DDoS Attacks Surge 168% as NoName057 Sets Attack Record

Network-layer DDoS attacks increased 168% year-over-year in 2025, with peak volumes approaching 30 Tbps. Radware's 2026 Global Threat Report, released today, documents a resurgence of brute-force volumetric attacks alongside continued growth in application-layer threats.

The pro-Russia hacktivist group NoName057(16) set yet another record, claiming 4,693 attacks throughout 2025—solidifying its position as the most prolific hacktivist entity in recorded history.

Attack Metrics at a Glance

Category	Year-over-Year Change
Network-layer DDoS	+168.2%
Web DDoS attacks	+101.4%
Application/API attacks	+128%
Bad bot activity	+91.8%

In the second half of 2025, the average Radware customer experienced over 25,351 network-layer DDoS attacks—approximately 139 attacks per day. That's an attack every 10 minutes, sustained for six months.

Technology Sector Bears the Brunt

Industry targeting shifted dramatically. Technology companies absorbed 45% of all network-layer DDoS attacks, up from just 8.77% in 2024. Telecommunications and financial services rounded out the top three targeted sectors.

Geographically, North America remained the primary target, accounting for 63.1% of all network-layer DDoS attacks. The Middle East followed at 16.1%, with Europe at 13.7%.

Israel emerged as the world's top target for geopolitically-motivated cyberattacks, reflecting ongoing regional conflicts and the resulting hacktivist activity. CISA has previously warned about pro-Russia hacktivists targeting critical infrastructure worldwide, and the Radware data confirms these campaigns haven't slowed.

NoName057(16): The Most Active Hacktivist Group

NoName057(16) claimed responsibility for 4,693 DDoS attacks in 2025, an unprecedented volume for any hacktivist group. The pro-Russian collective has consistently targeted government websites, financial institutions, and transportation systems across NATO countries.

We covered one of their DDoS campaigns against French postal services during the Christmas period—a pattern of timing attacks for maximum disruption that characterizes their operations.

The group operates through a volunteer botnet called DDoSia, which recruits participants via Telegram with gamified incentives and cryptocurrency payments. This distributed model allows sustained attack capacity that's difficult to attribute to specific infrastructure.

Their operational tempo and consistency suggest either significant funding or effective crowdsourcing of attack resources—possibly both. Attribution to Russian intelligence remains contested, but the targeting aligns precisely with Russian foreign policy objectives.

What's Driving the Surge

Several factors contributed to the dramatic increases:

Geopolitical tensions: Conflicts in Ukraine, the Middle East, and disputed territories generate hacktivist activity on all sides. DDoS attacks serve as low-risk retaliation and publicity tools.

Cheap attack infrastructure: Booter services, compromised IoT devices, and cloud resource abuse make launching substantial attacks accessible to even unsophisticated actors.

Amplification techniques: DNS, NTP, and memcached reflection attacks allow attackers to multiply their bandwidth significantly, generating the 30 Tbps peaks Radware observed.

Ransomware diversification: Some ransomware operators now include DDoS as an additional extortion lever—refusing to pay results in both data publication and service disruption.

Application-Layer Attacks

While network-layer attacks grab headlines with their raw bandwidth, application-layer threats pose different challenges. The 128% increase in application and API attacks reflects attackers targeting specific endpoints rather than overwhelming network capacity.

Bad bot activity increased 91.8%, encompassing credential stuffing, inventory scraping, and automated fraud. These attacks often fly under DDoS detection thresholds while causing substantial business impact.

For organizations with API-dependent architectures—which increasingly means everyone—application-layer protection requires different strategies than volumetric defense. Rate limiting, behavioral analysis, and request validation become critical.

Defensive Implications

For security teams:

1. Review DDoS mitigation capacity against current attack volumes—30 Tbps peaks require cloud-based scrubbing
2. Implement application-layer protections alongside network-layer defenses
3. Monitor hacktivist Telegram channels for targeting intelligence
4. Ensure business continuity plans account for sustained multi-day attacks

For executives:

DDoS mitigation is no longer optional insurance. The attack frequency documented here means disruption attempts are a matter of "when," not "if." Organizations in heavily-targeted sectors—technology, telecommunications, finance—should assume adversaries are already mapping their infrastructure.

For geopolitically-exposed organizations:

Companies with presence in conflict zones, government contracts, or politically controversial business practices face elevated risk. Threat modeling should account for hacktivist targeting based on public perception, not just technical vulnerability.

Why This Matters

The 168% increase isn't just a bigger number—it represents a fundamental shift in threat economics. Launching significant DDoS attacks costs attackers relatively little while forcing defenders to maintain expensive mitigation capacity.

NoName057(16) averaging roughly 13 attacks per day for an entire year demonstrates sustained operational capability that would have seemed implausible a decade ago. The combination of ideological motivation, accessible tooling, and crowdsourced participation creates attack volumes that individual organizations cannot absorb without external mitigation services.

For the latest on emerging threats and attack trends, visit our hacking news coverage where we track significant developments as they unfold.

As organizations continue migrating services online and attackers continue refining their methods, the trajectory seems clear. Plan for more attacks, larger attacks, and attacks that combine volumetric, application, and extortion components simultaneously.