
Keymous+ blurs hacktivism & commerce amid 700 DDoS attacks
Keymous+ has gained significant visibility on channels such as Telegram and X, formerly known as Twitter, but little is known about its core motives or structure. The group identifies as "North African hackers" and targets a diverse range of countries and sectors, from government and education websites to telecom and financial services, yet appears to lack a unified ideological or political mission.
No clear priorities
The scope and selection of Keymous+ targets display considerable randomness. Attacks have been claimed across dozens of countries, with no clear pattern emerging around specific industries. Recent activity includes incidents against telecom providers in France and India, financial platforms in Morocco and the United Arab Emirates, education sites in Denmark, and manufacturing infrastructure in Israel.
The group sometimes adopts slogans such as "Hack for Humanity" and aligns with wider hacktivist campaigns like #OpIndia or #OpIsrael, but there is little consistency in its stated ideology.
Recent findings from Radware highlight this ambiguity. According to Radware, "One of the most striking features of Keymous+ is the randomness of their targets. The group self-identifies as 'North African hackers' and targets dozens of countries across multiple sectors."
Alliances and coordination
Keymous+ has also become notable for its collaboration with other hacktivist entities. The group often amplifies messages from allied actors and takes part in joint operations such as "Red Eye Op," alongside other groups including NoName057(16), Mr Hamza, AnonSec, Rabbit Cyber Team, Hunter Killerz, and Moroccan Dragons.
These alliances serve to widen Keymous+'s operational reach and enhance its reputation as a central figure within the current hacktivist ecosystem. Radware notes, "Another element that defines Keymous+ activity is its increasing collaboration with other hacktivist entities. Some of these collaborations may also serve as marketing opportunities for shared infrastructure."
This networked approach is becoming characteristic of modern hacktivism, where the visibility and affiliations of a group can be as significant as the tangible impact of its operations.
Internal structure
In public posts, Keymous+ describes itself as having a two-team structure: an "Alpha Team" responsible for breaches and leaks, which is currently inactive, and a "Beta Team" focused on DDoS operations. Radware explains, "Keymous+ describes itself as having a dual-team structure: an 'Alpha Team' responsible for breaches and leaks (currently inactive) and a 'Beta Team' focused on DDoS operations."
The Beta Team has been the more active component of the group in 2025, frequently publishing evidence of attacks using verification tools like Check-Host.net. While such evidence confirms activity, the true scope or effect of these attacks remains uncertain.
Potential commercial interests
There is growing suspicion that Keymous+ may have links to, or operate, a commercial DDoS-for-hire service named EliteStress. Although there is no public admission of ownership, one public statement on X by a Keymous+ representative alludes to involvement in running a "stressor platform," suggesting inside access or possible operational control.
Radware's analysis suggests, "Recent evidence also suggests that Keymous+ may operate—or be closely affiliated with—a commercial DDoS-for-hire service known as EliteStress. While the group does not publicly admit to ownership, a tweet shows a Keymous+ representative boasting about their role in a stressor platform, implying insider access or operational control."
This has led some to conclude that the Beta Team is not only responsible for attacks but may also act as a provider of DDoS-for-hire capabilities.
Marketing approach
Keymous+ is distinctive not only for the number of its claimed attacks but also for its strategic communication. Its messaging often focuses on "power", "uptime", and "stable performance", with recurring mentions of its bots, tools, and connections to external platforms.
These marketing tactics are evident in frequent posts about discounted services or support bots and invitations to Telegram handles like "Join_Elite", all of which align with commercial DDoS services.
Radware stated, "What makes Keymous+ stand out is not just the volume of claimed attacks, but also the tone. Many of their posts emphasize concepts like 'power', 'uptime', and 'stable performance', frequently referencing bots, tools, and links to external platforms."
EliteStress and commercial DDoS
EliteStress is a dedicated stressor website that offers DDoS attacks as a service, with pricing tiers ranging from €5 per day to €600 per month. The platform includes a wide selection of vectors such as DNS amplification, UDP floods, HTTP/2 attacks, and spoofed SSH or ICMP traffic. Users can launch attacks by selecting a target IP, choosing a vector, and setting the attack duration.
