
On March 10, X, the social media company led by Elon Musk, suffered an outage that affected thousands of users. The outage came into the spotlight after Musk himself said on X that the company was experiencing a “massive cyberattack.”
The cyber incident has been identified as a distributed denial-of-service (DDoS) attack. A pro-Palestinian group dubbed Dark Storm Team claimed responsibility for the attack via a Telegram post.
In this report, we break down what we know about the security incident. We also focus on how DDoS attacks have modernized and how this affects you, the end-user.
40,000 users report outages as X is hit with back-to-back DDoS attacks
According to Downdetector, a platform tracking real-time availability of websites and services, X suffered 3 outages on Monday. The first took place at 5:30 am ET. This was followed by another around 9:30 am. Outages continued past 1:30 pm.
In total, the X DDoS attack affected thousands of users, with 40,000 of them reporting the problem. While the security incident could have been much worse in terms of user impact, the incident took center stage in breaking world news due to the high-profile nature of X and Musk.
DDoS cyberattacks have been around for a long time. However, the DDoS attacks of the late 90s are nothing like modern DDoS attacks. Today, hacktivist groups like Dark Storm Team and other nation-state-supported hackers use DDoS attacks to shut down government sites. These groups seed chaos during elections, target financial institutions to cause market losses and disruptions, and go after popular websites that are critical to the general public.
Some cybercriminal organizations also use DDoS attacks to pressure companies into paying extortion sums to recover websites and online availability. But mostly, modern DDoS attacks are used for “political messaging.”
DDoS attacks do not breach an organization’s infrastructure. They cannot be used to steal user or company data or encrypt files. Rather, they simply flood a website with fake and malicious traffic (requests), causing it to go offline or malfunction.
Who is behind the DDoS attack on X?
The big question now is who is behind the cyberattacks against X.
Musk said on his platform that, due to the size of the cyberattack, the incident was most likely a nation-state-supported incident or had been run by a large cybercriminal organization.
Musk’s statement seemed to be prophetic. Only a couple of hours later, the pro-Palestinian hacktivist group Dark Storm Team claimed responsibility for the attack on Telegram. The question seemed settled, with the claim signaling that the attack was most likely related to the Israel-Gaza conflict in the Middle East.
However, Dark Storm Team did not provide evidence to prove that they were, as they claimed, behind the outages.
In an interview with Fox, Musk said there was evidence that some of the IPs that flooded X originated from the Ukraine area. These comments caused a shift in the narrative.
With Musk leading the Department of Government Efficiency (DOGE) and supporting President Trump — who recently clashed with President Zelensky as US aid for Ukraine faded — the conversation rapidly shifted away from the Middle East to Ukraine and Russia.
The plot thickened further as cybersecurity experts analyzed the information they had. Was the attack linked to pro-Palestine hackers or Ukraine IPs? Most concluded that it could be both.
A hacktivist group like Dark Storm Team could have launched a massive DDoS attack against X and used IP addresses from the Ukraine region. As any cybersecurity expert will agree, IPs in a DDoS attack do not imply attribution.
To understand this, let’s look at how modern DDoS attackers operate.
How modern DDoS attacks work
Modern DDoS cyberattacks have evolved not only in terms of scale and volumetric floods but also in the new technologies they utilize, such as multi-vector techniques that target various layers of network infrastructure.
Modern DDoS attacks are launched using botnets — global or regional networks of infected devices that generate traffic from different IPs to flood a site. Cybercriminals can also turn to malicious cloud server infrastructures. This can be even more resilient than infected computers or devices, moving away from traditional botnets altogether.
These new types of DDoS attacks are complex and sophisticated. They combine volumetric, protocol, and application-layer methods to overwhelm not just network bandwidth but also specific application resources, making detection, investigation, and mitigation far more challenging.
Technologies like peer-to-peer (P2P) botnet architectures, which eliminate single points of failure, make attackers even more effective. To make matters worse, in the malware-as-a-service industry, criminals and hacktivists can turn to gangs that offer “DDoS-for-hire” on the dark web. These gangs will do all the heavy lifting. The process dramatically lowers the technical bar required for organizations or individuals to wield these dangerous cyberweapons.
Fake traffic and IP address locations
As explained, fake traffic flooding a site in a DDoS can come from a botnet composed of thousands or millions of infected devices. It can also be from malicious infrastructure created by cybercriminals, as well as DDoS-for-hire groups that will use different resources. However, no matter which of these DDoS execution models is used, in all cases, the attacker needs a large number of IPs (infected bots or endpoints) to generate traffic and requests on a targeted site.
This is why it is possible that Dark Storm Team’s claims and Musk’s comments are not necessarily contradictory. The pro-Palestinian group could be behind the attack, and the IPs could have also originated from the Ukraine region. As the father of quantum theory, Niels Bohr, once said, “The opposite of a profound truth is not a lie but may also be another profound truth.”
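The point above, that a flood is spread across a large number of source IPs, is why a per-IP rate limit alone misses it while aggregate signals catch it. The following Python sketch is an added example, not part of the original report: the log window, IP addresses, country codes and thresholds are all constructed assumptions. It also tallies source countries, which shows where the infected hosts sit, not where the operator is.

```python
from collections import Counter

PER_IP_LIMIT = 20      # assumed per-source limit, requests per window
BASELINE_TOTAL = 200   # assumed normal total requests per window
BASELINE_SOURCES = 50  # assumed normal distinct sources per window

def build_window():
    """Constructed one-minute sample: one (source_ip, country) per request."""
    events = []
    # 40 ordinary clients, 4 requests each (documentation range 198.51.100.0/24)
    for i in range(40):
        events += [(f"198.51.100.{i}", "US")] * 4
    # 600 constructed bots, 5 requests each: every bot stays below PER_IP_LIMIT
    for i in range(600):
        country = "UA" if i % 4 else "BR"  # location of the infected host
        events += [(f"10.{i // 250}.{i % 250}.7", country)] * 5
    return events

def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """Sources that a classic per-IP rate limit would block."""
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n > limit)

def aggregate_alert(events, factor=5):
    """Alert when total volume and distinct-source count both exceed
    the assumed baselines by the given factor."""
    distinct = len({ip for ip, _ in events})
    return (len(events) > factor * BASELINE_TOTAL
            and distinct > factor * BASELINE_SOURCES)

def source_country_counts(events):
    """Distinct sources per country: describes the bots, not the attacker."""
    country_of = {ip: country for ip, country in events}
    return Counter(country_of.values()).most_common()

if __name__ == "__main__":
    window = build_window()
    print("per-IP offenders:", per_ip_offenders(window))
    print("aggregate alert:", aggregate_alert(window))
    print("sources by country:", source_country_counts(window))
```
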
Do IPs imply attribution in DDoS cyberattacks? Do cybercriminals claim responsibility for attacks they did not commit?
In DDoS digital forensics, the IPs found to be generating traffic in no way signal attribution. A site might be flooded by malicious traffic from a specific country, but that does not mean that the attacker is based in that country.
In fact, a cybercriminal group could complicate an investigation by generating malicious traffic from a specific region different from that in which they operate. Cybercriminals leave these kinds of fake digital breadcrumbs to throw investigators off their tracks and complicate attribution.
It is also worth noting that Dark Storm Team’s claims could be false. Cybercriminal gangs and hacktivists have been known to take credit for large cyberattacks they did not commit. They do this simply because it’s a good opportunity to draw the spotlight to their cause, business, or message while strengthening their “bad boy” reputation.
The reality is that, at this point, without any hard evidence or the results of a robust investigation, it would be irresponsible to establish attribution to any group or individual. One thing is certain. X and Musk are now prime targets for nation-state-supported groups, hacktivists, cybercriminals, and criminal gangs, thanks to Musk’s position of power and place in the spotlight. These are 2 things cybercriminals often cannot resist.
How does the DDoS attack on X affect you, the end user?
In reality, a DDoS attack against a social media platform that causes an outage lasting a couple of hours and affecting only a small portion of its users has little to no effect on you as an end user.
End users might have trouble signing in for a couple of hours. They might get stuck in a refresh or see an error page. But, as mentioned, end-user data is never at risk from a DDoS cyberattack because these attacks never breach the digital infrastructure or system of an organization. They just flood the gates from the outside. For someone running a business on X, the impact could be a bit more complex and might lead to momentary downtime costs.
This does not mean that modern, large-scale DDoS attacks do not pose a real danger. They can lead to millions in damages and can impact end users or the general public. For example, a DDoS attack targeting a government website, a financial organization, or technology that connects the world could lead to high costs in mitigation, public communications, investigation, and remediation, depending on the target and the duration of the outage.
The most common modern DDoS attacks usually happen during elections or are triggered by international geopolitical events. Again, these attacks seek to sow confusion among the population and disrupt those who provide critical services to the people.
Final thoughts
With only 40,000 users reporting disruptions, the X outage ranks as minor in the broader DDoS cyberattack scale. The only reason the world is talking about it is because of who and what these black hat hackers targeted.
Despite the media noise, this incident is a stark reminder and an early warning of the powerful capabilities that modern DDoS technologies have.
Large-scale DDoS cyberattacks are expected to play out throughout 2025, likely driven by geopolitical conflicts and executed by hacktivists or nation-state-supported gangs who have access to incredibly capable DDoS technologies.