Keeping Up With The Hacktivists
Examining How International Hacktivist Groups Pursue Attention, Select Targets, and Interact in an Evolving Online Landscape
Through our intelligence reporting, Graphika has monitored close to 700 active and inactive hacktivist groups since 2022. The groups include state-sponsored hacktivist personas, pro-Russia and pro-Ukraine groups, and groups based in the Middle East, North Africa, and South and Southeast Asia.
This report identifies and explains some of these dynamics to help organizations targeted by these groups better understand the online hacktivist landscape. Most notably:
- Due to their motivations, hacktivist groups regularly pick high-profile targets to attack or disrupt, such as banks, social media platforms, and government agencies. They also seek multiple means of promoting themselves, including using dedicated hashtags and logos, and celebrating mentions of their activities in the press.
- These groups engage in what we consider to be a form of perception hacking, often claiming without sufficient evidence that they have attacked high-profile targets or caused significant disruptions to bolster their name recognition and present their targets as easily compromised or lacking security.
- The hacktivists we monitor display an acute interest in developing new, more disruptive capabilities, signaling that the threat this community poses will almost certainly grow and that their attacks will become more complex and disruptive.
- Hacktivists attempt to monetize their online activities, using the publicity around their attacks to promote and sell external or self-made tools, services, and hacking courses.
- The hacktivist landscape includes more active and public members who set the tempo for attacks and hacking campaigns by naming specific targets and rallying others to their cause. Aligned groups often partner to amplify claims or a campaign’s impact. However, they also engage in inter-community feuds, targeting each other and using their fights to generate even more content and garner attention.
- While hacktivist groups are most active on Telegram, some maintain accounts on mainstream social media platforms like Facebook, Instagram, and X. Even so, these groups have had to contend with increases in platform moderation. Some regularly re-emerge with new usernames and handles, while others stop posting publicly for months at a time.

Graphika is the most trusted provider of actionable open-source intelligence to help organizations stay ahead of emerging online events and make decisions on how to navigate them. Led by prominent innovators and technologists in the field of online discourse analysis, Graphika supports global enterprises and public sector customers across trust & safety, cyber threat intelligence, and strategic communications, spanning industries including intelligence, technology, media and entertainment, and global banking.