This platform differentiates itself with an accessible interface and integration with Telegram bots, a feature often highlighted in Keymous+ messaging.
Radware's research notes, "While many such services exist on the darknet, EliteStress is noteworthy for its sleek interface and integration with Telegram bots—a feature often promoted in Keymous+ announcements."
Evolving motivations
Keymous+ presents itself as a politically motivated hacktivist collective, but recent indications suggest a possible commercial agenda. Radware concluded, "Keymous+ presents itself as a politically motivated hacktivist collective, but recent indicators suggest it could be operating as—or closely tied to—a commercial DDoS-for-hire service. Their branding, collaborations, and tone shifted from ideological motives toward a more calculated strategy to build visibility, credibility, and possibly revenue. While their true structure remains opaque, the line between hacktivism and profit-driven operations appears increasingly blurred."
The group's trajectory highlights ongoing changes in the landscape of cyber-activism, where political and financial motivations may overlap or shift over time.

Related Articles


Techday NZ
3 days ago
- Techday NZ
LevelBlue & Akamai launch managed service for web app security
LevelBlue and Akamai have announced a partnership to deliver new managed web application and API protection services designed to aid organisations in consolidating, simplifying, and scaling their security operations.
Service overview
The partnership introduces LevelBlue Managed Web Application and API Protection (WAAP), a security service built to provide adaptive, continuous protection to help mitigate risks and reduce the operational demands linked with securing web applications and APIs. The service incorporates Akamai's App & API Protector technology, featuring web application firewall (WAF), distributed-denial-of-service (DDoS) mitigation, bot protection, and foundational API security. This technology is integrated with expertise from LevelBlue's dedicated WAAP Operations team.
Against a backdrop of expanding application deployment and usage of APIs, organisations worldwide are facing increased challenges. Research from Enterprise Strategy Group highlights that the average number of web applications per organisation is expected to rise from 145 to more than 200 over two years. The proportion of organisations with over half of their applications using APIs is forecasted to climb from 32% to 80% over the same period.
Challenges for security teams
Security teams are contending with several critical challenges, including the need to discover application and API deployments, scale protections appropriately, swiftly identify and mitigate attacks, and ensure that security measures do not detract from performance. Added to these obstacles are staff shortages and a proficiency gap, with half of midmarket organisations reporting it is harder to secure web apps and APIs than it was two years ago. Many seek external support and more straightforward, consolidated solutions as environments grow more complex. LevelBlue Managed WAAP aims to tackle these requirements by delivering measurable outcomes in security and simplifying operational processes.
Industry perspectives
"Today, a surprising number of organisations rely on multiple tools that are not purpose-built for web application and API security - leading to complexity, silos, and rising costs," said Sundhar Annamalai, President of LevelBlue. "LevelBlue offers an alternative: proven services that consolidate and simplify protections with predictable investment. By combining LevelBlue's operational expertise with Akamai's proven technology, organisations can stay ahead of evolving threats and create cyber resilience for critical digital capabilities."
The service is available in two tiers, Essential and Advanced, giving organisations flexibility to select the level of support most suited to their requirements. Key features include:
- Round-the-clock support and advisory from a fully operational team of WAAP specialists
- Automatic identification and classification of web applications and APIs, with scalable protection prioritised for exposed or sensitive data-handling assets
- AI-powered threat detection combined with global threat intelligence to identify anomalies and adapt to emerging attack vectors
- Expert-led, automated policy management to improve efficiency, reduce false positives, and align with contemporary DevOps workflows
The prevalence and complexity of online threats continues to increase. In 2024, Akamai reported witnessing over 311 billion web application attacks, highlighting the need for robust protection as organisations accelerate digital adoption and AI-powered attacks become more sophisticated.
