Kaspersky researchers have published a new report, Signal in the Noise, analysing more than 120 hacktivist groups and over 11,000 hacktivist posts shared across surface and dark web channels in 2025. The study reveals that hashtags have become the connective tissue of hacktivist campaigns, serving as identifiers, coordination markers, and claims of responsibility. While distributed denial of service (DDoS) attacks remain the most common attack method.
The research shows that hacktivist activity is global in scope, extending well beyond conflict zones in the Middle East and North Africa to include targets across Europe, Asia, and the Americas. Another unique characteristic is that once hacktivists announce their intention to target a victim, they typically follow through quickly, launching attacks soon after declarations.
Key findings from the report:
- Hashtags as operational tools: Over 2,000 unique hashtags were tracked in 2025, with 1,484 appearing for the first time this year. While most tags last only about two months, “popular” ones persist longer when amplified through alliances.
- Global targeting: Victims span diverse regions including Europe, the United States, India, Vietnam, and Argentina, confirming hacktivists’ preference for reach and spectacle over localised focus.
- DDoS dominance: 61% of attack reports were linked to DDoS, and 90% of malicious outbound links pointed to third-party tools used to verify downtime.
- Short-term threat windows: Hacktivists typically act within days or weeks of issuing public threats, underscoring the importance of rapid monitoring and response.
- Alliances shape momentum: Hacktivist groups frequently collaborate, pooling resources to achieve greater impact. These alliances are often announced with new hashtags symbolising unity and shared campaigns.
“Hacktivist groups thrive on visibility rather than stealth, unlike typical cybercriminals. However, their craving for publicity can ultimately be turned against them,” said Kseniya Kudasheva, Digital Footprint Analyst at Kaspersky. “By continuously monitoring hacktivist groups, businesses and governments can gain early insights into where attacks may be directed next. That’s why it’s crucial for organisations to leverage tools like Kaspersky Digital Footprint Intelligence – to transform these signals into actionable threat insights,” she added.
To stay ahead of the threats, Kaspersky advises businesses and government institutions worldwide to:
- Prioritise DDoS mitigation with scalable defences and tested response plans.
- Invest in continuous monitoring of surface and dark web ecosystems to surface alliance announcements, threat posts, and cross-posted “proof” of attacks quickly.
- Treat hacktivist threats as short-term warnings and prepare defences accordingly.
- Recognise global exposure: Even organisations outside conflict regions should assume potential risk, as hacktivist campaigns seek attention rather than geographic precision.
