Hacking group NoName057(16) remains the most prolific DDoS player as automation, AI, and rogue LLMs make Tbps attacks a common occurrence
The first half of 2025 marked another major escalation in distributed denial-of-service (DDoS) activity, with new NetScout research documenting over eight million attacks worldwide in these six months. This surge in DDoS activity highlights the growing threat landscape, as more than three million attacks were recorded across Europe, the Middle East, and Africa, underscoring the regional strain.
These findings suggest that DDoS attacks are no longer an occasional disruption but have become a common method of destabilizing essential networks. Geopolitical tensions remain a key trigger for major attack campaigns, with disputes between India and Pakistan spurring extensive waves of hostile activity against Indian financial and governmental systems. Similarly, during confrontations involving Iran and Israel, over 15,000 strikes targeted Iranian infrastructure in a matter of days, while fewer than 300 targeted Israel.
Even international forums were not spared, with events in Switzerland experiencing more than 1,400 incidents in a single week. The use of compromised devices operating as botnets has played a significant role in these attacks, with attackers launching an average of 880 botnet-driven incidents daily in March 2025 alone.
These compromised systems typically included routers, servers, and IoT devices, often relying on known flaws rather than undiscovered vulnerabilities. Despite years of security warnings, these weaknesses remain consistently exploited, enabling short but impactful campaigns that disrupt dependent services. For organizations relying only on basic antivirus or endpoint protection, sustained botnet traffic presents challenges that overwhelm conventional safeguards.
The evolution of DDoS campaigns has been accelerated by automation and artificial intelligence. Multi-vector strikes and carpet-bombing techniques now occur faster than defenders can respond, creating asymmetric pressure. NetScout also pointed to the emergence of "rogue LLMs," which provide hostile actors with accessible planning and evasion methods.
Combined with DDoS-for-hire platforms, these tools have significantly reduced the barriers for inexperienced attackers, enabling high-capacity strikes with minimal technical depth. The outcome is that Tbps-scale incidents have shifted from rare spectacles to constant risks.
NoName057(16) continues to execute the most frequent campaigns
Among hacktivist collectives, NoName057(16) continues to execute the most frequent campaigns, far outpacing rivals. In March, the group claimed over 475 attacks, primarily directed at government portals in Spain, Taiwan, and Ukraine.
Their reliance on varied flooding techniques indicates both coordination and persistence, suggesting ideological motivations beyond opportunistic disruption. While new players such as DieNet and Keymous+ entered the scene with dozens of attacks across multiple sectors, their activity still fell short compared with NoName057(16)'s scale.
Experts warn that traditional defenses are no longer sufficient
"As hacktivist groups leverage more automation, shared infrastructure, and evolving tactics, organizations must recognize that traditional defenses are no longer sufficient," stated Richard Hummel, director, threat intelligence, NetScout. "The integration of AI assistants and the use of large language models (LLMs), such as WormGPT and FraudGPT, escalates that concern."
And while the recent takedown of NoName057(16) was successful in temporarily reducing the group's DDoS botnet activities, preventing a future return to the top DDoS hacktivist threat is not guaranteed," Hummel added.
About the author
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.
His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, Efosa is also focused on B2B security products. He can be contacted at this email: udinmwenefosa@gmail.com