Hacking group NoName057(16) remains the most prolific DDoS player as automation, AI, and rogue LLMs make Tbps attacks a common occurrence

News
By published

NoName057(16) outpaces rivals with relentless strikes

Representational image of a hacker
Image Credit: Shutterstock (Image credit: Shutterstock)
  • Tbps-scale DDoS attacks have shifted from rare anomalies to constant threats
  • Hacktivist groups weaponize automation and botnets to destabilize fragile infrastructure
  • Political disputes increasingly spill online, triggering destructive waves of cyber aggression

The first half of 2025 marked another MAJOR escalation in distributed denial-of-service (DDoS) activity, with new NetScout research documenting more than eight million attacks worldwide in these six months.

More than three million attacks were recorded across Europe, the Middle East, and Africa, underscoring the regional strain.

It also noted terabit-per-second scale strikes, once rare anomalies, have become almost routine, with peaks reaching 3.12Tbps in the Netherlands and 1.5Gbps in the United States.

Political conflict drives digital aggression

These findings suggest DDoS attacks are no longer an occasional disruption, but an entrenched method of destabilizing essential networks, as geopolitical tensions remain a key trigger for major attack campaigns.

NetScout noted how disputes between India and Pakistan spurred extensive waves of hostile activity against Indian financial and governmental systems.

Similarly, during confrontations involving Iran and Israel, over 15,000 strikes targeted Iranian infrastructure in a matter of days, while fewer than 300 targeted Israel.

Even international forums were not spared, with events in Switzerland experiencing more than 1,400 incidents in a single week.

Much of this scale also relies on compromised devices operating as botnets.

In March 2025 alone, attackers launched an average of 880 botnet-driven incidents daily, with peaks of 1,600.

The compromised systems typically included routers, servers, and IoT devices, often relying on known flaws rather than undiscovered vulnerabilities.

Despite years of security warnings, these weaknesses remain consistently exploited, enabling short but impactful campaigns that disrupt dependent services.

For organizations relying only on basic antivirus or endpoint protection, such sustained botnet traffic presents challenges that overwhelm conventional safeguards.

Furthermore, the evolution of DDoS campaigns has been accelerated by automation and artificial intelligence.

Multi-vector strikes and carpet-bombing techniques now occur faster than defenders can respond, creating asymmetric pressure.

NetScout also pointed to the emergence of “rogue LLMs,” which provide hostile actors with accessible planning and evasion methods.

Combined with DDoS-for-hire platforms, these tools have significantly reduced the barriers for inexperienced attackers, enabling high-capacity strikes with minimal technical depth.

The outcome is that Tbps-scale incidents have shifted from rare spectacles to constant risks.

Among hacktivist collectives, NoName057(16) continues to execute the most frequent campaigns, far outpacing rivals.

In March, the group claimed more than 475 attacks, primarily directed at government portals in Spain, Taiwan, and Ukraine.

Their reliance on varied flooding techniques indicates both coordination and persistence, suggesting ideological motivations beyond opportunistic disruption.

While new players such as DieNet and Keymous+ entered the scene with dozens of attacks across multiple sectors, their activity still fell short compared with NoName057(16)’s scale.

“As hacktivist groups leverage more automation, shared infrastructure, and evolving tactics, organizations must recognize that traditional defenses are no longer sufficient,” stated Richard Hummel, director, threat intelligence, NetScout.

“The integration of AI assistants and the use of large language models (LLMs), such as WormGPT and FraudGPT, escalates that concern. And, while the recent takedown of NoName057(16) was successful in temporarily reducing the group’s DDoS botnet activities, preventing a future return to the top DDoS hacktivist threat is not guaranteed.”

You might also like

Efosa Udinmwen
Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.