Cybersecurity researchers have documented a dramatic surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran, codenamed Epic Fury and Roaring Lion, with 149 distributed denial-of-service attacks recorded against 110 organisations across 16 countries between February 28 and March 2, 2026. According to Radware’s analysis, the hacktivist threat landscape is heavily concentrated, with just two groups—Keymous+ and DieNet—driving nearly 70 percent of all attack activity during this period. The campaign began when Hider Nex, also known as Tunisian Maskers Cyber Force, launched the first DDoS attack on February 28. Hider Nex is a shadowy Tunisian hacktivist collective that emerged in mid-2025, supporting pro-Palestinian causes through a combined hack-and-leak strategy involving both DDoS attacks and data breaches designed to advance geopolitical objectives.
The attacks were executed by 12 different hacktivist groups with the vast majority of attacks—107 in total—concentrated in the Middle East, disproportionately targeting public infrastructure and state-level organisations. Kuwait bore 28 percent of regional attacks, followed by Israel at 27.1 percent and Jordan at 21.5 percent. Nearly half of all targeted organisations globally belonged to the government sector, with finance and telecommunications sectors representing 11.9 percent and 6.7 percent respectively. Europe experienced 22.8 percent of total global hacktivist activity during the timeframe, demonstrating the geographic spread of these coordinated operations.
The cyber warfare campaign extended beyond DDoS attacks to include multiple sophisticated intrusion attempts and malware operations. Pro-Russian hacktivist groups Cardinal and Russian Legion claimed breaches of Israeli military networks including the Iron Dome missile defense system, while an active SMS phishing campaign deployed a fraudulent replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance malware. Iran’s Islamic Revolutionary Guard Corps targeted energy and digital infrastructure in Saudi Arabia and the United Arab Emirates, striking Saudi Aramco and an Amazon Web Services data center with the intent to inflict maximum global economic pain. Security firms observed Iranian state-sponsored groups including Cotton Sandstorm and UNC1549 intensifying operations against defense, aerospace, telecommunications, and regional government entities.