Following Operation Sindoor, the major Indian military operation that took place on May 7th, 2025, in response to the April 22nd, 2025, Pahalgam terror attack, a considerable increase in hacktivist cyber activity was observed, with more than 1.5 million cyberattacks reportedly targeting Indian infrastructure. This period saw a convergence of advanced persistent threat (APT) groups and ideologically driven hacktivist collectives, each deploying a variety of tactics against critical infrastructure, government entities, and public-facing services. Campaigns involved both pro-India and pro-Pakistan actors, with operations ranging from website defacements and distributed denial-of-service (DDoS) attacks to data leaks and sophisticated malware attacks. These incidents were often publicised and amplified through platforms such as Telegram, X, and underground forums, further escalating existing tensions.
In this blog, we will explore these operations in more detail and examine the impact of these hacktivist campaigns. Although the direct technical impact of these actions was typically limited, their psychological and symbolic significance, especially in reinforcing nationalist sentiment, makes them a significant threat to the region’s evolving cyber and physical landscape.
Observed Attack Types and Techniques in the India-Pakistan conflict
In the wake of Operation Sindoor, hacktivist groups employed a range of disruptive tactics to further their ideological and political aims. These techniques span from volumetric cyberattacks like DDoS attacks and website defacements to data leaks and malware attacks. The diversity of these methods reflects a calculated effort to exploit technical vulnerabilities, shape public perception, and erode trust in institutions, signalling an increasingly strategic approach to hacktivist operations.
DDoS Attacks in the India-Pakistan conflict
A defining feature of hacktivist campaigns following Operation Sindoor, particularly under the #OpIndia banner, has been the use of DDoS attacks. DDoS attacks surged considerably between April 22nd and May 10th, 2025, peaking on May 7th, with reports indicating up to seven attacks per hour. More than 75% of these attacks targeted Indian government entities, including the Prime Minister’s Office and central ministries, as well as entities in the defence, healthcare, and telecommunications sectors. The attacks prioritised volume over precision, with impact assessments revealing minimal disruption. Most targets remained accessible, with any downtime reportedly lasting less than five minutes. The limited impact of the attacks suggests that the primary objective was symbolic disruption, creating the illusion of power and psychological unease rather than causing lasting damage. Prominent actors like AnonSec and RipperSec were linked to these operations, with the latter responsible for over 30% of all DDoS claims against India during this period. RipperSec was notably observed using the MegaMedusa DDoS tool to enable even low-skilled supporters to participate in large-scale DDoS campaigns. Meanwhile, AnonSec orchestrated a series of DDoS attacks on May 7th, 2025, that targeted 20 websites in critical sectors, including defence, finance, aviation, urban development institutions, and state government portals. Following the attacks, the group posted screenshots on its Telegram channel claiming responsibility, along with anti-India content.
Website Defacements in the India-Pakistan conflict
Following Operation Sindoor, website defacements also became a prominent tactic used by both pro-India and pro-Pakistan hacktivist groups. These attacks aimed to spread propaganda, disrupt online infrastructure, and demonstrate cyber capabilities. On the pro-Pakistan side, more than 1.5 million Indian websites were targeted, with approximately 150 successfully defaced. Groups such as Team Insane PK and Pakistan Cyber Force led these offensives, with one notable incident involving the defacement of the Armoured Vehicles Nigam website, where attackers displayed the Pakistani flag and Al Khalid tank imagery. In retaliation, Indian hacktivist groups launched counter-defacements, with the Indian Cyber Force claiming attacks on Habib Bank’s employee platform and over 1,000 surveillance cameras. Kerala Cyber Xtractors also targeted the Pakistan Ordnance Factory and major airport websites in Karachi and Islamabad. These defacements are largely symbolic and have allowed hacktivists to demonstrate their capabilities and attract attention rather than cause any significant damage.
Data leaks in the India-Pakistan conflict
Data leaks have also become a hallmark of hacktivist operations, serving both as a method of disruption and a tool for ideological messaging. Following Operation Sindoor, these leaks have been weaponised to maximise reputational damage and public exposure for targeted entities, regardless of the legitimacy of the leaks.
