Massive DDoS on X: Dark Storm or Cyber Fog?

Written by Pedro Umbelino
Principal Research Scientist

I can’t tweet, erm, post!

Earlier this week, users of the X (formerly Twitter) social network were either unable to access the platform or experienced some form of service degradation. On March 10, 2025, reports emerged of users worldwide being unable to log in, post, or view content. This incident was later attributed to a large-scale distributed denial-of-service (DDoS) attack targeting X's infrastructure.

Naturally, Bitsight TRACE went to look at our available data sources and quickly confirmed that this was indeed a DDoS attack, mostly involving IoT devices (e.g. IP cameras, DVRs, routers). In the past, we’ve mentioned the dangers of having these kinds of devices exposed. It is interesting to note that most of the traffic does indeed come from specific geographies. But no, it's not coming from Ukraine. One of the countries that seemed to be driving most of the IoT traffic attacking X is, well, South Africa, which I found somewhat ironic.

How it started

On Monday morning, some users started to notice they were unable to log in or refresh their X content. Downdetector, a website and service that aggregates user reports about sites they have trouble accessing, began receiving an influx of reports.

(Image: Twitter outage timeline; source: DownDetector)

Shortly after, Elon Musk stated on X that there was in fact an ongoing attack and it was perpetrated by “either a large, coordinated group and/or a country.” Following that, Dark Storm, a cyber hacking group founded in 2023, took credit for the attack in a Telegram channel.

Dark Storm Team is known for selling DDoS as a service in underground channels, including Telegram:

(Image: Dark Storm pricing)

Dark Storm Team has collaborated with several politically motivated cybercriminal operations, including Russia-based Killnet, in addition to Islamist-oriented groups Anonymous Sudan, Ghosts of Palestine, and SN BlackMeta (aka DarkMeta). Based on these groups' timestamps and activity patterns, their members may operate in time zones associated with the Middle East/Eastern European (UTC+2 to UTC+4) and Moscow (MSK, UTC+3). Anonymous Sudan and SN BlackMeta share TTPs, and both groups' Telegram channels were created from within Russia.

Several security experts analyzing the incident identified it as a DDoS attack carried out by a botnet. They stated that the attackers exploited the fact that certain X origin servers were not adequately protected behind Cloudflare's DDoS mitigation services and were directly exposed to the Internet. Because of this misconfiguration, the attackers could direct traffic straight at the IP addresses of X's servers, resulting in significant traffic loss and service disruption.

Our measurements

Some of the IP addresses that were affected are public. In a recent WIRED publication, there is even a mention of, and a link to Shodan for, one such vulnerable IP: “independent security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible.”

Using that IP subnet as a base, we decided to look into traffic sample metadata to understand if we could have some additional visibility on the recent incident. As mentioned in studies we’ve conducted before, there are some caveats to this approach, such as collection bias, packet loss, and other issues that affect our visibility, but we consider our sample large enough to draw some conclusions.

Analyzing the dataset

The dataset for our analysis covers March 10, 2025, from 00:00 to 23:59. To give the reader a sense of what we call “large enough,” it has the following overall counts:

Total number of packets: 2,983,876,847
Total number of unique IPs: 224,721
Total number of countries: 127

With a sample of almost three billion packets aimed at the X servers subnet and two hundred and twenty thousand unique IP addresses to process, we think it is likely that we will see something in the data.

Attribution challenges

A small word on attribution: while the IP addresses associated with the attack were traced to some specific regions, it is usually a mistake to make definitive attribution based solely on IP geolocation tracing. Attackers often use compromised devices and proxy networks to mask their true locations, making it challenging to accurately determine the origin of such attacks. This seems, in fact, to be the case.

Traffic spikes

(Image: IPs and traffic into the X subnet)

Looking at the traffic time series, there are obvious conclusions:

  1. There were spikes of traffic from IPs belonging to IoT devices (IP Cameras, NVR) and sending data to the X subnet at the same time users were reporting the website’s instability. You can see the red line jumping up a bit around that time, as new IoT devices joined the attack.
  2. The amount of traffic produced by those IoT devices was overwhelming, as you can see in orange.
  3. When the IoT devices were not sending traffic to the X servers, there were fewer complaints.

This direct relation clearly supports the thesis of a distributed denial-of-service attack, using a botnet that controls mostly infected IoT devices. Overlapping the two charts provides a clear image:
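To make the aggregation behind that time series concrete, here is an added example (not Bitsight's tooling) that buckets constructed flow records destined for the target subnet by time, separates traffic from known IoT source IPs from everything else, and flags buckets where IoT packets spike well above the IoT median while also dominating regular traffic. The subnet, IP addresses and packet counts are constructed placeholders.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed placeholders: the attacked subnet and the source IPs tagged as IoT (cameras/NVRs).
TARGET_SUBNET = ipaddress.ip_network("203.0.113.0/24")
IOT_SOURCES = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}

# Constructed flow sample: (timestamp, src_ip, dst_ip, packets).
SAMPLE_FLOWS = [
    ("2025-03-10T05:00:00", "198.51.100.10", "203.0.113.5", 100),
    ("2025-03-10T05:00:00", "192.0.2.50", "203.0.113.5", 400),       # regular user traffic
    ("2025-03-10T05:30:00", "198.51.100.10", "203.0.113.5", 100),
    ("2025-03-10T06:00:00", "198.51.100.10", "203.0.113.5", 50000),   # IoT sources join in
    ("2025-03-10T06:05:00", "198.51.100.11", "203.0.113.7", 60000),
    ("2025-03-10T06:10:00", "198.51.100.12", "203.0.113.9", 55000),
    ("2025-03-10T06:10:00", "192.0.2.51", "203.0.113.5", 300),
    ("2025-03-10T06:40:00", "198.51.100.10", "203.0.113.5", 80),
    ("2025-03-10T06:40:00", "198.51.100.10", "198.51.100.99", 9000),  # not aimed at the subnet
]

def bucket_traffic(flows, subnet=TARGET_SUBNET, iot_sources=IOT_SOURCES, minutes=30):
    """Aggregate packets into fixed time buckets, split by IoT vs. other sources."""
    buckets = defaultdict(lambda: {"iot_packets": 0, "other_packets": 0, "iot_ips": set()})
    for ts, src, dst, packets in flows:
        if ipaddress.ip_address(dst) not in subnet:
            continue  # only traffic into the attacked subnet counts
        t = datetime.fromisoformat(ts)
        key = t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)
        if src in iot_sources:
            buckets[key]["iot_packets"] += packets
            buckets[key]["iot_ips"].add(src)
        else:
            buckets[key]["other_packets"] += packets
    return dict(sorted(buckets.items()))

def flag_iot_spikes(buckets, ratio=10.0):
    """Return (bucket, iot_packets, distinct IoT IPs) where IoT traffic spikes.

    A spike is a bucket whose IoT packet count is at least `ratio` times the IoT
    median over all buckets and also exceeds the non-IoT traffic in that bucket.
    """
    baseline = statistics.median(b["iot_packets"] for b in buckets.values())
    return [
        (key.isoformat(), b["iot_packets"], len(b["iot_ips"]))
        for key, b in buckets.items()
        if b["iot_packets"] >= ratio * baseline and b["iot_packets"] > b["other_packets"]
    ]
```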

(Image: IPs and traffic into the X subnet, charts overlapped)

(if you are wondering about the hours/minutes, I was using a different TZ when I generated the charts)

As for the geographies involved, in terms of total IoT traffic, pretty much only three are worth mentioning: Czech Republic, South Africa, and Brazil. Not that there aren’t other types of traffic (mostly from regular X usage), but compared to IoT traffic it is fairly negligible.

(Image: IoT traffic toward X by country)

Attribution

Bitsight doesn’t usually do attribution analysis, but we will state what we observed. We did, in fact, observe that the Dark Storm Team claimed the DDoS attack on their Telegram channel.

(Image: Dark Storm Telegram screenshot)

The attack continued, on and off, throughout the week. But here’s what I’ve noticed: the previous attacks by Dark Storm Team seem quite different. They were conducted mainly by abusing vulnerable MikroTik routers together with some open proxies and Tor. They also seemed to come from geographies like Switzerland, the US, and sometimes Tanzania and Indonesia.

The attack on X, however, was quite different. We already saw that the geography was different, but so were the types of devices that sustained the attack: IP cameras and NVRs (network video recorders). There is also some VPN, proxy, MikroTik, and Tor traffic in that sample, but all of it amounts to more than two orders of magnitude less traffic than the IP cameras and NVRs.

One thing is for sure: if the Dark Storm Team did in fact conduct this attack—which several folks in underground forums find hard to believe—then their resources, as well as their firepower, seem to have increased significantly in the last few weeks. Or… someone else could be lurking in the shadows. Meanwhile, on Thursday, a security researcher claimed to have found the identity of a Dark Storm head who goes by the alias MRHELL112.

Implications for cybersecurity

This incident underscores the importance of robust DDoS mitigation strategies and the need for continuous monitoring of network configurations. Organizations must ensure that all components of their infrastructure are adequately protected to prevent similar attacks. It is hard to protect assets that you don’t know about, so having an understanding of your organization’s exposure is paramount.
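As an added illustration of the configuration check this implies (example code, not X's or Cloudflare's configuration), the following audits each origin server's ingress allowlist against the CDN's ingress ranges and reports every allowed source that would let traffic bypass the CDN, which is the kind of gap the experts quoted earlier described. All CIDRs are constructed placeholders; a real audit would load the provider's published ranges.

```python
import ipaddress

# Constructed stand-ins for the CDN's published ingress ranges (IPv4 and IPv6).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:1::/48")]

# Constructed per-origin ingress allowlists (anything not listed is assumed denied).
ORIGIN_ALLOWLISTS = {
    "203.0.113.5": ["198.51.100.0/24", "2001:db8:1::/48"],   # only CDN ranges: properly fronted
    "203.0.113.7": ["0.0.0.0/0"],                            # open to the whole Internet
    "203.0.113.9": ["198.51.100.0/25", "192.0.2.0/24"],      # CDN subset plus a stray range
}

def uncovered_sources(allowlist, cdn_ranges=CDN_RANGES):
    """Return the allowed source networks not fully contained in any CDN range."""
    uncovered = []
    for cidr in allowlist:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises on mixed IP versions, so compare like with like only.
        covered = any(net.version == c.version and net.subnet_of(c) for c in cdn_ranges)
        if not covered:
            uncovered.append(str(net))
    return uncovered

def audit_origins(origins, cdn_ranges=CDN_RANGES):
    """Map each origin to the allowed sources that bypass the CDN; an empty list means OK."""
    return {origin: uncovered_sources(allow, cdn_ranges) for origin, allow in origins.items()}

def exposed_origins(origins, cdn_ranges=CDN_RANGES):
    """Sorted list of origins with at least one allowed source outside the CDN ranges."""
    return sorted(o for o, bad in audit_origins(origins, cdn_ranges).items() if bad)

if __name__ == "__main__":
    for origin, bad in audit_origins(ORIGIN_ALLOWLISTS).items():
        print(origin, "EXPOSED via " + ", ".join(bad) if bad else "fronted by CDN only")
```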

Update: Hacker group Anonymous has claimed the X DDoS attack on TikTok, strengthening our thesis that Dark Storm were indeed not the ones to conduct the attack.