The escalating military conflict in the Middle East has created a parallel digital battleground, with cybercriminals exploiting geopolitical tensions to launch an unprecedented wave of attacks. Data from content delivery network provider Akamai reveals a 245 per cent jump in malicious activity since military strikes against Iran commenced on 28 February, transforming the conflict's cyber dimension into a global threat affecting banks, tech firms, and e-commerce platforms worldwide.
The spike is not straightforward Iranian retaliation. Instead, it reflects a more complex picture: geopolitically motivated hacktivists using infrastructure in Russia and China to launch billions of connection attempts designed specifically for abuse. This approach allows attackers to disguise their origin whilst scaling attacks beyond what Iranian actors alone could manage from a country experiencing a near-total internet blackout.
The financial sector has borne the brunt of the assault. Banks and fintech companies accounted for 40 per cent of malicious traffic tracked by Akamai since the conflict began, followed by e-commerce (25 per cent), video games (15 per cent), technology firms (10 per cent), and media services (7 per cent). Most activity involved infrastructure scanning and reconnaissance, with botnet-driven discovery traffic jumping 70 per cent and automated reconnaissance traffic up 65 per cent. Credential harvesting attempts and reconnaissance ahead of distributed denial of service attacks rose 45 and 38 per cent respectively.
The geographic sourcing of attacks reveals the proxy strategy at work. Although one unnamed US financial services company blocked 13 million packets originating from Iran over 90 days, Iran accounted for only 14 per cent of source IP addresses in Akamai's data. Russia generated 35 per cent and China 28 per cent, indicating that threat actors have shifted infrastructure to exploit the comparative anonymity these countries afford digital crime networks.
From a national security perspective, this represents a significant evolution in how geopolitical conflict translates to cyber operations. Rather than purely state-sponsored attacks, the data suggests a hybrid ecosystem where ideologically motivated hacktivists access proxy services and stolen credentials to conduct coordinated campaigns. Akamai notes that geopolitically motivated hacktivists are using proxy services in countries like Russia and China as a source for billions of designed-for-abuse connection attempts.
Security researchers have documented a parallel trend in pro-Russian hacktivist activity. Justin Moore, senior manager at Palo Alto Networks' Unit 42, highlighted an uptick in pro-Russian groups whose tactics are "effectively expanding the Middle East's attack surface, and potentially exposing regional infrastructure to high-disruption tactics historically used by these groups against NATO and European interests."
Some of these hacking crews operate with direct ties to government intelligence agencies. The group known as Handala, assessed to be a front for Iran's Ministry of Intelligence and Security, claimed responsibility for a destructive data-wiping attack against Stryker, a Michigan-based medical technology company. This blurs the line between criminal opportunism and state-directed cyber warfare, a dynamic that defence planners must account for when assessing threats to allied infrastructure.
The security implications extend beyond immediate financial losses. Sustaining a 245 per cent increase in attack volume while keeping the true origin obscured suggests a shift in how non-state and quasi-state actors coordinate cyberattacks. Routing attacks through proxy infrastructure in countries that are not direct parties to the conflict creates both a technical and a diplomatic challenge: defenders must harden systems against attacks arriving from nominally neutral IP space, whilst intelligence and policy communities debate proportional responses.
For organisations operating critical infrastructure or handling sensitive financial data, the landscape has materially changed. Defenders cannot rely solely on geographic blocking or traditional threat intelligence. The convergence of hacktivist motivation, criminal-for-hire services, and state-adjacent infrastructure creates an attack surface that conventional security posture struggles to address. Akamai's recommendation to deny traffic from regions with no legitimate user base reflects a blunt instrument, but one increasingly necessary as the fusion of geopolitical and criminal cyber activity continues to accelerate.
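To make concrete why an Iran-only view of the source figures above is misleading, and what Akamai's advice to deny traffic from regions with no legitimate user base looks like alongside behaviour-based detection, here is an added Python example; it is not code from the original article or from Akamai. It runs two access-control policies over a handful of constructed access-log lines: a naive policy that denies only sources geolocated to Iran, and a hardened policy that denies every country outside the organisation's known user base and additionally scores each source for reconnaissance behaviour (many distinct paths, mostly error responses, hits on well-known probe paths), so that a scanner proxied through a country the organisation does serve is still caught. The country prefixes, the log lines, the probe-path list and the thresholds are all constructed for illustration; a real deployment would use a GeoIP database and tune thresholds to its own traffic.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed GeoIP table for this example only. These prefixes are
# documentation/test ranges, NOT real country allocations; a real
# deployment would consult a GeoIP database instead.
GEO_TABLE = {
    "203.0.113.0/24": "IR",
    "198.51.100.0/24": "RU",
    "192.0.2.0/24": "CN",
    "100.64.0.0/16": "US",
    "10.10.0.0/16": "AU",
}
_GEO = [(ipaddress.ip_network(net), cc) for net, cc in GEO_TABLE.items()]

# Paths that legitimate users of this hypothetical site never request;
# hits on them are a strong reconnaissance signal. Constructed list.
PROBE_PATHS = ("/.env", "/.git", "/wp-login.php", "/admin",
               "/phpmyadmin", "/xmlrpc.php")

# Constructed access log (Common Log Format). One Russian scanner, one
# Chinese probe, one Iranian source, one scanner proxied through a US
# address, one normal US user and one normal Australian user.
LOG = """\
198.51.100.7 - - [01/Mar/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.7 - - [01/Mar/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.7 - - [01/Mar/2025:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 0
198.51.100.7 - - [01/Mar/2025:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 0
198.51.100.7 - - [01/Mar/2025:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
192.0.2.5 - - [01/Mar/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.9 - - [01/Mar/2025:10:00:05 +0000] "GET /login HTTP/1.1" 200 1843
203.0.113.9 - - [01/Mar/2025:10:00:06 +0000] "POST /login HTTP/1.1" 401 120
100.64.3.21 - - [01/Mar/2025:10:00:07 +0000] "GET / HTTP/1.1" 200 5120
100.64.3.21 - - [01/Mar/2025:10:00:07 +0000] "GET /.env HTTP/1.1" 404 0
100.64.3.21 - - [01/Mar/2025:10:00:08 +0000] "GET /wp-login.php HTTP/1.1" 404 0
100.64.3.21 - - [01/Mar/2025:10:00:08 +0000] "GET /admin/ HTTP/1.1" 404 0
100.64.3.21 - - [01/Mar/2025:10:00:09 +0000] "GET /.git/config HTTP/1.1" 404 0
100.64.3.21 - - [01/Mar/2025:10:00:09 +0000] "GET /xmlrpc.php HTTP/1.1" 404 0
100.64.9.2 - - [01/Mar/2025:10:01:00 +0000] "GET / HTTP/1.1" 200 5120
100.64.9.2 - - [01/Mar/2025:10:01:05 +0000] "GET /login HTTP/1.1" 200 1843
100.64.9.2 - - [01/Mar/2025:10:01:12 +0000] "POST /login HTTP/1.1" 302 0
100.64.9.2 - - [01/Mar/2025:10:01:13 +0000] "GET /account HTTP/1.1" 200 2210
10.10.4.4 - - [01/Mar/2025:10:02:00 +0000] "GET / HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')


def country_of(ip):
    """Longest-prefix style lookup against the constructed GEO_TABLE."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _GEO:
        if addr in net:
            return cc
    return "??"


def parse(log_text):
    """Yield (ip, method, path, status) for each well-formed CLF line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def profile_sources(log_text):
    """Aggregate per-source counters used for the behavioural score."""
    stats = defaultdict(lambda: {"hits": 0, "paths": set(), "errors": 0, "probes": 0})
    for ip, _method, path, status in parse(log_text):
        s = stats[ip]
        s["hits"] += 1
        s["paths"].add(path)
        if status >= 400:
            s["errors"] += 1
        if any(path.startswith(p) for p in PROBE_PATHS):
            s["probes"] += 1
    return stats


def is_recon(s, min_paths=5, err_ratio=0.6, min_probes=2):
    """Scanner heuristic: breadth, mostly errors, and known probe paths."""
    return (len(s["paths"]) >= min_paths
            and s["errors"] / s["hits"] >= err_ratio
            and s["probes"] >= min_probes)


def naive_policy(ip, _stats):
    """Blocks only the belligerent's own address space."""
    return "deny" if country_of(ip) == "IR" else "allow"


def hardened_policy(ip, stats, user_base=frozenset({"US", "AU"})):
    """Geo-deny everything outside the served user base, then score behaviour."""
    if country_of(ip) not in user_base:
        return "deny-geo"
    if is_recon(stats):
        return "deny-recon"
    return "allow"


def evaluate(log_text, policy):
    """Return {source_ip: decision} for the given policy."""
    return {ip: policy(ip, s) for ip, s in profile_sources(log_text).items()}


if __name__ == "__main__":
    for name, policy in (("naive", naive_policy), ("hardened", hardened_policy)):
        print(name)
        for ip, decision in evaluate(LOG, policy).items():
            print(f"  {ip:15} {country_of(ip)}  {decision}")
```

Under the naive policy the Russian and Chinese scanners and the US-proxied scanner all pass, which is exactly the gap the source-country figures above describe; the hardened policy geo-denies the first two and catches the third on behaviour alone, while the ordinary US and Australian sessions are untouched. The behavioural thresholds are deliberately conservative (five distinct paths, 60 per cent error responses, two probe-path hits) so that a user mistyping a URL is not blocked; tune them against your own baseline before enforcing.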