Israeli, US strikes against Iran triggers a surge in hacktivist activity

On Feb. 28, 2026, the U.S. and Israel launched coordinated strikes against Iran, marking the start of open conflict after months of escalating tensions. Iran retaliated with its own large-scale missile and drone attacks against military and civilian targets located across the Persian Gulf. This included entities in Bahrain, Iraq, Jordan, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates (UAE). Iranian forces also fired missiles toward military locations in Cyprus, prompting air defense responses and heightened security alerts. Meanwhile, inside Iran, authorities sought to restrict the flow of information and imposed a widespread internet shutdown. Within hours of the initial strikes, numerous hacktivist actors and groups took to the underground to proclaim their position. While the majority of hacktivist attacks observed were against targets in Israel, the U.S. and the Gulf region, in support of and in solidarity with Iran, groups also targeted Iranian assets.

Intel 471 distributed denial-of-service data snapshots

Our internal distributed denial-of-service (DDoS) data aggregated via automated tracking of check-host.net verification links, which are a standard for "proof of compromise" within the hacktivism community, displayed a significant increase in attacks on Feb. 28, 2026. We have since seen a sustained level of alleged DDoS attacks.

Figure 1: This graph depicts the number of DDoS claims observed in the week of Feb. 27, 2026 through March 3, 2026.

In the week of Feb. 27, 2026 to March 6, 2026, Israel was by far the most impacted region, followed by Kuwait and Jordan. Additionally, Bahrain, Qatar and the UAE also landed in the top ten most impacted regions for the week. Moreover, the top three most impacted industries were national government, aerospace and defense, and technology.

Figure 2: The image depicts a density map based on the top-level domains (TLDs) of victims, where identifiable, from our coverage Feb. 27, 2026 to March 6, 2026.

Observed hacktivist claims

Pro-Iran

Pro-Iranian and Iran-aligned nation-state-associated actors quickly positioned themselves as part of the broader retaliation narrative. Associated hacktivist activity largely targeted the U.S., Israel and neighboring nations, and consisted of a mix of data breach claims and DDoS attacks that included:

• Members of the Iranian Handala Hack nation-state group claimed to compromise multiple oil and gas organizations, spanning locations such as Israel, Jordan and Saudi Arabia.[1] The group also allegedly compromised an Israel-based research institute.[j]
• Members of the Iranian hacktivist group WeAreUst claimed to collaborate with the Anonymous Sana’a group to the compromise of an Israel-based defense and security technology company.[1]
• Members of the Iranian UniT 313 group claimed responsibility for DDoS attacks targeting military and government entities in Bahrain and Saudi Arabia.[1]
• Members of the Cyber ​​Islamic Resistance group claimed to compromise home routers belonging to an Israel-based fiber optics and communications company as well as a control systems manufacturer. The group also claimed responsibility for a DDoS attack targeting the U.S. military online directory.[1]
• Members of the Iraqi hacktivist group FAD Team claimed responsibility for attacks against supervisory control and data acquisition (SCADA) systems impacting Israel and allied countries.[1]
• Members of the North African Keymous hacktivist group allegedly carried out DDoS attacks against several Israeli telecommunication companies.[1]
• Members of the DieNet hacktivist group claimed responsibility for DDoS attacks targeting various Kuwait-based government websites.[1]
• The Iranian actor Mr. Soul threatened to start independent activities against Israel. The actor later claimed access to Israel's power transmission infrastructure and allegedly targeted and disabled Israel’s warning sirens.[h][i]
  • Comment: We previously reported the actor was a member of the Cyber Av3ngers nation-state group.
• The Cyber Isnaad Front claimed to have attacked the Israeli government and military communications infrastructure.[g]

Pro-Russian hacktivist groups show support to Iran

On March 2, 2026, the highly active pro-Russian hacktivist group NoName057(16) pledged its solidarity with Iran and claimed to begin DDoS attacks against Israel-based entities under the operational tag #OpIsrael. Targets included websites of political parties, local authorities and telecommunications companies.[2] We have since observed several other pro-Russian groups claim and/or threaten attacks likely in support of or in solidarity with Iran. This included:

