Hacktivism refers to cybercriminal attacks that often involve breaking into systems for politically or socially motivated purposes, usually to make a statement in support of a cause or against governments or organizations.
Derived from combining the words "hack" and "activism", the term “hacktivism” was first coined in 1996 by Omega, a member of the hacker collective Cult of the Dead Cow.
In the past, hacktivist actions were likened to symbolic, digital graffiti. Nowadays, hacktivist groups resemble urban gangs. Previously composed of low-skilled individuals, these groups have evolved into medium- to high-skill teams, often smaller in size but far more capable. The escalation in skill has directly increased the risks posed to organizations.
Hacktivist groups are defined by distinct political beliefs reflected in both the nature of their attacks and their targets. Unlike cybercriminals, hacktivists typically do not seek financial gain, though we have observed overlaps with cybercrime. For the most part, these groups focus on advancing their political agendas, which vary in transparency. Broadly, their motivations can be classified into four distinct groups: ideological, political, nationalistic, and opportunistic. While some groups strictly align with one category, others pursue multiple agendas, often with a primary focus supplemented by secondary causes.
Ideological motivations drive the most hacktivist activity. These groups target entities that challenge their worldviews, often focusing on religious beliefs or geopolitical conflicts. Recent conflicts reveal deep ideological divides.
For example, pro-Russian group “NoName057(16)” accuses those who help Ukraine of “supporting Ukrainian nazis”, while Russian critics “GlorySec” claim to “support Western society in every way” and therefore “oppose the Russian regime”. GlorySec, possibly a Venezuelan group self-described as anarcho-capitalists, “believe in individual freedom and free markets” and therefore oppose countries like Russia and China as well as what they label “their proxy regimes” such as Cuba, Nicaragua, Houthi, Hezbollah, and Hamas.
Some hacktivist groups seek to influence government policies or political outcomes, though such attacks are less common than ideological ones.
For example, “SiegedSec” targeted Project 2025, an initiative promoting conservative policies. They justified a hack and subsequent leak of a 200GB database by claiming that the project “threatens the right of abortion healthcare and LGBTQ+ communities in particular”. SiegedSec has also been active in #OpTransRights, targeting organizations they perceive as opposing transgender and transsexual rights in the US.
Figure 1. SiegedSec explaining their political motivations
Nationalistic hacktivist attacks are less common and often incorporate cultural symbols and patriotic rhetoric to justify their actions. For instance, the Indian “Team UCC” group claims to “amplify Hindu voices” by “exposing false narratives that claim Hindus are safe in Bangladesh”. They position themselves as defenders of Hindus worldwide, particularly in Bangladesh. They frame their attacks on Pakistani government websites and organizations as efforts to “defend the Indian cyberspace”.
Similarly, many pro-Russia groups exhibit nationalistic motivations. Announcements of their attacks often feature Russian flags, bears as symbols of national pride, and expressions about defending Russia.
Some hacktivist groups act purely opportunistically, targeting organizations simply because they are easy to hack. For example, SiegedSec hacked into a messaging application’s website, citing that “it’s not secure at all”. The app being “made in China” might have compounded their motivation, but the group mentioned getting “access to their AWS S3 buckets”, suggesting that the attack required minimal effort rather than a justification. These groups often appear to consist of younger people driven by righteous anger, which manifests as entitlement and a belief that any hack is fair game.
Figure 2. SiegedSec describing their attack on a messaging app’s website
Modern hacktivist groups are typically led by a small core of trusted individuals, often online friends or acquaintances who share technical capabilities and a common political or religious ideology that defines the group’s alignment.
For instance, GlorySec’s supposed owner, using the alias “Charon Wheezy,” describes the group’s principles in a post that includes a selfie with others in a computer-filled room. SiegedSec’s founder, known as “Vio,” describes the group as “gay furry hackers” and identifies as “a former member of GhostSec and Anonymous Sudan”. These introductions are a common starting point for recruiting other hackers who share the same ideology and inclinations.
Figure 3. Personal profile of SiegedSec’s founder
Recruitment strategies vary. Some groups such as CyberVolk openly advertise for members, partnerships, and paid promotions. Others, like GlorySec, seek insiders (“moles”) from rival nations such as China, Venezuela, or Russia, to access “government or company management systems”. They mention that they have US$200,000 to pay for this, also offering that the mole “can be reallocated” (we understand this to mean relocated) “if any problems arise”.
The groups’ leaders, who appear to be very few, vet members personally and recruit directly via announcement channels. They perceive their actions as defending ideals rather than committing crimes. However, fear of legal repercussions is common. Groups often disband, rebrand, or take evasive actions when under scrutiny, particularly if they are based in the US or Europe. SiegedSec, for instance, disbanded in July 2024, acknowledging their actions as cybercriminal and citing fear of “the eye of the FBI”.
Hacktivist groups typically rely on DDoS and web defacement attacks, which are orchestrated by the group and executed by volunteers using HTTP stress tools. Originally designed for web administrators to test server capacity, these tools are abused to flood servers with malicious traffic, causing disruptions.
Taking down a target website is a favored tactic due to its simplicity, though its impact is often limited. DDoS attacks are time-bound, and their effects on organizational websites are usually short-lived. While sustained attacks on revenue-generating sites (e.g., online shops, casinos) during peak times can cause significant harm, most targets are government or corporate websites, resulting in minimal reputational damage.
Figure 4. Indian Cyber Forces targeting a Hamas site with DDoS
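Because these floods are executed by many volunteers, each source can stay under a per-client rate limit while the combined traffic still overwhelms one URL. The following added example (not part of the original article) buckets access-log lines per path and time window to surface that pattern; the log format, thresholds and sample traffic are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

WINDOW_S = 10       # bucket size in seconds (assumed)
PER_IP_LIMIT = 20   # assumed per-client limit per window, as a typical rate-limit rule
PATH_LIMIT = 100    # assumed per-path ceiling per window, taken from a normal baseline
MIN_SOURCES = 10    # many distinct clients on one path suggests a coordinated flood

def parse(line):
    """Parse 'ISO-timestamp client-ip method path status' (constructed log format)."""
    ts, ip, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), ip, path

def find_floods(lines):
    """Return one finding per (window, path) whose aggregate count reaches PATH_LIMIT."""
    buckets = defaultdict(Counter)  # (window_start, path) -> requests per client IP
    for line in lines:
        ts, ip, path = parse(line)
        window = int(ts.timestamp()) // WINDOW_S * WINDOW_S
        buckets[(window, path)][ip] += 1
    findings = []
    for (window, path), per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if total < PATH_LIMIT:
            continue
        noisy = sorted(ip for ip, n in per_ip.items() if n > PER_IP_LIMIT)
        findings.append({
            "window": window, "path": path, "requests": total,
            "sources": len(per_ip), "over_per_ip_limit": noisy,
            # Distributed: many sources, none of which a per-IP rule would catch.
            "distributed": len(per_ip) >= MIN_SOURCES and not noisy,
        })
    return findings

def sample_log():
    """Constructed traffic: 40 low-rate sources on /search, one noisy client, normal hits."""
    lines = [f"2024-01-01T12:00:0{s}+00:00 198.51.100.{i} GET /search 200"
             for i in range(1, 41) for s in range(5)]
    lines += [f"2024-01-01T12:00:0{s % 10}+00:00 203.0.113.7 GET /login 200"
              for s in range(120)]
    lines += [f"2024-01-01T12:00:0{s}+00:00 192.0.2.{s + 1} GET /index.html 200"
              for s in range(8)]
    return lines

if __name__ == "__main__":
    for finding in find_floods(sample_log()):
        print(finding)
```

In the constructed sample, the single noisy client on /login would be stopped by an ordinary per-IP limit, while the /search flood is only visible in the per-path aggregate.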
Malware attacks are rare among hacktivist groups, likely because creating and deploying malware is more complex than quick, reputation-focused attacks. Still, some groups develop ransomware to fund their activities.
An example is the pro-Ukraine group “Twelve”, which reportedly operates like a ransomware group. Unlike cybercriminals, who ask for a ransom, the group uses malware that encrypts, deletes and exfiltrates data, with the stolen information shared on a Telegram channel. However, we have not found this channel or verified the group’s deeper motivations.
In another case, GlorySec placed malware on USB sticks in a Venezuelan city and allegedly gained access to systems in “100 different companies”.
Figure 5. GlorySec explaining their malware attack
Doxing, which is short for “dropping dox” (“dox” being slang for documents), is the malicious practice of gathering and publicly releasing someone’s personal information, such as their home address, phone number, financial information, or other personal details, without the victim’s consent.
With the rise of social media and readily accessible online data, doxing has become a popular tactic that is often used to harass, intimidate, or harm individuals. This is typically motivated by personal vendettas, ideological conflicts, or a desire to cause harm to the victim.
Today’s hacktivist groups increasingly engage in “hack-and-leak” attacks, which are more sophisticated than DDoS and web defacements. They hack networks and servers to exfiltrate data, which is then shared publicly via file-sharing platforms. These attacks are frequently promoted on the group’s Telegram channel. The advanced nature of these operations suggests a more complex recruitment process, prioritizing members with more offensive hacking skills.
GlorySec also aligned with Taiwan in its efforts to disengage from China, initiating #OpPRC to attack Chinese companies. They stated that “The PRC is a fake country; it should be the ROC”, referring to the self-designations of China (PRC) and Taiwan (ROC). GlorySec is neither Chinese nor Taiwanese. Ironically, Russian hackers have conducted #OpTaiwan for the opposite reason, supporting China.
You’ve probably heard about the group known as Anonymous, a collective of clandestine – and yes, anonymous – hackers who have taken down and infiltrated computer systems belonging to companies and governments with whom they have political disagreements.
From 2008 to 2012, Anonymous managed to execute a number of hacks, with effects that ranged from inconsequential to critical. One of their most infamous, dubbed “Operation Tunisia”, involved recruiting a number of Tunisian hackers to help take down eight government websites using DDoS (Distributed Denial of Service) attacks in support of Arab Spring movements in 2010.
This table compiles some hacktivist groups spanning multiple conflicts:
Figure 6. Hacktivist groups with overlapping motivations