Let us start with the bad news. The number of distributed denial-of-service (DDoS) attacks targeting Estonia continued to climb in 2025, reaching a record 756. This is more than a third higher than in 2024 and almost as many as in 2022 and 2023 combined.
The good news is that RIA’s DDoS protection services proved resilient. Despite the sharp rise in activity, the number of attacks with a tangible impact actually declined. Of the several hundred DDoS attacks recorded during the year, fewer than one hundred caused any harm to the targeted services, typically resulting in a short outage or reduced performance. As a result, attacks with an impact accounted for just 12.5 per cent of the total. This marks a significant improvement compared with 2024, when nearly every fifth attack was successful from the attackers’ perspective, or 2023, when the share of attacks with an impact stood at 27 per cent.
A key development last year was not only the growth in attack volumes and technical complexity but also the broadening range of attackers. Since 2022, many of the DDoS attacks against Estonia have been carried out by Russian hacktivist groups, but from early 2025, pro-Palestinian groups from the Middle East, North Africa and South-East Asia also began targeting Estonia’s cyberspace.
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a cyberattack aimed at making a targeted digital service – such as a website, e-service, information system or network service – unavailable to users. The attacker sends an extremely large number of requests towards the target (a server, network device or intermediary system) from many different devices within a short period of time. As a result, the service is unable to handle regular traffic and becomes wholly or partially unavailable.
Why Estonia?
In terms of methods and motives , pro-Palestinian hacktivists resemble their Russian counterparts. In both cases, attacks are inherently destructive and directed against states they regard as ideological adversaries. Their campaigns are often aimed at critical infrastructure and seek to cause as much disruption and inconvenience as possible for the population of the targeted country.
In general, hacktivist activity is limited to DDoS attacks and simple compromise attempts. These attacks do not necessarily require advanced technical skills but can generate fear or confusion among the public and draw attention to the attackers.
While Russian hacktivists view Ukraine as their primary ideological target, with countries supporting Ukraine – mainly EU and NATO member states – seen as secondary adversaries, pro-Palestinian groups regard Israel as their principal adversary. Their secondary targets include states and institutions perceived as supporters of Israel. Estonia came into the focus of pro-Palestinian hacktivists largely because it is seen as part of the broader Western coalition.
Another important factor is the active cooperation between Russian and pro-Palestinian hacktivist groups. Although their primary targets differ, their interests overlap when it comes to EU and NATO member states. As a result, pro-Palestinian hacktivists often join attack campaigns against Europe initiated by Russian groups, and countries that have no direct connection to the Israeli–Palestinian conflict can also become targets.
Attacks against Estonia
The most significant attack campaigns by pro-Palestinian hacktivists against Estonia took place in April and May 2025. These were the largest and most disruptive DDoS attacks against the country during the year.
In April, a pro-Palestinian group originating from Algeria targeted Estonia’s cyberspace, carrying out three large-scale attack campaigns against websites in both the public and private sectors. Across the three waves, RIA identified 44 DDoS attacks, 20 of which disrupted services on the targeted websites. These were large-scale attacks of above-average technical complexity: after each wave, the hacktivists adjusted their tactics in an attempt to bypass defensive measures. Within three hours, they sent more than half a billion requests towards 15 targeted websites. In just 11 minutes, 84 million malicious requests were directed at a single website – a volume that would take almost 34 years to accumulate under normal conditions.
In May, a group from Morocco attacked the websites of Estonia’s security authorities. RIA identified ten attacks from this group, blocking nearly 225 million malicious requests. Compared with the April campaign, this was around half the total volume but notable for its intensity: these almost quarter of a billion requests were generated within just 39 minutes, meaning the May campaign was almost twice as intense as the April attacks.
Despite the scale and intensity of these campaigns, RIA’s DDoS protection blocked the majority of malicious traffic and prevented any tangible impact.
Last updated: 11.02.2026
