Anonymous Sudan Claims DDoS Attacks on UAE Entities and Global Online Services
The group calling itself Anonymous Sudan claimed responsibility for cyber attacks on UAE entities, adding to a pattern of disruptive operations previously attributed to the actor against major online platforms and services. Earlier incidents tied to the group included outages affecting Microsoft 365, UPS, Netflix, X, and ChatGPT, with victims reporting service disruptions consistent with distributed denial-of-service (DDoS) activity rather than data theft or network intrusion. In the ChatGPT incident, OpenAI said abnormal traffic patterns caused repeated outages, while Netflix also confirmed a temporary disruption that was later resolved.
Researchers cited across multiple reports assess that Anonymous Sudan is likely not a genuine Sudanese hacktivist movement and instead appears aligned with Russian interests, with links frequently drawn to Killnet and broader pro-Kremlin influence operations. Analysts said the group’s Russian-language origins, selective targeting, political messaging, and use of costly attack methods such as SYN flood and HTTP-based DDoS campaigns point to a well-supported disruption actor that blends hacktivist branding with geopolitical narratives, including anti-Western, anti-LGBTQ+, and Middle East conflict themes.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
U.S. charges Sudanese man over Anonymous Sudan operation
On 2024-10-16, U.S. authorities announced charges against a Sudanese man accused of running the Anonymous Sudan cyberattack-for-hire operation. This marked a law enforcement escalation beyond prior reporting on the group's claimed DDoS attacks.
Anonymous Sudan claims cyber attacks on UAE entities
A Digital Watch Observatory report published on 2024-02-02 said Anonymous Sudan claimed responsibility for cyber attacks targeting entities in the United Arab Emirates. No further technical or impact details were provided in the reference.
OpenAI says ChatGPT outages were caused by DDoS attack
On 2023-11-08, OpenAI reported that major ChatGPT and API outages were caused by abnormal traffic patterns consistent with a distributed denial-of-service attack. Anonymous Sudan claimed responsibility on Telegram and framed the attack as retaliation over perceived bias related to Israel and Palestine.
Netflix suffers DDoS disruption claimed by Anonymous Sudan
On 2023-09-28, Netflix experienced service disruptions in multiple countries, and Anonymous Sudan claimed responsibility, saying it was protesting LGBTQIA+ content. Netflix said some users could not access web and mobile services between 10:55 PM PT and 11:25 PM PT before engineers restored service.
Anonymous Sudan claims attacks on Microsoft 365, SAS, and UPS
By June 2023, Anonymous Sudan had claimed disruptive DDoS attacks against Scandinavian Airlines, Microsoft 365 services including Teams and Outlook, and UPS. Security researchers assessed the operations as relatively sophisticated and likely aligned with Russian interests rather than authentic Sudanese hacktivism.
Anonymous Sudan emerges as a Telegram channel
Researchers cited by Cybernews said Anonymous Sudan first appeared in mid-January 2023 as a Russian-speaking Telegram channel. Analysts later noted the group shifted toward Arabic-language presentation after scrutiny and found no verifiable Sudanese connection.
Sources
6 references tracked. Mallory keeps watching after this page renders.
