The Dark Storm hacktivist group has claimed to be behind a series of DDoS attacks on the social media site X.

While one user linked the attacks to “protests against DOGE” and physical attacks on Tesla stores, saying “I wouldn’t rule out the possibility that this downtime is the result of an attack on 𝕏,” owner Elon Musk confirmed “there was (still is) a massive cyberattack against 𝕏.”

“We get attacked every day, but this was done with a lot of resources,” Musk said. “Either a large, coordinated group and/or a country is involved.”

Dark and Stormy

According to Bleeping Computer, Dark Storm is a pro-Palestinian hacktivist group that launched in 2023 and has previously targeted organisations in Israel, Europe, and the US.

The group posted to their Telegram channel that they were conducting DDoS attacks against Twitter, sharing screenshots and links [1, 2] to the check-host.net site as proof of the attack.

Largely Anonymous

David Mound, senior penetration tester at SecurityScorecard, said that DDoS attack tactics have evolved dramatically, with adversaries leveraging increasingly sophisticated techniques to bypass traditional defenses.

He said: “The shift from pure volumetric attacks to application-layer (L7) floods, adaptive bot-driven traffic, and targeted API abuse has made mitigation more challenging. Attackers now distribute traffic across entire subnets (carpet bombing) and exploit high-amplification vectors like Memcached, DNS, and TCP reflection to overwhelm networks. 

“Beyond technique evolution, DDoS motivations are shifting. Hacktivism has resurged, with groups like Killnet and Anonymous Sudan launching politically motivated disruptions against governments, financial institutions, and infrastructure providers. Meanwhile, ransom DDoS (RDDoS) campaigns have increased, with attackers extorting businesses by threatening prolonged downtime. Nation-state actors are also employing DDoS as part of broader cyber influence and disruption campaigns, particularly in geopolitical conflicts. Additionally, DDoS-for-hire (booter/stresser) services remain a persistent threat, despite law enforcement efforts to dismantle them.”

Jake Moore, global cybersecurity advisor at ESET, said DDoS attacks are a clever way of targeting a website without having to hack into the mainframe, and therefore the perpetrators can remain largely anonymous and difficult to point a finger at.

“This also makes it that much more difficult to protect from when the landscape is completely unknown apart from having generic DDoS protection” he said. “However, even with such protection, each year threat actors become better equipped and use even more IP addresses such as home IoT device to flood systems making it increasingly more difficult to protect from.

"Unfortunately, X remains one of the most talked about platforms making it a typical target for hackers marking their own territory. All that can be done to future proof their networks is to continue to expect the unexpected and build even more robust DDoS protection layers."

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.