The self-proclaimed hacktivist group Dark Storm on Monday is claiming responsibility for an ongoing outage impacting X to protest the social media platform’s owner Elon Musk and US President Donald Trump.
Using the hashtag #takedowntwitter (the site’s former name before Musk bought the platform in October 2022), a Bluesky user who goes by the name ‘Puck Arks’ posted that a pro-Palestinian hacker group known as the Dark Storm Team has laid claim to Monday morning's interruptions.
“#DarkStorm has confirmed that the DDoS attack against Twitter will continue throughout the day as a protest against Musk and Trump,” they posted, stating the attacks are expected to last for at least another four hours.
Musk’s platform has been experiencing intermittent outages worldwide since about 6:00 a.m. Eastern Time, impacting roughly 40,000 users in the US at its 10:00 a.m. peak, and about 10,800 X users in the UK.
“Due to Elon Musks and Donald Trumps blatant fascism and lack of humanity we as a digital army for the people will continue our peaceful DDoS protests against X formerly known as Twitter. Thank you for your love and support," Puck Arks in said his third post addressing the disruptions.
Musk commenting on the outage said his platform was in the process of tracing the origin of the attacks, while, as typical, getting support and vitriol from users on both sides of the aisle.
"There was (still is) a massive cyberattack against X. We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved," Musk said.
The alleged distributed denial-of-service (DDoS) attacks, which flood a target’s servers with thousands of traffic requests (often using automated bots), come after a weekend of live protests hit Tesla dealerships across the US decrying Musk and his latest DOGE policies.
Thousands of protestors (such as the woman pictured above) have been seen storming showrooms, graffitiing property, and in some cases, burning down Tesla charging stations, throwing Molotov cocktails, and firing gun shots. The, at times, violent crowds have led police in cities such as Chicago and Boston, and in Oregon state, to barricade dealerships and arrest agitators to protect the facilities and their employees.
Musk on his social media platform this weekend, blamed billionaires George Soros and LinkedIn founder Reid Hoffman of bankrolling the "Tesla Takedown" protests through their ActBlue organization, citing an unnamed investigation. Reid has denied any involvement, calling the accusations on X "Just one more of Elon's false claims about me."
'DDoS attack tactics have evolved dramatically'
David Mound, Senior Penetration Tester at SecurityScorecard, says that DDoS attack tactics have evolved dramatically over recent years with adversaries "leveraging increasingly sophisticated techniques to bypass traditional defenses."
Internet monitoring site Downdetector.com showed the numbers of X users impacted by the outage dropping to less than a thousand just before 11:00 a.m. However, it appears the rolling disruptions spiked again Monday afternoon, affecting about 35,000 users just after 1:00 p.m.
Around 60% of X users in the US reported issues with the app, 31% reported problems with the X website, and another 11% reported server connection issues, Downdetector said.
Mound explained that traditional DDoS attacks have shifted from “pure volumetric to application-layer (L7) floods, adaptive bot-driven traffic, and targeted API abuse” which can make mitigation that much more challenging.
“Attackers now distribute traffic across entire subnets (carpet bombing) and exploit high-amplification vectors like Memcached, DNS, and TCP reflection to overwhelm networks,” Mound said, adding that “large-scale botnets, often powered by IoT malware variants, enable Tbps-scale attacks, with some exceeding 10 Tbps, putting even well-protected organizations at risk.”
Who is Dark Storm?
According to a cyber risk intelligence report by SecurityScorecard from 2023, Dark Storm has been busy claiming attacks “on targets both inside Israel and out” since the war in Gaza, focusing on taking down Israeli infrastructure and boasting about its attacks on a Telegram channel it created in August 2023.
The Persian-speaking group has not only targeted the Israeli government, local municipalities, and sensitive industries, but is also known for claiming distributed denial-of-service attacks on John F. Kennedy Airport in New York and Los Angeles Airport (LAX), as well as Snapchat.
Dark Storm appears to follow a hacktivist playbook similar to the Killnet gang, which spent most of 2023 carrying out DDoS attacks against victims who supported Ukraine until it decided to commercialize its operations in favor of a DDoS hackers-for-hire model.
SecurityScorecard researchers say Dark Storm shows “commercial motivations in addition to political ones,” and like Killnet, has begun advertising itself as a “cybercrime-as-a-service,” complete with a menu of hacking services.
“For much of its history, it [Dark Storm] has targeted NATO member states and others that have declared their support for Ukraine,” suggesting Russian geopolitical interests, the researchers said.
It’s not clear the direct connection between Bluesky user Puck Arks and the Dark Storm Team except for their mutual support of hacktivist activities and other like-minded groups, such as Anonymous, and the dislike of US policies.
Beyond technique evolution, the research shows that DDoS motivations are shifting, Mound said. "Hacktivism has resurged, with groups like Killnet and Anonymous Sudan launching politically motivated disruptions against governments, financial institutions, and infrastructure providers," he said.
Mound further noted that ransom DDoS attacks, or RDDoS campaigns, have also become more prevalent among threat actors trying to profit financially from their criminal endeavors. In RDDoS attacks, the hacktivists will demand a ransom payment and threaten the victim with prolonged downtime if they don't pay up.
"Nation-state actors have also begun using DDoS as part of broader cyber influence and disruption campaigns, particularly in geopolitical conflicts,” Mound said. "With attackers continually refining their techniques, a proactive, adaptive security posture is essential to withstand modern DDoS threats," he added.
Your email address will not be published. Required fields are markedmarked