NEWS 149 cyberattacks in three days of war – hacktivists open a digital front against Israel and US allies

pinkman

The first bombs fell at 10:00 a.m. – the first cyberattack at 3:13 p.m.
The military strikes on Iran almost immediately triggered a second wave – this time online. Following the launch of the joint US-Israeli operation, hacktivist groups with ties to pro-Iranian and pro-Palestinian groups sharply increased their DDoS attacks in the Middle East. Government resources, banks, telecom companies, and major services were the main targets. Between February 28 and March 2, researchers counted 149 reports of attacks on 110 organizations in 16 countries. The majority of activity was concentrated in Middle Eastern countries, but some of the campaign quickly spread to Europe.

The digital escalation paralleled the military one. On February 27, Donald Trump authorized Operation Epic Fury. On the morning of February 28, at 6:30 UTC, the US and Israel launched a massive attack on Iranian territory. The operation involved over 100 American aircraft, ships armed with Tomahawk cruise missiles, and approximately 200 Israeli fighter jets. The targets included the Pasteur Street area of Tehran, home to the Supreme Leader's residence, command centers, air defense facilities, missile launch sites, and the IRGC naval component in Tehran, Isfahan, Qom, and Kermanshah.

Iran responded with hundreds of ballistic missiles and drones targeting Israel, American bases in the region, and targets in the Persian Gulf, including the UAE, Qatar, and Bahrain. Tehran also threatened to close the Strait of Hormuz. On March 1, Iranian media, as well as US and Israeli officials, reported the death of Ali Khamenei and several high-ranking military and government officials. Iran declared a 40-day mourning period. The US and Israel claimed to have hit over 2,000 targets in the first 48 hours, significantly weakening Iran's air defenses and gaining air superiority. Following this, the IRGC vowed revenge, and allied proxies, including Hezbollah, began firing rockets at Israel.

By March 2, the conflict had affected at least nine countries in the region. Recorded incidents included strikes on oil infrastructure, the explosion of an unmanned boat near a tanker in the Gulf of Oman, and incidents near a British base in Cyprus. The IAEA, however, has not confirmed damage to Iranian nuclear facilities, despite ongoing bombing of Tehran and other major cities. The Iranian Red Crescent Society reported more than 500 casualties. American and Israeli military estimates placed the death toll at over 1,000 Iranian troops.

To assess hacktivist activity, the researchers only considered DDoS attack claims. Defacements and reports of stolen data were not included, as such publications are too often used for disinformation and media hype. Each claim was additionally verified using Check-Host.net: they checked whether the specified resource existed, whether the group was repeating an old post, and whether the publication time matched the reported incident. Failure to verify the validity of the check was not considered evidence of actual damage. This approach primarily allows for an assessment of the intent, target selection, and pace of the campaign, but not the confirmed effectiveness of the attacks.

The first wave began on February 28th. Within 24 hours, 24 claims were made. At 15:13 UTC, the Hider Nex group, also known as the Tunisian Maskers Cyber Force, announced its first retaliatory DDoS attack. The target was Bezeq, one of Israel's largest telecom operators. Hider Nex is associated with a pro-Palestinian and pro-Tunisia agenda. The group emerged in mid-2025, when cyber tensions between Tunisia and Morocco escalated, and from the outset, it presented its campaigns as support for the Palestinian cause and a response to alleged Moroccan operations.

An hour and a half later, DieNet joined the campaign. At 16:47 UTC, the group announced an attack on a Qatari government website, and approximately thirty minutes later, expanded its target list to include Bahrain and the UAE. Government, transport, and infrastructure resources were targeted. DieNet emerged in March 2025 and quickly established itself as one of the most aggressive politicized groups. Its rhetoric centers on opposition to the United States, its military presence, sanctions, and Washington's foreign policy. When attacking Israeli targets, the group uses an anti-Zionist agenda, in Iraq it displays affinity with Shiite armed factions, and in campaigns against European companies, it switches to a more general anti-Western narrative.

By the evening of February 28, the attacks had become more widespread and intense. At 19:31 UTC, Nation of Saviors, or NOS, announced an attack on the Israeli Alon Group and promised to maintain the DDoS load for over twenty hours. NOS is considered one of the pro-Palestinian and pro-Pakistani groups that actively participated in coordinated campaigns against Western and Indian targets in 2024 and 2025. At 20:04 UTC, Keymous+ joined the attackers. The group announced strikes against Israeli telecom and technology companies, including Bezeq, Partner Communications, ITC, NCT, Advantech Wireless, and Adagio Software. Keymous+ emerged in late 2023 and sharply increased its activity in 2025. Analysts associate the group with a North African context, most likely Algeria. In terms of style, the group is a hybrid player: it combines ideological hacktivism with methods typical of commercial cybercrime.