"In 2024 alone, Akamai saw over 311 billion web app attacks. As AI accelerates, threats are harder to spot, and security is tougher to control," said Rupesh Chokshi, Senior Vice President and General Manager of Akamai's Application Security Portfolio. "Akamai and LevelBlue's partnership gives customers access to a trusted, reliable team that combines industry-leading technology with the deep operational expertise of one of the world's largest MSSPs. It's a powerful combination with a flexible solution that can fast-track organisations to resilient protection and compliance."


Techday NZ
08-08-2025
- Techday NZ
DDoS attacks surge 364% in APAC, driven by AI & hacktivists
Radware has reported a significant escalation in Distributed Denial of Service (DDoS) attack activity across the Asia-Pacific (APAC) region, with average attack volumes increasing by 364% compared to the previous year. The data from Radware's threat intelligence research, which encompasses information from the company's cloud and managed services along with publicly available data from the Telegram messaging platform, provides a detailed overview of recent trends and targets in network and application-based cyberattacks.
Sharp escalation
According to the company, the frequency and intensity of DDoS incidents are outpacing previous years in the region. Kenichiro Sasaki, Country Manager for Radware in Japan, noted the changing landscape of threats facing organisations:
"Across APAC, there has been a sharp escalation in the frequency and intensity of cyberattacks and DDoS incidents are leading the charge. Multiple catalysts are driving the threat revolution, including geopolitical conflicts, bigger and more complex threat surfaces, and more sophisticated and persistent threats. Add to that the impact of AI, which is lowering barriers to entry, and what you have is a highly dynamic threat environment that demands equally dynamic defense strategies."
The company's analysis reveals that, from 2023 to 2024, the average number of network DDoS attacks per customer increased by 72%. Service providers were the primary targets, receiving 55% of the attack volume, while the technology and gaming sectors followed with 21% and 11% respectively.
Network-layer and application-layer attacks
Network-layer DDoS attacks have increased threefold in average size during this period. Concurrently, Layer 7 (application-layer) DNS DDoS attacks have also grown considerably, with the number of DNS flood queries and malicious DNS volumes both rising by 93% over the previous year. The manufacturing sector was most impacted by these DNS flood activities, accounting for 43% of the malicious queries, while telecom and energy sectors comprised 40% and 14% respectively.
Radware's research indicates that the broadening digital infrastructure in APAC, coupled with persistent global tensions and the emergence of advanced AI capabilities, are increasing the region's susceptibility to a diverse range of cyber threats.
Hacktivist campaigns intensify
Hacktivist-led cyberattack campaigns have maintained their momentum globally and regionally, with targeted DDoS attacks surging in response to ongoing political and ideological unrest. Data gathered from Telegram indicates a 20% global rise in hacktivist-claimed attacks between 2023 and 2024. Within APAC, India emerged as the most targeted country with 761 claimed attacks, followed by Indonesia with 614, Taiwan with 281, Thailand with 220, and Bangladesh with 188.
The report identifies government institutions as the most commonly targeted group among hacktivists in the region, accounting for 17% of the activity. This was followed by the education sector at 12% and the finance sector at 9%. The threat actor known as Executor DDoS was the most active in APAC, laying claim to 513 DDoS attacks. This was followed by RipperSec with 467 attacks and NoName057(16) with 362 attacks.
Industry perspectives
The findings reflect broader industry concerns regarding the increasing complexity of cyberattacks and the involvement of AI, which is perceived as reducing the technical barrier of entry for attackers and enabling more frequent and complex campaigns. As the threat landscape evolves, the need for adaptable and advanced defensive strategies is highlighted across affected sectors such as service providers, technology, gaming, manufacturing, telecoms, and energy. Radware's intelligence underscores the ongoing challenges facing APAC organisations as they address the growing risks and implement strategies aimed at safeguarding their digital operations against a changing backdrop of cyber threats.


Techday NZ
30-07-2025
- Techday NZ
Quadruple extortion ransomware rises in Asia Pacific region
The Akamai State of the Internet (SOTI) report has identified a shift in ransomware tactics in the Asia Pacific region, with quadruple extortion methods emerging alongside sustained use of double extortion techniques. The report, titled "Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape," details how cybercriminals are incorporating an increasingly complex mix of threats and pressure on their victims.
