The war didn’t stop at Iran’s borders, it moved online
Cyber conflict has escalated beyond borders following US-Israeli strikes on Iran, with hacktivists and state-backed actors launching global attacks. The crisis has fuelled a cybercrime economy, creating cover and opportunity. Critical infrastructure such as energy and aviation is under serious threat. Financially motivated cybercrime has surged, targeting everyday users with sophisticated scams.
When Iran’s internet traffic dropped to just 1-4% of normal levels after coordinated US–Israeli strikes in late February, the country didn’t simply go offline — it all but disappeared from the global internet, according to network monitoring data cited by cybersecurity firms.
But even as connectivity inside Iran collapsed, the cyber conflict didn’t. It spilled outward. Operations continued beyond its borders, driven by a mix of state-backed actors, proxies and opportunistic hackers who don’t need a functioning domestic internet to keep going.
In the weeks since, researchers have tracked a sharp spike in global threat activity linked to the conflict — from coordinated campaigns by dozens of hacktivist groups to waves of phishing, scams and disruptive intrusions targeting organisations far outside the Middle East.
What’s emerging isn’t just a parallel cyberwar. It’s something messier: modern conflict is now feeding a shadow economy of cybercrime, where geopolitical crises double up as both cover and opportunity — and attacks keep moving even when countries themselves go dark.
From missiles to malware
The latest escalation began on February 28, when the United States and Israel launched coordinated strikes on Iranian military and nuclear targets. Almost in parallel, a cyber offensive unfolded.
Websites were defaced. Government-linked platforms were disrupted. A widely used religious app, BadeSaba — with more than 5 million downloads — was hacked to display messages urging users to rise up and abandon the regime, according to Reuters.
News outlets and state-linked media platforms were also hit. Iranian state news agency IRNA was taken offline for a period, while the IRGC-linked Tasnim website faced disruptions and message defacements, according to The Jerusalem Post.
The scale suggested something more coordinated than isolated attacks. Western intelligence sources cited by The Jerusalem Post said the cyber operations were aimed at disrupting Iran’s ability to coordinate a response, including limiting communications and degrading command systems.
According to cybersecurity firm Palo Alto Networks’ Unit 42, the conflict quickly extended into cyberspace, pulling in both state-backed actors and loosely aligned hacktivist groups.
These attacks don’t begin when the first strike lands. By the time missiles hit, attackers are often already inside networks — mapping systems, gathering intelligence and identifying weak points they can exploit later.
“Cyber isn’t usually the decisive weapon on its own; it’s a force multiplier,” Tal Kollender, a former Israeli military cyber-defence specialist, told the BBC.
Early indicators suggest the cyber campaign may have been underway even before the strikes. Cybersecurity firm Anomali told Reuters that Iranian state-backed groups were already carrying out wiper attacks targeting Israeli systems ahead of the escalation.
CrowdStrike also observed activity consistent with Iranian-aligned actors conducting reconnaissance and initiating denial-of-service attacks, Adam Meyers, senior vice president of counter adversary operations, told Reuters.
At the same time, researchers observed a surge in hacktivist mobilisation. CloudSEK said it tracked more than 150 claimed hacktivist incidents between February 28 and March 1, largely involving DDoS attacks, website defacements and data breach claims tied to the conflict.
An already expanding baseline
This surge isn’t happening in a vacuum. It’s building on a cybercrime ecosystem that was already growing — and getting faster.
According to the World Economic Forum’s Global Cybersecurity Outlook 2026, 77% of organisations globally have reported a rise in phishing and fraud, while 73% of individuals have experienced cyber-enabled crime. At the same time, the average number of weekly cyberattacks per organisation has more than doubled in recent years, from 818 to 1,984.
The speed of attacks is also shrinking response windows. In some cases, breaches now move from initial access to data exfiltration in under 72 minutes.
That’s the baseline into which the US–Iran conflict has now landed.
Critical infrastructure in the crosshairs
What’s different this time is the scope — and the targets.
Beyond websites and media systems, the early cyber campaign appears to have targeted deeper infrastructure. CloudSEK said the attacks likely combined denial-of-service campaigns, electronic interference and network intrusions targeting sectors such as energy, aviation and government systems.
In late March, Unit 42 identified a new cluster of activity linked to a group known as Cyber Av3ngers, targeting industrial control systems used in manufacturing and utilities. The focus was on software from Rockwell Automation — the kind that quietly runs factories, energy grids and other critical infrastructure.
Researchers identified more than 5,600 internet-connected devices globally using such systems, underlining how exposed they are.
