149 Hacktivist DDoS Attacks Hit 110 Organizations Across 16 Countries

• .What: 149 DDoS attacks by 12 pro-Iranian hacktivist groups in 3 days.
• .Who: 110 organizations across 16 countries - banks, airports, telecoms, government.
• .Top Groups: DieNet (59 claims), Keymous+ (51 claims), NoName057(16).
• .Most Targeted: Kuwait (28%), Israel (27.1%), Jordan (21.5%).

On February 28, 2026, the United States and Israel launched coordinated military strikes on Iran - Operation Epic Fury and Operation Roaring Lion.

Within hours, twelve pro-Iranian hacktivist groups activated a pre-planned DDoS campaign against civilian infrastructure across the Gulf and broader Middle East.

The first wave of attacks struck financial institutions and government portals in Kuwait, which absorbed 28% of total targeting.

DieNet, the most active group, published structured target lists on Telegram before launching attacks - indicating that targeting packages had been prepared in advance of the kinetic escalation.

Between February 28 and March 6, the groups executed 149 DDoS attacks against 110 distinct organizations in 16 countries.

DieNet led with 59 attack claims, followed by Keymous+ with 51. The attacks used volumetric flooding (UDP/TCP amplification), application-layer HTTP/HTTPS floods, and DNS query floods to overwhelm targets.

The UAE Cybersecurity Council confirmed intercepting between 90,000 and 200,000 attacks per day at peak volume.

Notably, NoName057(16) - a Russian-linked hacktivist group typically focused on European and Ukrainian targets - participated in the campaign, indicating cross-pollination between pro-Russian and pro-Iranian hacktivist ecosystems.

Targets spanned critical infrastructure sectors: Riyad Bank and Al Rajhi Bank in Saudi Arabia, Kuwait International Airport, Batelco in Bahrain, du in the UAE, and electricity and water authorities across multiple GCC states.

Of 21 threat groups tracked by researchers, 15 (71.4%) were identified as state-sponsored. The campaign represented the most intense period of hacktivist cyber operations the Gulf region has experienced.

• .Riyad Bank and Al Rajhi Bank (Saudi Arabia) - two of the Kingdom's largest financial institutions
• .Kuwait International Airport - primary international gateway handling 15+ million passengers annually
• .Batelco (Bahrain) - the country's incumbent telecommunications provider
• .du (UAE) - one of two major telecoms serving the Emirates
• .Government ministries across Qatar, Bahrain, UAE, Kuwait, Saudi Arabia, and Jordan
• .Electricity and water authorities in multiple GCC states

The targeting was not random. DieNet published structured target lists on Telegram before launching attacks, indicating pre-planned targeting rather than opportunistic attacks. Kuwait absorbed the highest share (28%), followed by Israel (27.1%) and Jordan (21.5%).

DieNet (59 attack claims): The most active group. Published structured target lists on Telegram prior to attacks. Operational tempo of nearly 10 attacks per day suggests significant botnet resources.

Keymous+ (51 attack claims): The second most active group, with documented history of targeting Middle Eastern infrastructure in alignment with Iranian geopolitical interests.

NoName057(16): A Russian-linked hacktivist group that pivoted from its typical focus on European and Ukrainian targets - indicating coordination between pro-Russian and pro-Iranian hacktivist ecosystems.

The DDoS attacks used a combination of volumetric flooding (UDP/TCP amplification), application-layer attacks (HTTP/HTTPS floods), and DNS query floods. The UAE Cybersecurity Council confirmed intercepting 90,000 to 200,000 attacks per day at peak.

71.4% of tracked threat actors (15 of 21 groups) were identified as state-sponsored.

Threat Actor Groups (12 total):

• .DieNet (59 claims), Keymous+ (51 claims), NoName057(16) (pro-Russian)
• .Nation of Saviors, Conquerors Electronic Army, Sylhet Gang, 313 Team
• .Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team

Campaign Statistics:

• .149 DDoS attacks in ~72 hours (Feb 28 - Mar 6, 2026)
• .110 organizations across 16 countries
• .90,000-200,000 attacks per day intercepted (UAE Cybersecurity Council)
• .71.4% of tracked actors identified as state-sponsored

Geographic Distribution:

• .Kuwait: 28%, Israel: 27.1%, Jordan: 21.5%

Coordination:

• .Telegram (primary operational channel and target list distribution)

1. Always-On DDoS Protection - not on-demand scrubbing

2. Geographic Traffic Filtering during elevated geopolitical tension

3. Cross-Sector Threat Sharing between banks, telecoms, airports, and government

4. Redundant DNS and CDN with automatic failover

The Hacker News, Palo Alto Unit 42, SOCRadar, AGBI, UAE Cybersecurity Council