attention, but Moldova saw almost 200 attacks in Q2 2024, primarily DDoS attacks targeting state infrastructure and fueled by anti-government sentiment. Moldova's vulnerability due to Transnistria likely contributes to its ranking. Spain and Italy also face frequent attacks, apparently in retaliation for their military support of Ukraine. Attacks focus on critical infrastructure and exploit internal dissent and are often framed as responses to Russophobia and arrests of Russian sympathizers. Canada ranks unusually high among non-European targets, reflecting Russia's global cyber reach against NATO-aligned countries. The absence of the U.S. is notable, given its leading role in supporting Ukraine.
Pro-Russian hacktivists may focus on European countries due to their proximity to the conflict, where disrupting supply chains and infrastructure more directly impacts Ukraine.
Attacks on key transit hubs like Poland, or influential nations like Germany and France possibly offer more immediate strategic gains than targeting the U.S.
Geopolitical impacts
To analyze factors influencing target choices, we first identified relevant keywords linked to geopolitical events and extracted unique messages containing these keywords. Each message was then manually reviewed to confirm references to specific geopolitical events. This process enabled a focused analysis of how real-world developments have shaped the group's decisions.
Our analysis reveals consistent support for anti-EU protests, in particular the Farmers' Protests in Poland, Belgium, and Germany. Multiple European elections (United Kingdom, France, Finland, Austria, Belgium) and national independence days (Ukraine and Poland) were frequent themes. Election interference marked an escalation, aiming to disrupt democratic processes.
The group also reacted to international conferences, targeting host countries or responding to specific comments made at these events.
Election interference represents an escalation beyond typical DDoS attacks on infrastructure or military websites, as it directly targets the democratic process of a nation. By attacking election-related websites and portals, the hacktivist group aims to undermine public trust in the electoral system, disrupt the flow of information, and potentially influence the outcome of a key democratic process.
The group frequently responded to international conferences or summits by targeting the host country with cyberattacks. Occasionally, specific comments made during these events also triggered attacks against the countries involved. A summary of the events associated with selected keywords is depicted in the following graphic.
Summary
We observed this particular pro-Russian hacktivist group for 2.5 years, since it began operations following the beginning of Russia's war against Ukraine. Between August 2022 and August 2024, the group claimed over 6,600 attacks in more than 3,200 messages, with 96% of their victims in Europe, aligning with their anti-NATO and anti-Western stance. Surprisingly, despite frequent mentions, no attacks were observed on U.S. targets, possibly signaling an intentional avoidance. The group focuses on sectors providing essential services, such as financial, transportation, education, and government systems, with the aim of disrupting societal stability. Notably, voting systems in countries like France, the UK, Finland, Belgium and Austria were targeted during elections, threatening electoral integrity and sowing doubt about results. These attacks align closely with Russian state narratives, suggesting potential state influence.
Hacktivism has evolved from its early roots of ideological protest, with modern groups blurring the lines between hacktivism and state-sponsored cybercriminal activities. The pro-Russian group's actions are symbolically tied to their targets, amplifying political messages or undermining public trust. Their campaigns often coincide with significant geopolitical events such as elections and summits. Like cyber extortion groups that threaten to leak sensitive data, hacktivists wield coercion to manipulate public perception, seeking to shape political outcomes.
Indeed, several fundamental similarities between modern hacktivism and cyber extortion can be observed:
- Both invest heavily in building a brand and community for credibility.
- Both operate publicly, offering real-time commentary on platforms like Telegram.
- Both are tolerated or even supported by nation-states when aligned with political objectives.
- Both procure advanced tools or services in the dark economy to boost capabilities.
- Both justify target selection retroactively, shaping narratives post-attack to maintain control over the story.
- Both use coercion, with hacktivism aiming to influence political outcomes and cyber extortion threatening reputational damage through document leaks.
Defending against these threats requires not only robust technical defenses but also strategic communication to counter disinformation and maintain public trust. The cognitive element of these attacks underscores the need for a holistic approach that includes safeguarding information integrity and strengthening public resilience.
Recommendations
From a technical standpoint:
- Implement standard security controls like DDoS protection, vulnerability mitigation, and attack surface management.
- Continuously monitor evolving threats and use the latest threat intelligence.
- Develop incident response and crisis management plans that cover both technical recovery and public communications.
- Engage in strategies to counter cognitive attacks that target public perception and trust:
  - Monitor social and media channels for disinformation and respond quickly to debunk false claims.
  - Communicate proactively with transparent updates to maintain stakeholder trust.
  - Collaborate with public relations experts to craft consistent, credible messaging.
  - Educate the public to recognize disinformation, fostering resilience against manipulation.
Given the escalation of hacktivism, particularly pro-Russian attacks targeting the West and NATO, organizations in these regions should prepare for ongoing efforts to disrupt and destabilize.
This is just an excerpt of the coverage on current topics in cyber security. For the full story and more in-depth articles on the use and abuse of Generative AI, OT-targeted attacks, Vulnerability management and Cyber Extortion as well as CyberSOC statistics and security predictions you should check out the Security Navigator 2025! Head over to the download page and get a copy.
About the Authors:
- Diana Selck-Paulsson, Lead Security Researcher, Orange Cyberdefense: With a strong background in Criminal Science, Diana is a Lead Security Researcher for Orange Cyberdefense. Among other projects, she heads the company's efforts to track, analyze and report on current ransomware trends. Her primary interests and focus are on data analysis, researching cybercrime trends, victimology and the human element in cyber security.
- Ben Gibney, Security Analyst, Orange Cyberdefense: Ben Gibney is a Security Analyst working at Orange Cyberdefense. He studied for a Liberal Arts and Science degree focusing on Artificial Intelligence and then lectured about digital technologies, including the history of the computer and computer networks. He joined Orange Cyberdefense as an IT Workspace Specialist before changing to work as a Security Analyst. He has researched effective ways of implementing AI to improve education, concepts of intelligence in relation to chatbots, as well as the possibilities of creating security tools using AI.