09-07-2025
Keymous+ blurs hacktivism & commerce amid 700 DDoS attacks
Cybersecurity analysts are examining the activities of a group calling itself Keymous+, which has claimed responsibility for over 700 distributed denial of service (DDoS) attacks since late 2023 across regions including Europe, North Africa, the Middle East, and parts of Asia.
Keymous+ has gained significant visibility on channels such as Telegram and X, formerly known as Twitter, but little is known about its core motives or structure. The group identifies as "North African hackers" and targets a diverse range of countries and sectors, from government and education websites to telecom and financial services, yet appears to lack a unified ideological or political mission.
No clear priorities
The scope and selection of Keymous+ targets display considerable randomness. Attacks have been claimed across dozens of countries, with no clear pattern emerging around specific industries. Recent activity includes incidents against telecom providers in France and India, financial platforms in Morocco and the United Arab Emirates, education sites in Denmark, and manufacturing infrastructure in Israel.
The group sometimes adopts slogans such as "Hack for Humanity" and aligns with wider hacktivist campaigns like #OpIndia or #OpIsrael, but there is little consistency in its stated ideology.
Recent findings from Radware highlight this ambiguity. According to Radware, "One of the most striking features of Keymous+ is the randomness of their targets. The group self-identifies as 'North African hackers' and targets dozens of countries across multiple sectors."
Alliances and coordination
Keymous+ has also become notable for its collaboration with other hacktivist entities. The group often amplifies messages from allied actors and takes part in joint operations such as "Red Eye Op," alongside other groups including NoName057(16), Mr Hamza, AnonSec, Rabbit Cyber Team, Hunter Killerz, and Moroccan Dragons.
These alliances serve to widen Keymous+'s operational reach and enhance its reputation as a central figure within the current hacktivist ecosystem. Radware notes, "Another element that defines Keymous+ activity is its increasing collaboration with other hacktivist entities. Some of these collaborations may also serve as marketing opportunities for shared infrastructure."
This networked approach is becoming characteristic of modern hacktivism, where the visibility and affiliations of a group can be as significant as the tangible impact of its operations.
Internal structure
In public posts, Keymous+ describes itself as having a two-team structure: an "Alpha Team" responsible for breaches and leaks, which is currently inactive, and a "Beta Team" focused on DDoS operations. Radware explains, "Keymous+ describes itself as having a dual-team structure: an 'Alpha Team' responsible for breaches and leaks (currently inactive) and a 'Beta Team' focused on DDoS operations."
The Beta Team has been the more active component of the group in 2025, frequently publishing evidence of attacks using verification tools like While such evidence confirms activity, the true scope or effect of these attacks remains uncertain.
Potential commercial interests
There is growing suspicion that Keymous+ may have links to, or operate, a commercial DDoS-for-hire service named EliteStress. Although there is no public admission of ownership, one public statement on X by a Keymous+ representative alludes to involvement in running a "stressor platform," suggesting inside access or possible operational control.
Radware's analysis suggests, "Recent evidence also suggests that Keymous+ may operate—or be closely affiliated with—a commercial DDoS-for-hire service known as EliteStress. While the group does not publicly admit to ownership, a tweet shows a Keymous+ representative boasting about their role in a stressor platform, implying insider access or operational control."
This has led some to conclude that the Beta Team is not only responsible for attacks but may also act as a provider of DDoS-for-hire capabilities.
Marketing approach
Keymous+ is distinctive not only for the number of its claimed attacks but also for its strategic communication. Its messaging often focuses on "power", "uptime", and "stable performance", with recurring mentions of its bots, tools, and connections to external platforms.
These marketing tactics are evident in frequent posts about discounted services or support bots and invitations to Telegram handles like "Join_Elite", all of which align with commercial DDoS services.
Radware stated, "What makes Keymous+ stand out is not just the volume of claimed attacks, but also the tone. Many of their posts emphasize concepts like 'power', 'uptime', and 'stable performance', frequently referencing bots, tools, and links to external platforms."
EliteStress and commercial DDoS EliteStress is a dedicated stressor website that offers DDoS attacks as a service, with pricing tiers ranging from €5 per day to €600 per month. The platform includes a wide selection of vectors such as DNS amplification, UDP floods, HTTP/2 attacks, and spoofed SSH or ICMP traffic. Users can launch attacks by selecting a target IP, choosing a vector, and setting the attack duration.
This platform differentiates itself with an accessible interface and integration with Telegram bots, a feature often highlighted in Keymous+ messaging.
Radware's research notes, "While many such services exist on the darknet, EliteStress is noteworthy for its sleek interface and integration with Telegram bots—a feature often promoted in Keymous+ announcements."
Evolving motivations
Keymous+ presents itself as a politically motivated hacktivist collective, but recent indications suggest a possible commercial agenda. Radware concluded, "Keymous+ presents itself as a politically motivated hacktivist collective, but recent indicators suggest it could be operating as—or closely tied to—a commercial DDoS-for-hire service. Their branding, collaborations, and tone shifted from ideological motives toward a more calculated strategy to build visibility, credibility, and possibly revenue. While their true structure remains opaque, the line between hacktivism and profit-driven operations appears increasingly blurred."
The group's trajectory highlights ongoing changes in the landscape of cyber-activism, where political and financial motivations may overlap or shift over time.
