Malicious Traffic Has Increased by 245% Since the War in Iran Started

According to one of the world’s major content delivery network providers, malicious internet traffic has gone up 245% since Israel and the US started attacking Iran on February 28.

Akamai Technologies said that during that time, automated reconnaissance traffic went up by 65%, credential-harvesting attempts went up by 35%, infrastructure scanning for exposed services went up by 52%, botnet-discovery traffic went up by 70%, and denial-of-service reconnaissance went up by 38%.

Sandeep Rath, Nitin Singla, Ankita Kharya, and Ryan Gao said on their blog that the war in the Middle East has had an impact on the tourism, hospitality, and energy sectors of the global economy.

They also said that the rise in cybercrime by nation-state actors and ideologically driven hacktivists is even more worrying. These criminals might be based in a completely different region of the world and carry out very complex attacks.

TechNewsWorld spoke with Kharya, the Director of Product Development at Akamai, who said, “Akamai has seen a big rise in bad cyber activities in many areas since February 2026.” “The timing of the increased activity makes it likely that the recent spike is connected to the conflict in the Middle East.”

She said that various hacktivist organizations, such as NoName057(16), Server Killers, 313 team, Keymous+, and others, have claimed to be more active, but Akamai was unable to verify those assertions on its own.

Middle East Conflict Sparks Cyberattack Surge

“The conflict is undeniably the catalyst for this surge,” said Alex Pembrey, senior manager for operational threat intelligence at the NCC Group, a global cybersecurity consultancy.

“After the start of Operations Epic Fury and Roaring Lion on February 28, the Electronic Operations Room was put into action on a large scale. This room was set up to coordinate hacktivist operations backed by Iran’s Islamic Revolutionary Guard Corps,” he told TechNewsWorld.

Pembrey also said that more than 70 hacktivist groups, including multinational groups like the pro-Russian NoName057(16), changed their aim to target any country that was thought to be friendly to the U.S. or Israel.

He remarked, “The 245% increase is a spillover effect where geopolitical retaliation is no longer limited to the immediate theater of war but is aimed at the global digital supply chain and critical infrastructure of allied nations.”

Michael Bell, CEO of Suzu Labs, an AI-powered cybersecurity company in Las Vegas, said, “The conflict is the catalyst, but it’s not the only driver.”

He said that Iran has its own cyber groups that are active. For example, Handala targeted the medical technology business Stryker with a wiper attack, and hacktivist proxies have been operating DDoS and credential operations ever since.

“But 86% of the source IPs Akamai tracked came from outside Iran,” he told TechNewsWorld. “The war made it possible for a bigger surge to happen, not just in Iran.”

Crippling Kinetic Attacks

Akamai said that IPs linked to Iran made up a small part of the bad traffic seen since the crisis started. Most of it came from Russia (35%) and China (28%).

Akamai’s Kharya said, “Since the start of the conflict, Iran has effectively shut down close to 99.5% of its internet infrastructure.” “That might be why we see a smaller percentage of bad traffic coming from Iranian IPs.”

“However,” she went on, “cybercriminals often use proxy networks and services from poorly protected IoT devices and botnets in other countries to plan attacks.” This could be why most of the attacks are coming from IP addresses in Russia and China.

NCC’s Pembrey said that Israel’s first cyber attack on Iran’s internet infrastructure brought its domestic internet access down to between 1% and 4% of normal levels by targeting BGP routing and DNS infrastructure. He said, “This made it harder for Iran to launch large-scale attacks from within its own borders at first.”

“However,” he went on, “Iran’s near-total internet blackout is thought to be mostly self-imposed. The government is intentionally limiting connectivity to control the flow of information, not because of damage to infrastructure from kinetic or cyber operations.”

Worse but Still Dangerous

Pembrey said that even though there are problems at home, Iran’s cyber capabilities seem to be degraded but are still working. This is because of its access to overseas networks, its use of external infrastructure, and activity by front businesses and proxy players.

He said, “Keeping core backbone internet connectivity shows that Iran is keeping the ability to grow its cyber operations if it needs to.” “However, it’s not clear how much damage to physical infrastructure has limited this capacity because we can’t see it well enough.”

He also said that the battle seemed to be bringing together different strategic interests. He said, “Pro-Russian groups have worked with Iranian-aligned groups to carry out DDoS and wiper attacks in response.”

“Moreover,” he went on, “state-sponsored groups like Russia’s Sandworm and China’s Volt Typhoon are utilizing the disarray in the region as a cover. They are getting into Western energy and telecommunications networks ahead of time, not necessarily to attack right away, but to gain long-term strategic advantage while defensive teams are busy with the high-volume Iranian hacktivism.”

Bell said that Russia and China are using a “never let a good crisis go to waste” strategy. He remarked, “Both countries have huge proxy networks that threat actors use because those governments don’t get involved as long as the targets are Western.”

“When a conflict makes every SOC and government cyber team focus on Iran, that’s the perfect time for Russian and Chinese operators to scan and map targets they’ve always been interested in,” he said. “The conflict didn’t make them want to do it. It gave them a chance.”

Lines Between State and Hacktivists Are Blurred

Bell said that the 245% rise doesn’t show the real risk because Akamai’s data is more about reconnaissance than about destructive attacks.

He said that traffic for finding botnets is up 70% and automated recon is up 65%. “That’s the mapping phase,” he remarked. “The enemies are putting together target packages right now. The groups that see this time as a warning instead of a crisis will be ready when the reconnaissance turns into action.”

Pembrey went on to say, “We’re seeing the birth of a truly unified hybrid front, where the lines between state-sponsored warfare and grassroots hacktivism have completely disappeared.”

He said, “The most important thing to take away from the current situation is not just the number of attacks, but also the Electronic Operations Room’s ability to coordinate over 70 different hacktivist groups.” “This is a change from having a lot of people acting on their own to having a coordinated plan of action.”

He said that loud attacks, like the one on Stryker, are often merely a cover for more deadly strategic pre-positioning. “While the world is focused on the obvious conflict, advanced actors like Volt Typhoon and Sandworm are living off the land in important global infrastructure, hiding in the telemetry links and edge devices of power grids and water systems,” he said.

He remarked, “Companies can no longer afford to see cybersecurity as just a way to protect themselves.” “It’s a function of survival.”
