Malicious traffic on the internet has increased 245% since the attacks on Iran by Israel and the United States began on February 28, according to one of the world’s largest content delivery network providers.
Akamai Technologies reported that, during the period, automated reconnaissance traffic increased by 65%, credential-harvesting attempts jumped by 35%, infrastructure scanning for exposed services grew by 52%, botnet-discovery traffic climbed by 70%, and denial-of-service reconnaissance rose by 38%.
The conflict in the Middle East has sent ripple effects across the travel, hospitality, and energy sectors of the global economy, noted blog authors Sandeep Rath, Nitin Singla, Ankita Kharya, and Ryan Gao.
Even more concerning, they added, is the significant increase in cybercrime emanating from nation-state actors and ideologically motivated hacktivists, who might operate from an entirely different part of the planet to orchestrate highly sophisticated attacks.
“Akamai has observed a significant increase in malicious cyber activities across multiple areas since February 2026,” Director of Product Development Kharya told TechNewsWorld. “The timing of the increased activity suggests that the recent spike could be linked to the conflict in the Middle East.”
She added that several hacktivist groups, including NoName057(16), Server Killers, 313 team, Keymous+, and others, have claimed increased activity, but Akamai was unable to independently confirm those claims.
Middle East Conflict Sparks Cyberattack Surge
“The conflict is undeniably the catalyst for this surge,” declared Alex Pembrey, senior manager for operational threat intelligence at the NCC Group, a global cybersecurity consultancy.
“Following the launch of Operations Epic Fury and Roaring Lion on February 28, there was a massive mobilization of the Electronic Operations Room, a coordination hub established specifically to synchronize [Iran’s Islamic Revolutionary Guard Corps]-backed hacktivist operations,” he told TechNewsWorld.
Pembrey added that more than 70 hacktivist groups, including international collectives like the pro-Russian NoName057(16), pivoted their focus to target any nation perceived as aligned with the U.S. or Israel.
“The 245% increase reflects a spillover effect where geopolitical retaliation is no longer confined to the immediate theater of war but is directed at the global digital supply chain and critical infrastructure of allied nations,” he said.
“The conflict is the catalyst but it’s not the sole driver,” added Michael Bell, CEO of Suzu Labs, a provider of AI-powered cybersecurity services, in Las Vegas.
Iran’s own cyber groups are active, he explained. Handala, for example, hit medical-technology company Stryker with a wiper attack, and hacktivist proxies have been running DDoS and credential campaigns since the strikes landed.
“But 86% of the source IPs Akamai tracked came from outside Iran,” he told TechNewsWorld. “The conflict created the conditions for a broader surge, not just an Iranian one.”
Crippling Kinetic Attacks
Akamai noted that Iran-attributed IPs accounted for a minority of the malicious traffic observed since the conflict began, while larger shares originated from Russia (35%) and China (28%).
“Since the start of the conflict, Iran has effectively shut down close to 99.5% of its internet infrastructure,” Akamai’s Kharya explained. “That could explain why we observe a smaller percentage of malicious traffic originating from Iranian IPs.”
“However,” she added, “cybercriminals often use proxy networks and services from inadequately protected IoT devices and botnets of other countries to orchestrate malicious attacks. This could explain why we are observing a majority of the attacks originating from IP spaces in Russia and China.”
NCC’s Pembrey explained that Israel’s initial cyber offensive successfully collapsed Iran’s domestic internet connectivity to between 1% and 4% of normal levels by targeting BGP routing and DNS infrastructure. “This initially decreased Iran’s ability to launch high-volume attacks from within its own borders,” he said.
“However,” he continued, “Iran’s near-total internet blackout is assessed to be largely self-imposed, with the state deliberately reducing connectivity to control information flow rather than as a result of infrastructure damage from kinetic or cyber operations.”
Degraded but Still Dangerous
Despite domestic disruptions, Pembrey noted, Iran’s cyber capabilities appear degraded but remain operational, supported by pre-positioned access in foreign networks, use of external infrastructure, and activity by front companies and proxy actors.
“The retention of core backbone internet connectivity indicates that Iran is preserving the capacity to scale its cyber operations if required,” he said. “However, the extent to which physical infrastructure damage has constrained this capacity remains uncertain due to limited visibility.”
He added that the war appears to be creating a convergence of strategic interests. “Pro-Russian groups have actively joined Iranian-aligned actors in retaliatory DDoS and wiper attacks,” he explained.
“Furthermore,” he continued, “state-sponsored actors like Russia’s Sandworm and China’s Volt Typhoon are using the regional chaos as a smoke screen. They are pre-positioning themselves within Western energy and telecommunications grids, not necessarily to launch an immediate strike, but to secure long-term strategic leverage while defensive teams are distracted by the high-volume Iranian hacktivism.”
Russia and China are taking a “never let a good crisis go to waste” approach, Bell noted. “Both countries host massive proxy infrastructure that threat actors use specifically because those governments don’t interfere as long as the targets are Western,” he said.
“When a conflict draws the attention of every SOC and government cyber team toward Iran, that’s the perfect window for Russian and Chinese operators to increase scanning and mapping of targets they’ve been interested in all along,” he continued. “The conflict didn’t create their intent. It created their opportunity.”
Lines Blur Between State and Hacktivists
Bell argued that the 245% increase understates the actual risk because Akamai’s data is heavily weighted toward reconnaissance rather than destructive attacks.
He pointed out that botnet discovery traffic is up 70% and automated recon is up 65%. “That’s the mapping phase,” he said. “The adversaries are building target packages right now, and the organizations that treat this period as a warning instead of a crisis are the ones that will be ready when the reconnaissance turns into action.”
“We’re witnessing the birth of a truly unified hybrid front, where the traditional boundaries between state-sponsored warfare and grassroots hacktivism have completely dissolved,” Pembrey added.
“The most critical takeaway from the current situation isn’t just the volume of attacks, it’s the strategic synchronization of over 70 disparate hacktivist groups through the Electronic Operations Room,” he maintained. “This represents a shift from chaotic, independent actors to a coordinated plan of action.”
He warned that noisy attacks, like the one on Stryker, are often just a smoke screen for more dangerous strategic pre-positioning. “While the world is distracted by the visible conflict, sophisticated actors like Volt Typhoon and Sandworm are living off the land within global critical infrastructure, embedding themselves into the telemetry links and edge devices of power grids and water systems,” he observed.
“Organizations can no longer afford to treat cybersecurity as a defensive support function,” he said. “It’s a survival function.”
