- Arbor Networks - DDoS Experts
- DDoS
Profiling DieNet: A New Hacktivist Threat

Executive Summary
In the last two months, DieNet, a new hacktivist group, has claimed more than 60 distributed denial-of-service (DDoS) attacks, targeting critical infrastructure from U.S. transit systems to Iraqi government websites. This group announced itself on March 7, 2025, via a now-banned Telegram channel. NETSCOUT assesses that DieNet leverages DDoS-as-a-service infrastructure, shared with groups such as OverFlame and DenBots Proof, to launch ideologically driven attacks against the U.S., Iraq, Israel, Sweden, and Egypt to date. DieNet’s targets span transportation, energy, medical systems, and digital commerce. Although the group claims some success, it often is difficult, if not impossible, to validate whether the attacks had any impact on the targets. However, their scale and frequency expose the ease with which new actors can exploit rented infrastructure to launch their own DDoS campaigns.
Key Findings
- Attack frequency: DieNet has claimed more than 60 attacks within less than two months of the group’s debut.
- Preferred targets: The group targets critical infrastructure, particularly in the U.S. and Iraq, both in the form of digital communications and in physical infrastructure such as transportation or energy.
- Attack platform: DieNet likely employs rented, DDoS-as-a-service infrastructure shared by a number of threat actors. Observations of the usage of the infrastructure predate DieNet itself.
Threat Actor Overview
DieNet first announced its existence in a now-banned Telegram channel in early March and was quickly promoted by three other active threat actor organizations: Mr.Hamza, Sylhet Gang-SG, and LazaGrad Hack. Ever since its initial announcement, DieNet has been consistently active, launching frequent DDoS attacks against key infrastructure in multiple countries. As of this writing (April 28, 2025), the group has taken credit for at least one attack every day since its creation. However, many attacks the group has taken credit for appeared to have no impact on the targets. DieNet’s targeting seems to be ideologically driven.
These targets span a wide range of industries, but all seem to be aimed at maximizing visible disruptions by targeting key infrastructure. In the U.S., DieNet has targeted the Los Angeles Metropolitan Transportation Authority, Port of Los Angeles, and Chicago Transit Authority, as well as the North American Electric Reliability Corporation, and in Iraq, it has targeted the Ministry of Foreign Affairs. The group also has targeted large centers of digital commerce and communication, such as X, medical websites such as MediTech and Epic, the Internet Archive, NASDAQ, and other large ecommerce and software-as-a-service (SaaS) providers.
DieNet’s attacks are characterized by a mixture of attack vectors such as TCP RST, DNS amplification, TCP SYN, and NTP amplification. The chosen vectors and attack patterns vary between targets.
Figure 1: Attack types by infrastructure
Although DieNet claims to have amassed its own “very large botnet,” this contradicts the evidence we have observed.
Figure 2: Daily attack count prior to and following DieNet’s launch. This graph was created by grouping on unique GUID count per day from "Attacks with matching DieNet infrastructure.csv".
Analysis of the attack sources reveals no discernible pattern or cluster of devices that would indicate an owned or controlled botnet. In fact, some of the individual sources of attack traffic seen in DieNet attacks have also been used by other threat groups, OverFlame and DenBots Proof, in their attacks, including before DieNet first announced itself.
This underscores the growing threat of DDoS-as-a-service attacks because organizations such as DieNet can spin up and begin launching a flurry of attacks overnight, all without having to rely on capturing their own infrastructure.
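The overlap analysis described above can be sketched as follows. This is an added example, not NETSCOUT's code or data: the record layout is assumed, the attack records are constructed, and the IP addresses come from documentation ranges (RFC 5737).

```python
from collections import defaultdict
from datetime import date

DIENET_ANNOUNCED = date(2025, 3, 7)  # announcement date stated in the article

# Constructed sample records, not real indicators. Assumed layout:
# (attack GUID, day, claiming group, set of source IPs)
ATTACKS = [
    ("a1", date(2025, 2, 20), "OverFlame", {"192.0.2.10", "192.0.2.11"}),
    ("a2", date(2025, 2, 27), "DenBots Proof", {"192.0.2.11", "198.51.100.5"}),
    ("a3", date(2025, 3, 1), "unattributed", {"203.0.113.77"}),
    ("a4", date(2025, 3, 8), "DieNet", {"192.0.2.10", "198.51.100.5"}),
    ("a5", date(2025, 3, 8), "DieNet", {"192.0.2.11", "203.0.113.9"}),
    ("a5", date(2025, 3, 8), "DieNet", {"192.0.2.12"}),  # same GUID, second row
    ("a6", date(2025, 3, 9), "DieNet", {"198.51.100.5"}),
]

def group_sources(attacks, group):
    """Union of source IPs seen in attacks claimed by `group`."""
    return set().union(*(src for _, _, g, src in attacks if g == group))

def matching_attacks(attacks, infra):
    """Attacks from any group that used at least one source in `infra`."""
    return [a for a in attacks if a[3] & infra]

def daily_unique_counts(attacks):
    """Map day -> number of distinct attack GUIDs (duplicate rows count once)."""
    guids = defaultdict(set)
    for guid, day, _, _ in attacks:
        guids[day].add(guid)
    return {day: len(g) for day, g in sorted(guids.items())}

def prior_use(attacks, infra, cutoff, exclude="DieNet"):
    """Map group -> shared sources that group used before `cutoff`."""
    seen = defaultdict(set)
    for _, day, group, src in attacks:
        if day < cutoff and group != exclude and src & infra:
            seen[group] |= src & infra
    return dict(seen)

if __name__ == "__main__":
    infra = group_sources(ATTACKS, "DieNet")
    for day, n in daily_unique_counts(matching_attacks(ATTACKS, infra)).items():
        print(day, n)
    for group, ips in prior_use(ATTACKS, infra, DIENET_ANNOUNCED).items():
        print(group, sorted(ips))
```

Non-empty output from `prior_use` is the signal the article relies on: sources tied to a group's claimed attacks were already active under other names before that group existed, which points to shared rented infrastructure rather than an owned botnet.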
Conclusion and Recommendations for Protection
DieNet’s rapid rise underscores the growing threat of DDoS as a service, enabling ideologically driven groups to disrupt critical infrastructure such as U.S. transit, Iraqi governmental ministries, and global commerce hubs overnight. Without robust defenses, such actors can paralyze essential systems with minimal effort. Organizations must adopt real-time visibility, automated mitigation, and intelligence-driven defenses, leveraging tools such as NETSCOUT’s Arbor Sightline, Arbor Threat Mitigation System (TMS), Arbor Edge Defense (AED), and ATLAS Intelligence Feed (AIF) to stay ahead. In an era where cyberthreats emerge with unprecedented speed, only proactive measures can safeguard our interconnected world.
To stay protected from these rapidly emerging threats, we recommend the following:
- Real-time visibility into botnet behavior and attack patterns. Tools such as NETSCOUT Arbor Sightline can help surface early signs of trouble.
- Proactive mitigation with automated systems such as Arbor TMS or Arbor AED. These can stop both volumetric floods and more-complex, multivector attacks.
- Intelligence-driven defense with feeds such as NETSCOUT’s AIF. These provide information about context, what’s trending, who’s being targeted, and how actors are evolving.
Staying ahead of threat actors is an ever-changing job and requires a broad view of where these attacks come from, how they operate, and where they could strike next.