Recent distributed denial-of-service (DDoS) attacks targeting South African internet infrastructure providers, web hosting companies and connectivity services reflect a broader escalation in both the scale and sophistication of cyberthreats facing the country’s digital economy, according to NETSCOUT.
The warning follows a wave of high-profile local incidents that reportedly disrupted hosting providers, ISPs and internet infrastructure services across the country, raising concerns around increasingly coordinated and potentially extortion-linked DDoS activity.
“The recent incidents impacting South African infrastructure providers demonstrate how DDoS campaigns are evolving beyond isolated disruptions into broader attacks against critical digital ecosystems, states Bryan Hamman, area vice president for Africa, NETSCOUT. “Attackers are deploying multi-vector DDoS attacks, combining multiple techniques within a single incident to overwhelm defences. This continues the shift toward more adaptive and harder-to-mitigate attack strategies.”
Recent insights from NETSCOUT’s Threat Intelligence Report for the second half of 2025 showed that South Africa has become one of the most targeted countries globally for DDoS attacks against key several key industries. Notably, the country is listed as:
- #1 globally for attacks on other computer-related services;
- #1 globally for computer systems design services onslaughts;
- #1 globally for attacks on insurance agencies and brokerages;
- #1 globally for commercial banking targeting;
- #1 globally for strikes against portfolio management and investment advisory services;
- #4 globally for assaults on electronic computer manufacturing; and
- #10 globally for bombardments against all other telecommunications.
Between July and December 2025, South Africa recorded 171,812 DDoS attacks, highlighting the scale of the local threat landscape. The average attack duration exceeded 74 minutes, increasing the risk of prolonged service disruption.
Within the broader Europe, Middle East and Africa (EMEA) region, South Africa was also ranked as the fifth most targeted country for DDoS attacks over the period, stressing the country’s growing exposure within the regional cyberthreat landscape.
The recent spate of attacks against South African hosting and connectivity providers aligns closely with this trend, demonstrating how attackers are focusing on upstream infrastructure organisations where disruption can affect thousands of downstream businesses and users simultaneously.
Hamman notes that DDoS attacks are increasingly being used alongside intimidation and extortion tactics, particularly when targeting critical service providers.
“Attackers use sustained DDoS campaigns not only to disrupt services, but also to pressure organisations into making payments or complying with demands under the threat of prolonged outages. Infrastructure providers are particularly vulnerable to these tactics because attacks against a single operator can rapidly cascade across multiple customers, platforms and dependent services.”
The recent South African events highlight how attackers are seeking maximum operational and reputational impact by targeting organisations that sit at the centre of the digital ecosystem. The increase of AI-driven DDoS operations and dark web LLMs (large language models), persistent hacktivist and botnet activity and more accessible DDoS-for-hire services are lowering the barriers to entry, enabling a wider range of threat actors to launch high-impact attacks at scale.
“These findings highlight the urgent need for organisations to strengthen their cyber resilience strategies,” Hamman stresses. “The latest incidents affecting South African internet infrastructure providers highlight how critical resilience and rapid mitigation capabilities have become. With organisations becoming more and more interconnected, attacks against a single provider can rapidly affect entire business ecosystems. Real-time visibility, intelligence-led mitigation and proactive preparedness are essential components of operational continuity.”
NETSCOUT protects two-thirds of the routed IPv4 space, securing network edges that carried global peak traffic of over 800 Tbps, covering 376 industry verticals and 12,698 Autonomous System Numbers (ASNs) in the second half of 2025. It monitors tens of thousands of daily DDoS attacks by tracking multiple botnets and DDoS-for-hire services that leverage millions of abused or compromised devices.