On March 1, the tempo increased even further: 31 reports were filed in one day. At 18:47 UTC, the Conquerors Electronic Army, or CEA, joined the campaign. The group focused on Israeli retail and financial services. Among its targets was Terminal X, described as an AI platform for investment managers. CEA is considered a pro-Iranian group that significantly increased in strength in late 2024 and 2025. Ideologically, the group is close to the structures commonly referred to as the "axis of resistance," which base their operations around Iranian and pro-Shiite narratives.

Later that day, the Sylhet Gang joined the operation. The primary target was Saudi Arabia, specifically the HCM and internal control systems associated with the Ministry of Interior. The group explicitly explained its choice of target by citing Riyadh's alleged provision of bases and airspace to the US. Sylhet Gang has been active since July 2023, uses the Bengali language, and bases its campaigns on political and ideological motives. The name refers to the Sylhet region of Bangladesh. At the same time, the group publicly opposed the position of the Bangladeshi Foreign Ministry, which condemned Iran. This reversal is quite typical for the hacktivist community: members often turn against their own state if the government's policies clash with their ideology.

March 2 was the busiest day of the three-day campaign, with 52 reported attacks. The key event was the involvement of the pro-Russian group NoName057(16). At 11:17 UTC, the group began attacks on Israeli government, telecommunications, and commercial resources. Not only the volume of activity but also the composition of the participants is significant. Until Monday, the pressure was primarily exerted by pro-Iranian and pro-Palestinian groups. The appearance of NoName057(16) demonstrated that external players with established DDoS infrastructure and extensive experience in campaigns against government services had begun to join the Middle East campaign.

The Middle East report reveals a very uneven distribution of activity. From February 28 to March 2, nine groups reported 107 attacks on 81 organizations in eight countries across the region. The bulk of these attacks were carried out by just a few groups. Keymous+ accounted for 35.5% of all reports, DieNet for 32.7%, and Conquerors Electronic Army for 11.2%. 313 Team and NoName057(16) each accounted for 6.5%, while Nation of Saviors accounted for 3.7%. This doesn't look like a chaotic stream of dozens of equally powerful channels, but rather like a campaign where the pace is set by a small circle of the most active participants.

Government agencies lead in terms of target type: nearly 53% of all attacks targeted them. This choice is understandable. Attacks on government resources yield maximum political impact, a significant information footprint, and a high chance of disrupting public services. The financial sector ranks second with 13.7%, and telecoms third with 8.8%. In essence, the groups targeted nodes that support governance, communications, and basic digital services.

The geography was also very concentrated. Kuwait accounted for 28% of all reports, Israel for 27.1%, and Jordan for 21.5%. The shares of the UAE, Bahrain, Qatar, Saudi Arabia, and Oman were 7.5%, 6.5%, 4.7%, 3.7%, and 1%, respectively. Together, Kuwait, Israel, and Jordan accounted for 76.6% of all Middle Eastern activity. This imbalance appears to be a deliberate choice of countries where an attack would both generate high publicity and send a significant political message.

In Europe, the picture was different. From February 28 to March 2, five groups attacked 23 organizations in five countries and published 34 statements. NoName057(16) was almost entirely dominant, accounting for 73.53% of all attacks. ServerKillers was a distant second, with 17.65%. The peak occurred on February 28, when 20 statements were issued, after which the intensity decreased to six and eight statements over the next two days. Denmark suffered the most, accounting for 55.9% of all European activity. Germany and Spain each accounted for 17.65%.

A comparison of the two regions reveals differences not only in numbers but also in the campaign's structure. In the Middle East, several prominent groups with similar ideologies and targeting patterns were simultaneously active. In Europe, almost everything was concentrated on a single operator. In both regions, state resources remained the primary target, but in the Middle East, attacks on banks and telecoms were more prominent. In Europe, after state structures, industry was the most prominent target, with a share of 11.54%, while financial and telecom resources were not among the primary targets.

The global picture over these three days confirms the same imbalance. A total of 149 attacks on 110 organizations in 16 countries were reported. While 12 groups participated in the campaign, just three of them accounted for almost three-quarters of the activity. Keymous+ accounted for 26.8% of all global reports, DieNet for 25.5%, and NoName057(16) for 22.2%. Together, these three groups accounted for 74.6% of the total volume of observed DDoS campaigns. Among target types, government organizations once again led the way with a 47.8% share. Next came finance with 11.9%, telecommunications with 6.7%, transportation with 5.2%, manufacturing with 4.5%, and business services with 3.7%. Consumer services, holding companies, and the hospitality sector each accounted for approximately 3%.

The regional preponderance was even more pronounced. The Middle East received 71.8% of all reports, Europe 22.8%. North America and Asia appeared significantly calmer during the same days. Among the countries under the greatest pressure, Kuwait accounted for 29.1% of all global activity, Israel 19.5%, Jordan 15.4%, Denmark 12.8%, and the UAE 5.4%. The figures demonstrate a simple point: the digital aspect of the conflict no longer appears to be a sideline to the fighting. It is a distinct campaign of pressure on government and socially important services.
 