Why the growth of Hacktivist armies should worry us all

COMMENTARY: In May 2024, the notorious NoName057(16) hacktivist group announced that it and an alliance of eight other groups would disrupt elections to the European Parliament, due to take place in early June.

What they meant by disrupt was launching DDoS attacks against multiple official government and election websites. Between June 6 and 10, NoName057(16) claimed to have conducted 35 attacks, with a further 36 claimed by others.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

For anyone who follows hacktivism closely, none of this was terribly surprising. NoName057(16) is avowedly pro-Russian which meant that attacking western European targets was second nature. It’s been like this since at least the start of the titanic conflict between Russia and Ukraine in 2022, which groups such as NoName057(16) see as a proxy war between Russia and the EU, the US, and anyone else that opposes the invasion.

Hacktivists love a war and the hotter and more kinetic the better. While the bombs and bullets fly, they summon large volumes of data to disrupt digital platforms. When hacktivism came to prominence in the 2010s with Anonymous and LulzSec, many scoffed. What serious harm could a bunch of hackers in a back room possibly do?

Today, people are feeling less sanguine. In addition to NoName057(16) and other prominent names such as Killnet, and Anonymous Sudan (the two alleged masterminds of which were arrested last October by the FBI), Radware now tracks up to 400 smaller groups in a steadily expanding field. Whether this sounds like a lot will depend on one’s perspective. For those who remember the 2010s and Anonymous, the idea that there are hundreds of groups might sound alarming. Then again, this might just be the start.

Rebels with a cause

A big inflection point for today’s hacktivism was the Ukraine war, and not simply because it birthed a range of pro- and anti-Russian groups that remain highly active to this day. It also showed how hacktivism was becoming self-sustaining. It’s arguably one of biggest trends of the post-pandemic hacktivist scene.

There was a time when groups came and went, burning brightly for a while before declining. Now some of these groups are more like organizations that can constantly reinvent themselves, even as personnel change behind the scenes. Just this past week, SC Media posted a story in which Cyble recently reported that hacktivists have now expanded beyond low-level DDoS attacks to targeting critical infrastructure. These type of evolutions will continue.

War and geo-political conflict constantly re-fuels hacktivism. Witness the way that in Q1 2025, the U.S. now finds itself the top target for DDoS hacktivism, ahead of Ukraine, with Israel, India and Taiwan also in the top 10. Spotting what these countries have in common isn’t difficult. While hacktivism has always been avowedly ideological, today, it’s on a hair trigger. If a conflict erupts in any sphere, hacktivism is there almost instantly.

Hackers have merch

What’s intriguing is how all of this has been paid for. After all, as with any expanding endeavor, this generates bigger bills for activists. There’s an assumption that hacktivists borrow and steal infrastructure and sometimes that’s true. But as DDoS defenses improve, even hacktivists are having to turn their hand to previously unthinkable strategies such as old-fashioned brand marketing to sustain their campaigns.

In the last three years, Radware has tracked the growth in hacktivist merchandise used to fund the activities of mostly Russian groups. Presumably, this started out as a sideline but was so successful that the range of items expanded to meet demand. The most infamous example was the news that in 2022 a supporter of the Killnet hacktivist group started selling jewelry promoting the group’s brand, handmade in Russia. This has since expanded into t-shirts, hoodies and other collectibles offered by NoName057(16).

Merchandise generates funds and helps to build the brand while building the brand helps to generate interest. It’s a model every small business understands. This need for acolytes and camp followers should not be underestimated. Discussion of hacktivism often focuses on technical means and effects but, this subculture is just as significant. It marks out today’s hacktivism as a psychological campaign as much as a digital one.

Cybercrime is all about intention – what’s in it for the attackers? In most cases, the answer is profit or, alternatively, in the case of nation- states, the pursuit of national advantage. Hacktivism increasingly serves the latter, but it’s at root about something more fundamental that anyone familiar with social media will understand: attention. Hacktivism understands what matters to ordinary citizens, and what they care about. Think of this as a form of theatre where the stage is someone else’s public-facing website or service. But it’s always a performance for an audience whose interest and involvement serves to amplify the message.

The problem for defenders: the stage keeps expanding and the “productions” grow in ambition.

It’s easy to dismiss hacktivism as a low-level, attention-seeking nuisance. Please do not underestimate the hacktivists. Indeed, some of their actions merge with nation-state activity. As cybercrime grows in its disruptive potency, so hacktivists will pioneer new ways to turn the marvel of the digital world against us.

Pascal Geenens, director of threat intelligence, Radware

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.