What is Hacktivism?

Hacktivism Meaning

Hacktivism describes cyberattacks performed with the goal of advancing political or social objectives. These acts often involve unauthorized system access, used not for financial profit, but to voice support for or opposition to causes, governments, or institutions.

The term is a fusion of “hack” and “activism” and was introduced in 1996 by a Cult of the Dead Cow member known as Omega. Since its inception, the term has come to represent a blend of digital protest and cyber interference.

What motivates Hacktivists

Modern hacktivists operate in well-organized, small teams with moderate to advanced technical skills. Their motivations can be broadly categorized into four primary drivers:

Ideological

Ideological motivations are the primary reason for hacktivist activity. These groups usually target those they consider a threat to their beliefs, whether those beliefs are religious, ethical, or geopolitical. Ongoing global conflicts highlight how deeply rooted these ideological divides are.

For example, the pro-Russia collective NoName057(16) brands Ukraine’s supporters as allies of “Ukrainian nazis.” Meanwhile, GlorySec—a group reportedly originating from Venezuela—claims allegiance to Western values and brands itself as anarcho-capitalist. Their stated principles, centered on freedom and market liberalism, place them in opposition to Russia and China, as well as what they label “their proxy regimes” such as Cuba, Nicaragua, Houthi, Hezbollah, and Hamas.

Political

Although less frequent than ideological campaigns, politically motivated cyberattacks aim to alter policies or shape political narratives. One such example is SiegedSec’s attack on Project 2025—a conservative think tank. The group hacked and leaked a 200GB database, claiming that the initiative endangers abortion rights and the LGBTQ+ community. SiegedSec has also participated in operations like #OpTransRights, targeting U.S. institutions deemed hostile to transgender rights.

Figure 1. SiegedSec explaining their political motivations

Nationalistic

Nationalistic hacktivist attacks are less common and often incorporate patriotic imagery or cultural references to justify their actions. For example, the Indian group Team UCC has declared its mission to “amplify Hindu voices” and debunk what it sees as false narratives about Hindu safety in Bangladesh. They have targeted Pakistani government assets under the banner of defending Indian cyberspace.

Similarly, many Russian-aligned hacktivist campaigns include national emblems like bears and flags, framing their attacks as acts of national defense.

Opportunistic

Opportunistic hacktivism is often driven by ease of access rather than ideology. Targets are chosen not for political relevance but for their vulnerability. For example, SiegedSec once compromised a messaging platform simply because its infrastructure was poorly secured. Although the app’s Chinese origin may have played a secondary role, the attackers were primarily motivated by its easily exploitable Amazon S3 buckets. These actors often exhibit youthful indignation, viewing unauthorized access as a justified protest.

Figure 2. SiegedSec describing their attack on a messaging app’s website

How Hacktivism Works

Modern hacktivist groups usually consist of a small core of trusted individuals, who are often online friends or acquaintances that share both technical capabilities and a similar political or religious ideology, which defines the group's alignment.

GlorySec’s founder, under the alias “Charon Wheezy,” described the group's core values in a Telegram post that included a group photo with members at workstations. Meanwhile, SiegedSec’s creator, "Vio," openly identifies as part of the LGBTQ+ community and describes the group as “gay furry hackers” with past affiliations to GhostSec and Anonymous Sudan. These introductions are often a starting point for recruiting other like-minded hackers.

Figure 3. Personal profile of SiegedSec’s founder

Other groups like CyberVolk advertise publicly for new members, paid collaborations, and other opportunities. In contrast, GlorySec seeks insiders from nations like China, Russia, and Venezuela, and can offer as much as $200,000 for access to internal government or corporate systems. The promise of relocation is included as an incentive should any problems arise.

In most groups, a small leadership team is responsible for vetting new members and recruiting directly using their announcement channels. While these hackers often see themselves as defenders of truth or freedom, the reality of legal risks remains a concern. Under pressure, some of these groups, especially those operating in the West, will disband, rebrand, or take evasive action if they are under investigation. SiegedSec, for example, disbanded in July 2024, admitting to cybercrime and citing fear of "the eye of the FBI".

Types Of Hacktivism

DDoS

One of the most common tactics employed by hacktivists is the distributed denial-of-service (DDoS) attack. These campaigns are often coordinated by the core group and carried out by volunteers using HTTP stress tools. Originally designed for testing server capacity, these tools are abused to flood sites with malicious traffic to cause disruptions.

Website takedowns are a favored tactic due to their simplicity. However, DDoS disruptions are typically brief and pose a limited threat to well-defended infrastructures. Significant harm can occur if attacks are timed strategically, like hitting revenue-generating sites such as online casinos or retail platforms during peak hours.

Figure 4. Indian Cyber Forces targeting a Hamas site with DDoS
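
A defender's view of the HTTP floods described above, as an added example that is not part of the original article: it scans web access logs for short windows in which one path and user agent dominates the traffic and arrives from many distinct sources. The combined log format, the thresholds, the documentation-range addresses and the `stress-tool/1.0` user agent are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip, timestamp, request line, status, size, referer, user agent
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Return (epoch_seconds, ip, path, user_agent), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m["ip"], m["path"], m["ua"]

def find_floods(lines, window_s=10, min_requests=40, min_sources=5, min_share=0.8):
    """Flag windows where one (path, user agent) pair dominates and comes from many sources."""
    buckets = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        buckets[rec[0] // window_s].append(rec[1:])
    alerts = []
    for bucket, recs in sorted(buckets.items()):
        if len(recs) < min_requests:          # quiet window, nothing to judge
            continue
        counts = Counter((path, ua) for _, path, ua in recs)
        (path, ua), n = counts.most_common(1)[0]
        sources = {ip for ip, p, u in recs if (p, u) == (path, ua)}
        if n / len(recs) >= min_share and len(sources) >= min_sources:
            alerts.append({"window_start": bucket * window_s, "path": path,
                           "user_agent": ua, "requests": n, "sources": len(sources)})
    return alerts

def sample_log(burst_sources=8):
    """Constructed sample: five ordinary requests, then 60 identical requests in 10 s."""
    fmt = '{ip} - - [10/Mar/2025:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "{ua}"'
    normal = [fmt.format(ip=f"203.0.113.{i}", s=i, p=f"/page{i}", ua="Mozilla/5.0")
              for i in range(1, 6)]
    burst = [fmt.format(ip=f"198.51.100.{i % burst_sources + 1}", s=20 + i % 10,
                        p="/search?q=a", ua="stress-tool/1.0") for i in range(60)]
    return normal + burst

if __name__ == "__main__":
    for alert in find_floods(sample_log()):
        print(alert)
```

The thresholds only make sense relative to a site's normal traffic, so derive them from a baseline of ordinary peak-hour logs. Behind a CDN or load balancer, log the original client address or every request will appear to come from one source.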

Malware

Malware isn’t a go-to method for most hacktivist groups, largely due to its complexity. That said, a few exceptions exist. Some groups develop their own ransomware to fund their operations.

The pro-Ukraine group Twelve reportedly mirrors the tactics of ransomware gangs. However, unlike traditional cybercriminals, they do not request payment. Instead, their malware encrypts, exfiltrates, and sometimes deletes data, which is then shared through their Telegram channel.

In another instance, GlorySec is believed to have distributed malware via USB drives in Venezuela and successfully infiltrated systems across approximately 100 organizations.

Figure 5. GlorySec explaining their malware attack

Doxing

“Doxing,” which is short for “dropping dox,” refers to the malicious practice of gathering and exposing a person's personal information, such as addresses, phone numbers, and financial data, without the victim's consent. It’s a tactic used to harass, intimidate, or harm individuals by making private data public. This approach has gained traction in the age of social media, where vast amounts of personal information are readily available online. While motivations vary, they usually stem from ideological disputes, personal vendettas, or a desire to discredit a public figure.

Hack and leak

Hack-and-leak attacks are becoming increasingly common among today’s hacktivist groups. These attacks involve hacking networks and servers to exfiltrate sensitive data, which is then leaked publicly through file-sharing platforms. This type of attack is usually promoted on a group's Telegram channel. The complexity of this type of attack suggests that there is an advanced recruiting process that prioritizes potential recruits who are skilled in offensive hacking techniques.

Hacktivism Examples

GlorySec

GlorySec identifies as a pro-Western, anti-authoritarian group with roots potentially in Venezuela. The group has openly opposed Russian and Chinese governance and claims to support individual liberty and economic freedom. Their actions target entities they consider authoritarian or repressive, including allies and proxies of these governments, such as Cuba and Hezbollah.

They have also thrown their support behind Taiwan, launching #OpPRC to attack Chinese businesses. They argue that “the PRC is a fake country,” advocating instead for Taiwan’s independence. Meanwhile, Russia-aligned hackers launched a counter-operation, #OpTaiwan, siding with China’s claims.

Anonymous

Anonymous is perhaps the most recognizable hacktivist group, known for its loosely organized structure and iconic Guy Fawkes mask. The collective has attacked both governmental and corporate systems in alignment with various political causes.

Between 2008 and 2012, Anonymous conducted several high-profile attacks. One of their most notable efforts, “Operation Tunisia,” saw the group join forces with local hackers to disrupt eight Tunisian government websites using DDoS attacks. The campaign was part of the broader Arab Spring movement and contributed to global awareness of digital activism.

Figure 6. Hacktivist groups with overlapping motivations
