Dark Storm Hacktivist Group Claims Responsibility for X Platform Disruption - Blockonomi

by · Blockonomi

TLDR

  • Pro-Palestinian hacktivist group Dark Storm claimed responsibility for DDoS attacks against X (formerly Twitter), causing outages affecting tens of thousands of users
  • Elon Musk suggested Ukraine might be behind the attack, claiming IP addresses originated from “the Ukraine area” during a Fox News interview
  • The outages impacted approximately 40,000 US users and 10,800 UK users, with intermittent disruptions throughout Monday
  • Dark Storm has previously targeted entities supporting Israel, as well as airports and other infrastructure, and has begun offering “cybercrime-as-a-service”
  • Security experts note DDoS attack tactics have evolved from simple volume-based attacks to more sophisticated methods using application-layer floods and targeted API abuse

A major cyberattack hit social media platform X on Monday, causing widespread outages for tens of thousands of users. The self-proclaimed hacktivist group Dark Storm claimed responsibility for the attack, which they described as a protest against platform owner Elon Musk and US President Donald Trump.

X users experienced intermittent outages worldwide beginning around 6:00 a.m. Eastern Time. At its peak around 10:00 a.m., the disruption affected roughly 40,000 users in the US and about 10,800 users in the UK, according to monitoring site Downdetector.

A Bluesky user going by “Puck Arks” posted that the pro-Palestinian hacker group Dark Storm Team was behind the interruptions. Using the hashtag #takedowntwitter, the user stated the distributed denial-of-service (DDoS) attacks would continue throughout the day.

“Due to Elon Musks and Donald Trumps blatant fascism and lack of humanity we as a digital army for the people will continue our peaceful DDOS protests against X formerly known as Twitter,” the user wrote. This was the third post from Puck Arks addressing the disruptions.

Elon Musk commented on the outage, saying the platform was working to trace the origin of the attacks. “There was (still is) a massive cyberattack against x. We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved,” Musk stated on X.

Later, during an interview on Fox News with Larry Kudlow, Musk pointed to Ukraine as a possible source. He claimed the hackers had “IP addresses originating in the Ukraine area,” though he did not provide evidence for this assertion.

The attacks came after a weekend of protests at Tesla dealerships across the US. Demonstrators were seen storming showrooms, graffitiing property, and in some cases, engaging in more destructive acts, according to reports.

Musk blamed billionaires George Soros and LinkedIn founder Reid Hoffman for funding the “Tesla Takedown” protests through their ActBlue organization. Hoffman denied any involvement, calling the accusations “Just one more of Elon’s false claims about me.”

David Mound, Senior Penetration Tester at SecurityScorecard, explained that DDoS attack tactics have become much more sophisticated in recent years. Traditional attacks have shifted from “pure volumetric to application-layer (L7) floods, adaptive bot-driven traffic, and targeted API abuse,” making them harder to mitigate.

“Attackers now distribute traffic across entire subnets and exploit high-amplification vectors like Memcached, DNS, and TCP reflection to overwhelm networks,” Mound said. Large-scale botnets, often powered by IoT malware, can enable attacks exceeding 10 Tbps in scale.

According to a 2023 cyber risk intelligence report by SecurityScorecard, Dark Storm has been active in claiming attacks on targets both inside and outside Israel since the war in Gaza began. The Persian-speaking group has targeted Israeli government entities, municipalities, and sensitive industries.

The group has also claimed responsibility for DDoS attacks on John F. Kennedy Airport in New York, Los Angeles Airport (LAX), and Snapchat. SecurityScorecard researchers say Dark Storm shows “commercial motivations in addition to political ones” and has begun advertising itself as a “cybercrime-as-a-service.”

For much of its history, Dark Storm has targeted NATO member states and others that have expressed support for Ukraine, suggesting possible Russian geopolitical interests, according to the researchers. The exact connection between Bluesky user Puck Arks and the Dark Storm Team is unclear beyond their mutual support for hacktivist activities.

Mound noted that hacktivism has seen a resurgence, with groups like Killnet and Anonymous Sudan launching politically motivated disruptions against governments, financial institutions, and infrastructure providers. Ransom DDoS attacks have also become more common among threat actors seeking financial gain.

“Nation-state actors have also begun using DDoS as part of broader cyber influence and disruption campaigns, particularly in geopolitical conflicts,” Mound added. He emphasized that a proactive, adaptive security approach is essential to withstand modern DDoS threats.

By Monday afternoon, the number of X users impacted had dropped to around 1,000, according to Downdetector. Musk later confirmed that X was back up when asked about the state of the platform around 4:30 p.m. ET, simply replying: “It’s up.”

Nicholas Reese, an adjunct instructor at the Center for Global Affairs in New York University’s School of Professional Studies, expressed doubt about state involvement. He told the Star Tribune that a state actor “doesn’t make a lot of sense” given the outages’ short duration, as state-backed attacks usually aim to remain undetected rather than causing obvious disruptions.

“There are kind of two types of cyber attacks — there are ones that are designed to be very loud and there are ones that are designed to be very quiet,” Reese explained. “And the ones that are usually the most valuable are the ones that are very quiet.”

Reese acknowledged that while a group may have been trying to make a statement with the attack, such a short outage “is not much of a statement to me.”