While double extortion ransomware, which involves encrypting a victim's data and threatening public release unless ransoms are paid, remains prevalent, the new quadruple extortion methods now include Distributed Denial of Service (DDoS) attacks and pressure exerted on customers, partners or the media to intensify the coercion.
Steve Winterfeld, Advisory CISO at Akamai, outlined the expanding risk landscape facing organisations. "Ransomware threats today are not just about encryption anymore. Attackers are using stolen data, public exposure, and service outages to increase the pressure on victims. These methods are turning cyberattacks into full-blown business crises, and are forcing companies to rethink how they prepare and respond."
Ransomware accounted for a significant share of total data breaches in Asia Pacific in 2024, with the report warning that organisations must enhance cyberdefence strategies and test resilience capabilities in order to prevent major disruptions.
Regional impacts
According to the report, groups such as LockBit, BlackCat/ALPHV, and CL0P continue to pose major threats in the region, although newcomers Abyss Locker and Akira are growing in prevalence. These syndicates have prioritised critical sectors, with healthcare and legal services identified as primary targets. High-profile incidents in recent months include the Abyss Locker breach, which resulted in the theft of 1.5TB of sensitive data from Australia's Nursing Home Foundation, and a USD $1.9 million extortion payout by a Singapore-based law firm following an Akira ransomware incident.
Emergence of hybrid actors
The report notes the growing activity from hybrid ransomware activist groups, some of which leverage ransomware-as-a-service (RaaS) to expand operational reach. Groups such as RansomHub, Play, and Anubis have been implicated in attacks on small and medium-sized enterprises, healthcare organisations, and educational institutions across Asia Pacific. Targets include an Australian in vitro fertilisation clinic and several medical practices affected by these syndicates.
Compliance complexity
A key theme highlighted is the increasingly complicated compliance landscape facing affected businesses. In Asia Pacific, uneven regulatory maturity and fragmented data protection laws have enabled cybercriminals to exploit gaps and delays in incident response. The report outlines how non-compliance risks differ significantly, citing Singapore's Personal Data Protection Act (PDPA) – with fines up to 10% of annual revenue – compared to potential criminal penalties in India, and the lack of formal financial penalties in Japan. These variations create a patchwork of obligations that multinational firms must navigate whilst managing the onset of a ransomware crisis.
Zero Trust and defence strategies
The report urges organisations to focus on the adoption of Zero Trust architectures and microsegmentation in order to address the challenges of modern ransomware threats. Case studies include a regional consulting firm in Asia Pacific deploying software-defined microsegmentation, which facilitated restrictive access controls and limited the spread of an attack within its network.
Reuben Koh, Director of Security Technology and Strategy, Asia-Pacific & Japan at Akamai, commented on the regional context and the growing expectations on security teams. "Asia-Pacific's digital economy is one of the fastest growing in the world, largely due to its rapid pace of innovation. However, security teams are being challenged to keep up with a frequently expanding attack surface, and Ransomware attacks tend to target those blind spots. Organisations need to re-assess their security posture and double-down in their efforts to be more cyber resilient. Adopting Zero Trust architectures that are centred around verified access and microsegmentation are a good way to minimise the impact of a ransomware attack. Together with regular recovery drills and incident response simulations, these will become core essentials in improving cyber resilience against attacks like ransomware."
Global trends
On a global scale, the report identifies that the rise of generative artificial intelligence (GenAI) and large language models (LLMs) is accelerating both the frequency and sophistication of ransomware attacks by lowering the technical barriers for attackers. The use of ransomware-as-a-service is also broadening the base of active threat actors, with many campaigns motivated by political or ideological factors as well as financial gain.
The research highlights that almost half of the cryptomining attacks analysed targeted nonprofit and educational organisations, indicating resource constraints make these sectors a frequent target. Additionally, the Trickbot malware family, used extensively by ransomware operators, has enabled the extortion of USD $724 million in cryptocurrency from victims globally since 2016.