
India Experiences Surge in Hacktivist Group Activity Amid Military Tensions

40+ hacktivist groups united in cyberattacks against India after a terror attack in the Indian state of Jammu & Kashmir and India’s retaliatory strikes.

May 9, 2025 · 4 min read

More than 40 hacktivist groups conducted coordinated cyberattacks against India following the April 22 terror attack in Pahalgam in the Indian state of Jammu and Kashmir, which in turn prompted India to respond with targeted strikes aimed at alleged terrorist infrastructure across the border and the Pakistan-Occupied Kashmir region (PoK).

Cyble Research & Intelligence Lab’s (CRIL) findings indicate that over the course of two weeks, several fundamentalist, pro-Pakistan, and Southeast Asian hacktivist groups launched a series of Distributed Denial-of-Service (DDoS) attacks and website defacements, both in isolation and in coordinated campaigns.

The cyber campaign escalated after India’s May 7 response, codenamed “Operation Sindoor,” in which the aforementioned strikes on alleged terrorist camps inside Pakistan and Pakistan-administered Kashmir took place (see cyberattack timeline below).

[Figure: cyberattack timeline]

More Than 40 Hacktivist Groups Launch Cyberattacks

More than 40 hacktivist groups have been involved in the cyber campaign so far. According to our findings, some of the most active groups have been Keymous+, AnonSec, Nation of Saviors, and Electronic Army Special Forces. Attacks have focused on key government portals, healthcare infrastructure, cyber defense agencies, and urban civic bodies.

The specific sectoral targeting shows a concentration on government and law enforcement entities, with additional disruption directed at multi-sector services, education, banking and financial services, and critical industries such as healthcare, defense, and IT.

Our research indicates that the hacktivists’ claims prominently echoed Pakistan state-aligned narratives. They retaliated in real time in cyberspace in response to conflict-zone developments on the ground, signaling a hybrid warfare model blending digital disruption with physical escalation.


Cyber Campaign Rapidly Escalated

The cyber campaign escalated rapidly, starting two days after the Pahalgam terror attack. Cyble has observed a sharp rise in hacktivist groups’ claims through the final week of April, with sustained activity and propaganda peaking on April 30. Momentum continued through the first week of May, as hacktivist groups synchronized “their disclosures and operational rhetoric with the broader geopolitical context,” Cyble said.

The cyber campaign saw its biggest spike after the Indian Armed Forces launched the retaliatory “Operation Sindoor” in the early hours of Wednesday, May 7. This aligns with the stated objectives of hacktivist groups, who framed their cyber operations as part of a unified response to India’s escalation. Notable threat actors such as Keymous+, Electronic Army Special Forces, and AnonSec referred to the airstrikes directly in their defacements and DDoS announcements.

Keymous+ emerged as the most aggressive hacktivist group, launching sustained attacks against India’s public healthcare infrastructure and targeting municipal corporations across major metropolitan regions. AnonSec directed its activity toward symbolic government portals, including the Prime Minister’s Office, National Judicial Data Grid, and Election Commission. Electronic Army Special Forces claimed responsibility for attacks on national defense, justice, and cybersecurity portals.

Nation of Saviors launched two concentrated waves of DDoS attacks targeting India’s state infrastructure, focusing on defense, law enforcement, education, and e-governance. The group’s most critical targets included the Central Bureau of Investigation, the National Informatics Centre, and the Indian Air Force.

DDoS and Defacements Dominated Attacks

The hacktivism campaign – dubbed #OpIndia – was characterized by a dominance of disruption tactics aimed at undermining public-facing Indian infrastructure.

Distributed Denial-of-Service (DDoS) attacks accounted for 52.5% of all reported incidents, making them the primary method used to disrupt availability and cause reputational damage. These attacks frequently targeted ministries, healthcare systems, cyber defense agencies, and municipal platforms.

Website defacements made up 36.1% of the campaign activity. Defacement payloads often displayed anti-India statements, references to retaliation, and branding from threat actor groups. “These operations were used to deliver propaganda, religious slogans, and political messaging tied to the Kashmir conflict and Operation Sindoor,” Cyble said.

Data breach claims represented 8.2% of attacks. Most breach attempts lacked verifiable data exfiltration, indicating that the objective may have been to signal penetration capability and amplify psychological pressure.

[Figure: Data breach claim by Team Insane Pakistan]

Unauthorized access attempts made up 3.3% of the campaign, targeting login portals and administrative panels of state, medical, and judicial systems. These activities further support our conclusion that the attacks were opportunistic probing rather than persistent access or exploitation.

Government and Law Enforcement Biggest Targets

Based on our present findings, the attack mix suggests a campaign calibrated for maximum visibility and disruption rather than long-term persistence or covert access. The preference for DDoS and defacement highlights the operation’s symbolic, retaliatory nature.

Government and law enforcement entities were the most affected, accounting for 36.1% of all incidents. These included central and state government portals, defense agencies, and law enforcement bodies, often targeted through both DDoS and defacement. Multi-sector attacks represented 13.1% of attacks. These included portals aggregating services across departments or jurisdictions, perhaps chosen to amplify the appearance of hacktivist disruption.

Cyble was able to verify DDoS and defacement claims, but data breach claims lacked credible proof and were thus rated “possibly true.”

Tensions continued into May 8th and the morning of May 9th as well, with missile systems, drones, and both nations’ armed forces continuing limited operations along the International Border. Cross-border shelling has been reported on both sides of the Line of Control.

As both nations mobilize along the International Border and the military situation escalates, it is safe to assume at this stage that these cyberattacks will continue, potentially prompting retaliatory cyberattacks.