Warnings from the US Cybersecurity and Infrastructure Security Agency echoed this, flagging attempts to exploit programmable logic controllers — small but critical components that automate everything from water supply systems to power grids.
These risks are no longer theoretical. Earlier in March, Reuters reported that an Iran-linked group deployed wiper malware against US-based medical technology firm Stryker Corporation, disrupting operations and delaying procedures. That kind of disruption can translate directly into real-world consequences — from postponed surgeries to interruptions in essential services.
Elsewhere, hackers have probed water and energy systems, raising concerns about vulnerabilities in everyday infrastructure.
The rise of cyber opportunists
But the bigger shift may be happening outside state-backed operations.
Alongside these attacks, cybersecurity firms are tracking a parallel surge in financially motivated cybercrime — often piggybacking on the chaos.
Unit 42 recorded more than 7,300 conflict-themed phishing URLs across nearly 1,900 domains in March alone. These ranged from fake charity drives and crypto scams to spoofed telecom portals and banking sites.
Attackers are impersonating airlines, law enforcement and government systems, using increasingly polished techniques — rotating domains, chaining subdomains, mimicking official workflows — to slip past detection.
And it’s not just large organisations in the crosshairs. Much of this activity is aimed at everyday users, especially through mobile-first attacks.
The playbook is familiar: urgency, fear, and just enough plausibility. A bank alert. A utility warning. A government notice. Messages designed to look routine — and therefore easy to trust.
For users, that could mean anything from disrupted services to a spike in targeted scam messages playing on fears around fuel prices or government advisories.
The US Federal Trade Commission has flagged similar trends — from fraudsters posing as bank officials warning of “Iran-linked” transactions to fake military romance scams and sham charities.
“The details change, but the scammer’s goal is always the same,” the FTC noted — to extract money or sensitive data.
Blurring lines between war and crime
This overlap isn’t accidental.
The World Economic Forum says 91% of large organisations are already reworking their cybersecurity strategies in response to geopolitical instability.
What this conflict underscores is a trend that’s been building for years: the erosion of clear lines between state actors, proxies and criminals.
Cybersecurity analysts say Iran has increasingly relied on a mix of formal state-linked cyber units and loosely affiliated hacktivist or proxy groups — a model that allows it to extend operations while maintaining plausible deniability.
Unit 42 has identified dozens of such groups active in the current conflict, carrying out everything from DDoS attacks to data leaks and infrastructure probing.
Some, like the Handala Hack group, have paired cyberattacks with psychological operations — leaking personal data or issuing threats to amplify pressure.
“This is about coercive signalling as much as disruption,” analysts say.
A global ripple effect
Cybersecurity firm CloudSEK notes that “second-order” countries — those not directly involved — are increasingly exposed. That includes major economies such as India, Japan and several European states.
The risks span espionage, ransomware, supply chain disruptions and disinformation. In a tightly connected global system, vulnerabilities don’t stay contained.
There are already early signs of spillover. Companies across finance, energy and transport have been targeted, while disruptions to shipping routes — particularly through the Strait of Hormuz — are starting to ripple into global trade.
In India, those risks are becoming more tangible. A March 2026 advisory by the Data Security Council of India warned that sectors ranging from energy and finance to IT services could face elevated cyber threats.
With a large share of India’s energy imports passing through the Strait of Hormuz, any cyberattack on Gulf infrastructure or shipping systems could worsen supply disruptions and hit domestic markets.
The report also pointed to the IT services sector as a potential weak link — where a breach at a single vendor could cascade across global clients. Financial institutions, meanwhile, face renewed exposure to ransomware and supply-chain attacks.
“Geographic distance offers no defence,” Sami Khoury, Senior Official for Cybersecurity at the Government of Canada, told the World Economic Forum.
The new normal of conflict
If there’s one takeaway, it’s this: cyber conflict doesn’t end when the fighting stops.
“The ceasefire does not end the cyber conflict; it changes its rhythm,” Alexander Leslie, a senior adviser at Recorded Future, told The New Yorker.
Unlike conventional warfare, cyber operations can linger — quietly probing systems, harvesting data, waiting for the next opening.
And increasingly, those openings aren’t limited to states.
The tools of cyberwar, once tightly held by governments, are now far more accessible. Add AI lowering technical barriers and global crises offering ready-made narratives, and even relatively low-skilled actors can mount convincing attacks.
The result is a threat landscape that’s more crowded, more chaotic and harder to predict.
War, in this sense, is no longer just destructive. It’s generative — creating new actors, new incentives and new risks. And as the US–Iran conflict shows, those risks rarely stay on the battlefield.

