India Experiences Surge in Hacktivist Group Activity Amid Military Tensions
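More than 40 hacker groups launched cyberattacks against India, including DDoS and website defacement, mainly targeting government and critical infrastructure. These attacks escalated after India took military action against Pakistan and continued into early May. 2025-5-9 09:16:24 Author: cyble.com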

More than 40 hacktivist groups conducted coordinated cyberattacks against India following the April 22 terror attack in Pahalgam in the Indian state of Jammu and Kashmir, which in turn prompted India to respond with targeted strikes aimed at alleged terrorist infrastructure across the border and the Pakistan-Occupied Kashmir region (PoK).

Cyble Research & Intelligence Lab’s (CRIL) findings indicate that over the course of two weeks, several fundamentalist, pro-Pakistan, and Southeast Asian hacktivist groups launched a series of Distributed Denial-of-Service (DDoS) attacks and website defacements, both in isolation and in coordinated campaigns.

The cyber campaign escalated after India’s May 7 response, codenamed “Operation Sindoor,” where the aforementioned strikes on alleged terrorist camps inside Pakistan and Pakistan-administered Kashmir occurred (see cyberattack timeline below).


More Than 40 Hacktivist Groups Launch Cyberattacks

More than 40 hacktivist groups have been involved in the cyber campaign so far. According to our findings, some of the most active groups have been Keymous+, AnonSec, Nation of Saviors, and Electronic Army Special Forces. Attacks have focused on key government portals, healthcare infrastructure, cyber defense agencies, and urban civic bodies.

The specific sectoral targeting shows a concentration on government and law enforcement entities, with additional disruption directed at multi-sector services, education, banking and financial services, and critical industries such as healthcare, defense, and IT.

Our research indicates that the hacktivists’ claims prominently echoed Pakistan state-aligned narratives. They retaliated in real time in cyberspace in response to conflict-zone developments on the ground, signaling a hybrid warfare model blending digital disruption with physical escalation.

Cyber Campaign Rapidly Escalated

The cyber campaign escalated rapidly, starting two days after the Pahalgam terror attack. Cyble has observed a sharp rise in hacktivist groups’ claims through the final week of April, with sustained activity and propaganda peaking on April 30. Momentum continued through the first week of May, as hacktivist groups synchronized “their disclosures and operational rhetoric with the broader geopolitical context,” Cyble said.

The cyber campaign saw its biggest spike after the Indian Armed Forces launched the retaliatory “Operation Sindoor” in the early hours of Wednesday, May 7. This aligns with the stated objectives of hacktivist groups, who framed their cyber operations as part of a unified response to India’s escalation. Notable threat actors such as Keymous+, Electronic Army Special Forces, and AnonSec referred to the airstrikes directly in their defacements and DDoS announcements.

Keymous+ emerged as the most aggressive hacktivist group, launching sustained attacks against India’s public healthcare infrastructure and targeting municipal corporations across major metropolitan regions. AnonSec directed its activity toward symbolic government portals, including the Prime Minister’s Office, National Judicial Data Grid, and Election Commission. Electronic Army Special Forces claimed responsibility for attacks on national defense, justice, and cybersecurity portals.

Nation of Saviors launched two concentrated waves of DDoS attacks targeting India’s state infrastructure, focusing on defense, law enforcement, education, and e-governance. The group’s most critical targets included the Central Bureau of Investigation, the National Informatics Centre, and the Indian Air Force.

DDoS and Defacements Dominated Attacks

The hacktivism campaign – dubbed #OpIndia – was characterized by a dominance of disruption tactics aimed at undermining public-facing Indian infrastructure.

Distributed Denial-of-Service (DDoS) attacks accounted for 52.5% of all reported incidents, making them the primary method used to disrupt availability and cause reputational damage. These attacks frequently targeted ministries, healthcare systems, cyber defense agencies, and municipal platforms.

Website defacements made up 36.1% of the campaign activity. Defacement payloads often displayed anti-India statements, references to retaliation, and branding from threat actor groups. “These operations were used to deliver propaganda, religious slogans, and political messaging tied to the Kashmir conflict and Operation Sindoor,” Cyble said.

Data breach claims represented 8.2% of attacks. Most breach attempts lacked verifiable data exfiltration, indicating that the objective may have been to signal penetration capability and amplify psychological pressure.

Data breach claim by Team Insane Pakistan

Unauthorized access attempts made up 3.3% of the campaign, targeting login portals and administrative panels of state, medical, and judicial systems. These activities further support our conclusion that the attacks amount to opportunistic probing rather than persistent access or exploitation.

Government and Law Enforcement Biggest Targets

Based on our present findings, the attack mix suggests a campaign calibrated for maximum visibility and disruption rather than long-term persistence or covert access. The preference for DDoS and defacement highlights the operation’s symbolic, retaliatory nature.

Government and law enforcement entities were the most affected, accounting for 36.1% of all incidents. These included central and state government portals, defense agencies, and law enforcement bodies, often targeted through both DDoS and defacement. Multi-sector attacks represented 13.1% of attacks. These included portals aggregating services across departments or jurisdictions, perhaps chosen to amplify the appearance of hacktivist disruption.

Cyble was able to verify DDoS and defacement claims, but data breach claims lacked credible proof and were thus rated “possibly true.”

Tensions continued into May 8th and the morning of May 9th as well, with missile systems, drones, and both nations’ armed forces continuing limited operations along the International Border. Cross-border shelling has been reported on both sides of the Line of Control.

As both nations mobilize along the International Border and the military situation escalates, it is safe to assume at this stage that these cyberattacks will continue, potentially prompting retaliatory cyberattacks.



Source: https://cyble.com/blog/india-experience-hacktivist-group-activity/