Pro-India hacktivist groups, notably the Indian Cyber Force, have claimed responsibility for breaches targeting key Pakistani institutions. These include the Federal Board of Revenue, from which they allegedly exfiltrated 150GB of sensitive data, as well as universities such as the University of Balochistan, where student records including CNICs, passwords, and addresses were reportedly exposed. Indian Cyber Force also shared footage from compromised IP cameras, aiming to highlight Pakistan’s digital vulnerabilities. Meanwhile, pro-Pakistan hacktivists increased attacks on India’s critical infrastructure, targeting government IT systems, telecommunications firms, and hospitals. Between May 7th and May 10th, 2025, over 650 cyber incidents were reported, many involving claims of large-scale data leaks.
However, not all claimed leaks are legitimate. Multiple hacktivist entities, including Sylhet Gang SG and DieNet, claimed the exfiltration of over 247GB of data from India’s National Informatics Centre, though the actual data amounted to just 1.5GB of publicly available media files. Alleged breaches of the Andhra Pradesh High Court were limited to case metadata already accessible online. Other supposed attacks on the Indian Army and Election Commission have also been revealed to be either outdated or fabricated. According to CloudSEK, much of the attention surrounding the supposed breaches was fuelled by Pakistan-linked accounts on X. These include P@kistanCyberForce and CyberLegendX, which amplified unverified claims and linked them to ongoing operations like Operation Sindoor and Bunyan Al Marsous to elevate the propaganda value of their operations.
Malware Attacks in the India-Pakistan conflict
Malware attacks have also been used to target critical infrastructure, with the Pakistan-linked APT group APT36 using Pahalgam terror attack-themed PDF documents to target Indian government and defence personnel. The campaign leveraged both credential phishing and the deployment of malicious payloads, including the Crimson remote access trojan (RAT), as well as fake domains impersonating Jammu & Kashmir Police and the Indian Air Force. This activity is consistent with APT36’s established pattern of targeting India’s critical infrastructure. In December 2024, the group was observed deploying CurlBack RAT, Spark RAT, and Xeno RAT against Indian government agencies, defence contractors, maritime operations, and academic institutions, demonstrating both technical adaptability and broad operational reach. APT36’s ongoing targeting demonstrates how the group continues to exploit geopolitical events and tensions to escalate and legitimise its cyber operations.
Migration of targeting to other conflicts – Israel-Iran
Following Operation Sindoor, many hacktivists and threat actors have redirected their focus to new geopolitical flashpoints, most notably the escalating Israel-Iran conflict.
In recent weeks, cyber activity targeting both nations has surged, driven by mounting regional tensions and retaliatory motives. Since Israel launched Operation Rising Lion on June 13th, 2025, pro-Iranian cyber operations have increased considerably. One actor operating under the #OpIsrael banner claimed to have targeted Tzofar, Israel’s public alert system for missile attacks, while another group, Arabian Ghosts, claimed responsibility for disrupting Israeli radio broadcasts. These attacks appear designed not only to disrupt services, but also to exert psychological pressure and shape regional perceptions. Some groups have also issued broader warnings beyond Israel. Mysterious Team Bangladesh, for example, threatened cyberattacks on the infrastructure of Jordan and Saudi Arabia if they choose to support Israel. Radware suggests that Iran, constrained in its conventional military capabilities, is more likely than ever to turn to cyberattacks as a means to retaliate and reassert power.
The APTiran hacking collective has also claimed responsibility for a large-scale campaign targeting Israeli critical infrastructure. Framing its actions as retaliation for Israeli military operations, the group alleges it infiltrated systems across government ministries, hospitals, universities, and financial institutions. The group also threatened to build a ‘zombie’ network from infected devices belonging to both government entities and ordinary citizens. According to its own statements, APTiran has leaked over 350,000 Israeli government login credentials, approximately 300 stolen internal databases, and credentials from various academic institutions. The group also claims to be deploying ransomware strains such as ALPHV and LockBit as part of its offensive toolkit.
The shift in focus from Operation Sindoor to the Israel-Iran conflict highlights the agility and opportunism of hacktivist networks. These actors often operate independently of state control but remain highly responsive to global events, seizing moments of geopolitical tension to assert ideological agendas and increase their influence. Their actions serve not only as tools of disruption but also as a means of controlling and shaping narratives surrounding significant geopolitical conflicts, blurring the lines between physical warfare and strategic influence operations.
If you would like to know more about how intelligence from Silobreaker can help you keep up to date with ongoing geopolitical issues and understand how they feed into the cyber threat landscape, download our latest report Global Conflicts in the Digital Age – How Geopolitics Influence Cyber Operations