Global DDoS Attacks Surpass 8 Million as Geopolitical Tensions Rise

A new report from cybersecurity firm NETSCOUT reveals a record-breaking surge in distributed denial-of-service (DDoS) activity, with more than eight million global attacks recorded in the first half of 2025. Attackers are increasingly timing assaults to coincide with major political events to maximize disruption and public impact.

Nation-states and hacktivist collectives now regularly use DDoS attacks to degrade or disable essential services, including communications, transportation, and energy infrastructure. The report highlights a worrying trend: high-profile international gatherings and geopolitical flashpoints are prime targets for these digital sieges.

For example, when the World Economic Forum met in January, Switzerland experienced over 1,400 DDoS incidents—about double its normal rate—demonstrating how attackers concentrate efforts around major diplomatic and economic events. Well-known hacktivist groups such as NoName057(16) are responsible for many of these coordinated campaigns and continue to mount hundreds of attacks each month.

Regions across Europe, the Middle East, and Africa bore the brunt of the activity, enduring roughly 3.2 million attacks. NETSCOUT documented more than 50 assaults that exceeded one terabit per second (Tbps), including a peak event in the Netherlands that reached 3.12 Tbps. These volumetric attacks are massive floods of traffic intended to overwhelm even highly resilient online services.

One major driver behind the rise is the widespread availability of DDoS-for-hire services on underground markets. These services allow nearly anyone with a grievance and modest cryptocurrency funds to carry out sophisticated attacks, lowering the barrier to entry and empowering inexperienced actors to cause significant harm.

Attackers are also adopting advanced tactics, including AI-driven automation and “carpet-bombing” strategies that distribute traffic across many targets, rendering conventional defenses less effective. The combination of automation, shared infrastructure, and evolving techniques has produced a higher, more persistent level of cyber risk.

The backbone of many large-scale DDoS campaigns remains expansive botnets: tens of thousands of compromised IoT devices, servers, and routers operating in concert. These “zombie” networks sustain attacks for an average of more than 18 minutes—enough time to inflict substantial operational and financial damage. In March alone, there was an average of 880 bot-driven attacks per day, and one day even saw a spike to 1,600 attacks.

Geopolitical conflicts have quickly spilled into cyberspace. Following the recent escalation between Iran and Israel, NETSCOUT observed over 15,000 attacks targeting Iranian networks, while Israeli networks experienced 279 incidents. The report notes that nearly all of the attacks against Iran originated from networks outside the country, illustrating how DDoS traffic often traverses third-party infrastructure and can impose collateral effects on unrelated networks.

Hacktivist group NoName057(16) remains a dominant force. In March, the group claimed over 475 global DDoS operations—337% more than its nearest competitor—and targeted government websites in countries including Spain, Taiwan, and Ukraine.

New actors are appearing rapidly. The group DieNet emerged in March and has already launched more than 60 attacks against critical infrastructure using rented DDoS services. Another newcomer, Keymous+, has struck 73 targets across 28 industries in 23 countries, underscoring how quickly these threats proliferate and diversify.

Richard Hummel, Director of Threat Intelligence at NETSCOUT, warned that as hacktivist groups adopt more automation, shared tooling, and novel tactics, organisations must adjust their defensive posture. He also highlighted the increasing role of AI tools—such as malicious language-model-based assistants—in escalating attack sophistication. Hummel noted that while takedowns can temporarily disrupt groups like NoName057(16), those actions do not guarantee a permanent end to their activities.

As DDoS attacks become a normalized component of modern conflict, proactive defenses and real-time threat visibility are essential. Without continuous monitoring and adaptive mitigation, not only the intended targets but also countless third parties risk becoming collateral damage.