U.S. charges Sudanese man with running huge cyberattack-for-hire gang - The Washington Post
washingtonpost.com
Open sourceAnonymous Sudan claims responsibility for cyber attacks on UAE entities | Digital Watch Observatory
dig.watch
Open sourceBehind the Mask of Anonymous Sudan: An Analysis
cyberint.com
Open sourceChatGPT Down As Anonymous Sudan Hackers Claim Responsibility
forbes.com
Open sourceNetflix Taken Down by Hackers Over LGBTQ+ Content - Newsweek
newsweek.com
Open sourceAnonymous Sudan: neither anonymous nor Sudanese | Cybernews
cybernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Anonymous Sudan Claims DDoS Attacks on AP, Cloudflare, and AO3
Anonymous Sudan, also tracked as **Storm-1359**, claimed distributed denial-of-service attacks that disrupted parts of **The Associated Press**, **Cloudflare’s website**, and **Archive of Our Own (AO3)**. AP said **APNews.com** and some links suffered technical issues while its mobile apps continued to operate, and Cloudflare confirmed intermittent connectivity problems on `www.cloudflare.com` but said its products and customer-facing services were unaffected because they run on separate infrastructure. AO3 experienced intermittent `503 Service Unavailable` errors as volunteer administrators worked to restore access. The group framed the operations as part of a broader campaign against U.S.-registered organizations and, in AO3’s case, paired ideological messaging about LGBTQ+ and NSFW content with a **$30,000 bitcoin ransom** threat to prolong the outage. The incidents fit a wider pattern of high-profile DDoS activity attributed to Anonymous Sudan against targets including Microsoft, X, PayPal, Reddit, Tumblr, Kenya’s digital government portal, and ChatGPT, while multiple researchers and vendors have assessed that the group is likely **pro-Russian** and shares similarities with **Killnet**, despite presenting itself as a Sudanese Islamist hacktivist collective.
May 25, 2026
Hacktivist Cyber Operations Escalate Amid Geopolitical Tensions
A newly formed Russian-aligned hacktivist coalition calling itself **Russian Legion** (reportedly comprising Cardinal, The White Pulse, Russian Partizan, and Inteid) announced “**OpDenmark**,” a campaign of **DDoS attacks** intended to disrupt Danish government services and critical infrastructure and pressure Denmark to reverse military support for Ukraine. Reporting indicates the group issued an ultimatum tied to Denmark’s planned **1.5 billion DKK** aid package, followed by service disruptions across multiple Danish organizations, including repeated targeting of the **energy sector**; analysts characterized the actor as *state-aligned but not state-funded*, using disruption and psychological pressure rather than confirmed destructive intrusions. Separately, a new hacktivist group, **Punishing Owl**, claimed a breach of a Russian government security agency, publishing stolen documents and using DNS manipulation to redirect traffic to attacker-controlled infrastructure hosting the leak and a manifesto. The operation reportedly expanded into **business email compromise** against partners/contractors and included tooling such as the **ZipWhisper PowerShell stealer**, with lures using password-protected ZIPs and disguised LNK files to execute PowerShell downloaders. An additional opinion piece highlighted a broader rise in **energy infrastructure** cyber operations (including referenced events affecting Poland and Venezuela) but did not provide corroboration or direct linkage to the Denmark DDoS campaign or the Punishing Owl intrusion.
Mar 21, 2026
Anonymous Expanded From Arab Spring Operations to Anti-ISIS Cyber Campaigns
Anonymous shifted from prank-driven activity into overtly political hacktivism by targeting state and extremist online infrastructure during major geopolitical crises. During the Arab Spring, participants launched operations against Tunisian and Egyptian government websites, using **DDoS attacks**, defacements, and censorship-circumvention support as protests spread. Reporting tied **OpTunisia** to efforts to bypass surveillance and keep information flowing after the uprising sparked by Mohamed Bouazizi’s self-immolation, while **OpEgypt** targeted Egyptian government sites and reacted after Hosni Mubarak’s regime shut down internet access during the Tahrir Square demonstrations. The collective later turned its attention to the Islamic State through **#OpISIS**, a decentralized campaign aimed at disrupting propaganda, recruitment, and communications online. Anonymous-linked volunteers and affiliated groups including **GhostSec** and the **@CtrlSec** network used mass reporting, bot-assisted account tracking, website takedowns, **DDoS**, **SQL injection**, and intelligence gathering to target ISIS-linked Twitter accounts, videos, forums, and websites. Accounts of the campaign said activists flagged roughly **101,000** Twitter accounts, identified **5,900** propaganda videos, dismantled about **149** websites, and in some cases passed intelligence to authorities, even as the effort exposed internal debate over free speech and the limits of hacktivist counterterrorism.
May 25, 2026