NETSCOUT recorded over 8 million DDoS attacks globally in the first half of 2025, including 3.2 million across EMEA. Attacks exceeded 3 Tbps in scale and increasingly targeted critical sectors. The research highlights how hacktivists, AI-driven automation, and DDoS-for-hire services are transforming attacks into geopolitical weapons, posing escalating risks for businesses, governments, and service providers.
The report outlines how DDoS attacks, once viewed primarily as a nuisance, have evolved into precision-guided digital weapons capable of destabilizing communications, transportation, energy, and defense sectors. Hacktivist groups such as NoName057(16) coordinated hundreds of strikes each month, leveraging automation, multi-vector strategies, and even AI-enhanced attack methods to overwhelm defenses. Botnets composed of compromised IoT devices, routers, and servers delivered sustained, high-volume traffic, while DDoS-for-hire platforms lowered barriers to entry, enabling inexperienced attackers to launch sophisticated campaigns at scale.
Key incidents highlighted in the research demonstrate the global impact of this threat landscape. NETSCOUT recorded more than 50 attacks exceeding one terabit per second in volume, with a peak 3.12 Tbps attack in the Netherlands and a 1.5 gigapacket-per-second event in the United States. Geopolitical conflicts further fueled attacks: India’s government and financial institutions faced waves of assaults during heightened tensions with Pakistan in May, while June’s conflict between Iran and Israel generated over 15,000 attacks targeting Iran and nearly 300 against Israel.
880 Daily Botnet DDoS Attacks
Botnet-driven campaigns also intensified. In March alone, NETSCOUT tracked more than 880 bot-powered attacks daily, peaking at 1,600, with durations averaging 18 minutes – long enough to disrupt operations but short enough to evade some mitigation strategies. New actors emerged alongside entrenched groups, including DieNet, which conducted over 60 attacks since March, and Keymous+, responsible for 73 incidents across 23 countries. NoName057(16) retained dominance, claiming 475 attacks in March alone, 337% more than the next most active group, with targets including government websites in Spain, Taiwan, and Ukraine.
“The reality is that traditional defenses are no longer sufficient,” said Richard Hummel, director of threat intelligence at NETSCOUT. “Hacktivists are adopting automation, shared infrastructure, and AI-driven tools like WormGPT and FraudGPT. Even after recent takedowns that disrupted major groups, there is no guarantee they won’t resurface. Organizations must adopt intelligence-driven, proven defenses capable of countering today’s sophisticated attack patterns.”
NETSCOUT’s findings are based on a unique vantage point across global networks, monitoring traffic at scale and securing two-thirds of the routed IPv4 space. With visibility into hundreds of thousands of attack attempts daily, the company underscores the growing urgency for enterprises and service providers to upgrade defenses. As AI-driven automation continues to lower the threshold for conducting DDoS campaigns, NETSCOUT warns that the risk to critical infrastructure, global connectivity, and digital trust will only increase without more advanced and intelligence-led security approaches.