• The Hider_Nex group joined #Op_Israel_USA and allegedly disrupted the availability of an Israel-based telecommunications company.[a]
• The PalachPro group expressed a desire to assist Iranian hackers in attacks against Israeli and U.S. entities.[b]
• The Z-Pentest Alliance group claimed to have obtained full control of a pump control and water supply management system in Israel.[c]
• The RuskiNet Group claimed to have taken down the website of KPMG Israel via a DDoS attack.[d]
• The Dark Storm Team claimed to have carried out DDoS attacks against several Israeli banks.[e]
• The Cardinal and Russian Legion groups jointly claimed responsibility for attacks against Israeli military systems, including claims breaching Iron Dome radar and interception systems.[f]

Anti-Iranain

Meanwhile, we also observed anti-Iranian hacktivist attack claims. However, these incidents were far less in volume and appeared to focus more on a psychological and/or political impact within Iran. Claims included:

• Members of the Anonymous - אַנונִימִי hacktivist group shared personally identifiable information (PII) allegedly belonging to members of the Islamic Revolutionary Guard Corps (IRGC) and Iranian military operatives. The group also claimed responsibility for a DDoS attack targeting Iranian regime-affiliated news agencies.
• The 𝑨𝑵𝑶𝑵𝒀𝑴𝑶𝑼𝑺 𝑺𝒀𝑹𝑰𝑨 𝑯𝑨𝑪𝑲𝑬𝑹𝑺 group announced a campaign against Iran and claimed to have targeted the database of an e-commerce website, leaking PII, login credentials and PayPal account information.

Assessment, outlook

The recent surge in pro-Iranian hacktivist activity currently is providing the Iranian regime with a greater ability to project perceived power in a time where domestic connectivity is highly constrained. The aforementioned groups almost certainly are attempting to distract regional adversaries — mainly Israel and their western allies — by employing DDoS attacks and other disruptive cyber tactics. While the actual damage was likely negligible, the aim of the attacks likely was to serve as a show of resistance.

Meanwhile, pro-Russian groups almost certainly are seizing the opportunity to expand their influence by collaborating with pro-Iran and pro-Palestinian collectives. This behavior is not new, as these groups often supported one another in the past following geopolitical flare-ups. These collaborations can be mutually beneficial since groups often re-post activity to their followers amplifying the effect of their actions. Furthermore, for pro-Russian groups, participating in hacktivist activity in support of Iran allows them to extend their reach into the Middle East, maintain their anti-Western geopolitical alignment, and promote themselves as high-profile actors and/or groups in the hacktivist ecosystem by continuing to target critical infrastructure and government entities.

Nevertheless, it is important to emphasize that while the surge in DDoS attacks, website defacements and other aforementioned disruptive cybercrime is real, these groups frequently exaggerate the actual impact and/or depth of their activity in an attempt to maximize psychological impact and media attention. Looking ahead in the near term, we expect regional tensions to persist resulting in continued attacks from both pro-Iranian and pro-Russian collectives against the U.S., Israel and other Gulf nations. These likely will remain in the form of varying disruptive actions including DDoS attacks and claims of data breaches, focused on entities in industries such as banking, government, oil and gas, telecommunications and other critical national infrastructure. In the medium to long term, we typically see a reduction in attacks as actor interest wanes but devout and state-associated adversaries likely will persist in their activity.

How Intel 471 can help

Intel 471 can support customers during periods of heightened geopolitical tension and fast-moving hacktivist activity by combining real-time collection, curated analytic context and operationally actionable outputs.

The Intel 471 Geopolitical Intelligence team is tracking Israel and U.S. attacks on Iran and responses via Situation Report (SITREPs) and follow-on reporting in subsequent Spot Reports. Geopolitical Intelligence customers can track the event in Verity471 by searching and alerting on the text “SITREP 3.X.” We continue to monitor and assess discussions in the underground ecosystem and regional news relating to the latest activity on this event topic.

For access to Intel 471’s Geopolitical Intelligence module, please contact us at sales@intel471.com .