- Tbps-scale DDoS attacks have gone from rare anomalies to constant threats
- Hacktivist groups weaponize automation and botnets to destabilize fragile infrastructure
- Political disputes are increasingly spilling online and triggering destructive waves of cyber aggression
The first half of 2025 marked another major escalation in distributed denial-of-service (DDoS) activity, with new Netscout research documenting more than eight million attacks around the world in those six months.
More than three million of these attacks were registered across Europe, the Middle East and Africa, underscoring the regional strain.
The research also noted that terabit-per-second-scale strikes, once rare anomalies, have become almost routine, with peaks reaching 3.12 Tbps in the Netherlands and 1.5 Gbps in the United States.
Political conflict drives digital aggression
These findings suggest that DDoS attacks are no longer an occasional disturbance but an entrenched method of destabilizing essential networks, with geopolitical tension remaining a key trigger for larger attack campaigns.
Netscout noted how disputes between India and Pakistan spurred extensive waves of hostile activity against Indian economic and state systems.
Similarly, during confrontations involving Iran and Israel, more than 15,000 strikes targeted Iranian infrastructure in a few days, while fewer than 300 targeted Israel.
Even international forums were not spared, with events in Switzerland hit by more than 1,400 attacks in a single week.
Much of this scale depends on compromised devices operating as botnets.
In March 2025 alone, attackers launched an average of 880 botnet-driven events daily, with peaks of 1,600.
The compromised systems typically included routers, servers and IoT devices, with attackers often relying on known flaws rather than undiscovered vulnerabilities.
Despite many years of security warnings, these weaknesses continue to be exploited, enabling short but effective campaigns that disrupt dependent services.
For organizations that depend only on basic antivirus or endpoint protection, such sustained botnet traffic presents challenges that overwhelm conventional security measures.
Furthermore, the evolution of DDoS campaigns has been accelerated by automation and artificial intelligence.
Multi-vector strikes and carpet-bombing techniques now unfold faster than defenders can respond, creating asymmetric pressure.
Netscout also pointed to the emergence of “rogue LLMs”, which give hostile actors accessible planning and evasion methods.
Combined with DDoS-for-hire platforms, these tools have significantly lowered the barriers for inexperienced attackers, allowing high-capacity strikes with minimal technical depth.
The result is that Tbps-scale events have changed from rare spectacles to constant risks.
Among hacktivist collectives, NoName057(16) continues to carry out the most frequent campaigns, far exceeding its rivals.
In March, the group claimed more than 475 attacks, primarily aimed at government portals in Spain, Taiwan and Ukraine.
Its reliance on varied flooding techniques indicates both coordination and persistence, suggesting ideological motivations beyond opportunistic disruption.
While new players such as DieNet and Keymous+ entered the scene with dozens of attacks across multiple sectors, their activity still fell short of NoName057(16)’s scale.
“As hacktivist groups utilize more automation, shared infrastructure and evolving tactics, organizations must acknowledge that traditional defense is no longer sufficient,” said Richard Hummel, director, threat information, Netscout.
“The integration of AI assistants and the use of large language models (LLMs), such as WormGPT and FraudGPT, escalates this concern. And while the recent dismantling of NoName057(16) was successful in temporarily reducing the group’s DDoS botnet activities, which prevents a future return to the top DDoS hacktivist threat.”



