David Sancho, Senior Antivirus Threat Researcher at Trend Micro, investigates the threat of “hacktivism” against the modern enterprise.

The term itself may have been coined in the late 1990s, but hacktivism is still thriving in the mid-2020s. In fact, what were once loosely connected and decidedly amateur activist groups are increasingly evolving into more highly skilled, focused and formidable “digital militias”. And they are determined to make an impact.

The bad news for corporate network defenders is that hacktivists can always contrive a pretence to attack. That means no organisation is safe. It’s time to expect the unexpected.

From activism to impact

For many years, hacktivism was associated with groups like Anonymous and LulzSec. These organisations mainly used distributed denial of service (DDoS) attacks and web defacement to make political points. Although their rhetoric may have been fierce, these highly distributed collectives mainly worked to raise awareness of political causes. Notably, these included the Occupy movement, the Arab Spring, and the treatment of Julian Assange. Their campaigns rarely caused significant financial, reputational or operational harm to the chosen victims. Websites soon came back online, defaced pages were returned to normal, and the world quickly forgot about any non-sensitive information that may have been leaked.

That’s certainly not the case in 2025. The hacktivist groups we encounter today are usually focused on impact as well as attention. They want to hack and leak sensitive information, destabilise governments and businesses, and even disrupt critical services. As a result, they’re more likely to be made up of a tighter inner circle of skilled operatives. These operatives then recruit carefully in secret and focus on operational security (OpSec) to evade the authorities.

Understanding the drivers for hacktivism

Their motivation could be ideological, political, nationalist or simply opportunistic, and in some cases a blend of more than one of these drivers. Most tend to be ideologues focused on religious or geopolitical conflicts. Think: pro-Russian “NoName057(16)”, which accuses its detractors of “supporting Ukrainian nazis”, or GhostSec, which claims to fight for a free Palestine.

Then there are the politically motivated groups that seek to influence government policy. SiegedSec has targeted the conservative initiative Project 2025, while being a vocal participant in #OpTransRights. GlorySec, a likely South American group of self-described anarcho-capitalists, has aligned with Taiwan in its attempt to break free from China’s sphere of influence.

Nationalist groups are less common but often go heavy on cultural symbols and patriotic rhetoric to justify their actions. The Indian “Team UCC” likes to position itself as a defender of persecuted Hindus worldwide, especially in Bangladesh. Several pro-Russian groups also fit the nationalist mould, with prominent Russian flags and jingoistic pronouncements about defending the motherland.

Opportunistic groups, on the other hand, seem to target victims simply because they are easy to hack. For example, SiegedSec hacked into a Chinese messaging application’s website, claiming that “it’s not secure at all”.

The picture gets more confusing still when one looks closer. The Israel-Hamas conflict has drawn in groups for which this fight is not their main focus, such as Team UCC (pro-Israel). Pro-Russian groups often side with China in disputes, for example. GlorySec, meanwhile, aligns with Ukraine, NATO and Israel but seems unsupportive of trans rights. The bottom line is that these loose cannons could theoretically find a reason to turn their firepower on any potential target.

Hacktivism, cybercrime and state-level attacks

Hacktivist groups pursue these goals using many familiar tactics, techniques and procedures (TTPs). DDoS is a favourite, and such attacks are now fairly straightforward to launch given the number of booter sites open for business. Although these attacks have become more advanced of late, incorporating multiple attack vectors to bypass traditional mitigations, they are relatively low impact. Likewise, web defacements are usually short-lived, even though some more recent attacks include malicious code injections intended to compromise victim networks.

More concerning for organisations caught in the hacktivist crossfire are hack-and-leak campaigns, which are designed to exfiltrate sensitive data and publish it via file-sharing platforms. The Iranian state-aligned group Cyber Av3ngers has been a prolific exponent of this, sharing details of SCADA systems from an Israeli facility, although the material was subsequently assessed to be recycled.

The same group has been linked to attacks on critical infrastructure systems, an increasingly popular tactic for hacktivists. Its compromise of Israeli-made industrial control devices in utilities facilities led to much hand-wringing from American security experts, and left residents in Ireland without drinking water for two days.

Perhaps most concerning are the increasingly blurred lines between hacktivism and cybercrime. Some groups, like CyberVolk, are using ransomware to fund their operations. Others have promoted a variant dubbed “SMTX_GhostLocker”, which appears to have been developed by GhostSec. And some hacktivists, like Ikaruz Red Team, use ransomware against their victims, although not ostensibly to generate profits.

An equally concerning development is the alignment of state activity with hacktivism. This is most obvious in Russia, where groups like NoName and KillNet have long been suspected of government direction or arm’s-length involvement. The UK’s NCSC has warned about the potential for destructive attacks by such groups.

Playing the long game

Against this fast-evolving backdrop, the best response for CISOs is to get back on the front foot: invest in DDoS mitigation, and document and patch external systems to reduce the risk of defacements. For more sophisticated threats, the best approach is attack surface risk management (ASRM), which continuously monitors assets for security gaps and then recommends remediation steps. Combined with extended detection and response (XDR), it provides both resilience and rapid discovery and containment of threats before they can cause harm.
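The ASRM loop described above (inventory external assets, check each for gaps, rank remediation) can be reduced to a small rules engine. The script below is an added illustration, not Trend Micro's product or code; the inventory, the services and the "minimum fixed version" table are constructed values for the example, and the rules (unpatched internet-facing software, no DDoS mitigation in front of a public host, an asset missing from the inventory) are simply the three concerns the section raises.

```python
"""Hypothetical attack-surface risk check (added example, not Trend Micro code).

Every asset, version and fix baseline here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    service: str          # software exposed on the host, e.g. "nginx"
    version: str          # version as discovered, e.g. "1.24.0"
    internet_facing: bool  # reachable from the public internet
    ddos_protected: bool   # fronted by a DDoS mitigation service
    documented: bool       # already present in the asset inventory


# Constructed table: the lowest version that closes the known gaps for each
# service. In practice this would be fed from advisories or a vuln scanner.
MIN_FIXED_VERSION = {
    "nginx": "1.26.0",
    "wordpress": "6.5.0",
    "openssh": "9.8",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.26.0' into (1, 26, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def assess(asset: Asset) -> list[tuple[int, str]]:
    """Return (severity, finding) pairs for one asset, highest severity first.

    Severity 3 = unpatched and internet-facing, 2 = public host without DDoS
    mitigation, 1 = housekeeping (internal patch gap, undocumented asset).
    """
    findings: list[tuple[int, str]] = []
    fixed = MIN_FIXED_VERSION.get(asset.service)
    if fixed is None:
        findings.append((1, f"no fix baseline for {asset.service}; review manually"))
    elif parse_version(asset.version) < parse_version(fixed):
        severity = 3 if asset.internet_facing else 1
        findings.append((severity, f"patch {asset.service} {asset.version} to >= {fixed}"))
    if asset.internet_facing and not asset.ddos_protected:
        findings.append((2, "route through DDoS mitigation"))
    if not asset.documented:
        findings.append((1, "add to external asset inventory"))
    return sorted(findings, reverse=True)


def remediation_plan(assets: list[Asset]) -> list[tuple[str, int, list[str]]]:
    """Rank hosts by their worst finding; hosts with no findings are omitted."""
    plan = []
    for asset in assets:
        findings = assess(asset)
        if findings:
            plan.append((asset.host, findings[0][0], [text for _, text in findings]))
    plan.sort(key=lambda row: (-row[1], row[0]))
    return plan


# Constructed inventory for the example run.
INVENTORY = [
    Asset("www.example.test", "nginx", "1.24.0", True, False, True),
    Asset("blog.example.test", "wordpress", "6.5.2", True, True, False),
    Asset("intranet.example.test", "nginx", "1.24.0", False, False, True),
    Asset("bastion.example.test", "openssh", "9.9", True, True, True),
]

if __name__ == "__main__":
    for host, severity, steps in remediation_plan(INVENTORY):
        print(f"[sev {severity}] {host}")
        for step in steps:
            print(f"    - {step}")
```

Run as-is, the plan puts the unpatched, unprotected public web server first, then the two housekeeping items, and drops the fully patched bastion host; the same two-step structure (assess, then rank) is what a continuous ASRM process repeats on every inventory refresh.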

Above all, plan for the long term. These digital militias aren’t going anywhere.
