Hacktivist Threats Turn to Action in Days: Kaspersky Finds 61% of Attacks are DDoS and Follow Public Threats Swiftly
Hacktivists typically move from words to action within a matter of days or weeks after issuing their public threats. This conclusion was drawn by the Kaspersky Lab research team, which analyzed the activities of 120 groups across the META region (Turkey, the Middle East, and Africa) and more than 11,000 messages published in 2025 across open sources and the dark web. The findings formed the basis of the report titled “Signal in the Noise.”
The study revealed that hacktivist groups operate globally — from Russia and Europe to India, Vietnam, and Argentina — seeking maximum publicity by selecting targets and themes likely to capture widespread attention.
Unlike cyberespionage collectives, hacktivists tend to act on their threats far more swiftly — most often within days or weeks of making them public. Analysts emphasize that it is therefore crucial to closely monitor such signals and respond to them promptly.
In 2025, more than 61% of cyberattack reports mentioned by hacktivists and marked with hashtags referred to DDoS attacks. This attack vector remains the most common means of exerting pressure, as it can disrupt websites and online services without requiring sophisticated breaches.
Kaspersky experts identified over 2,000 unique hashtags associated with cyberattack-related posts throughout the year, with roughly 1,500 appearing for the first time. Hashtags serve as a tool for malicious actors to claim responsibility, promote their campaigns, and generate public attention.
Most of these tags have a short lifespan — averaging about two months — since messaging platform administrators frequently remove the channels belonging to such groups. However, popular combinations tend to persist longer, often resurfacing in new communities created to replace the deleted ones.
Hacktivist groups also form alliances to amplify their impact, publicly announcing joint operations, often through shared hashtags.
According to Kaspersky analysts, observing hacktivist activity within the META region has helped identify key behavioral patterns valuable for cybersecurity professionals. Unlike other cybercriminal alliances, hacktivists pursue maximum publicity, a trait reflected in their open style of communication. Continuous monitoring of their publications allows defenders to extract actionable intelligence, transforming the torrent of online noise into meaningful signals that help safeguard critical infrastructure.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
