Cyberattacks Surge 245% Amid Iran War, Targeting Banks and Fintech Sectors


Since the onset of the Iran war, cyber activity associated with the conflict has surged dramatically. Akamai reports a staggering 245% increase in malicious traffic, encompassing various categories such as credential harvesting, automated reconnaissance, and denial-of-service preparations. This spike has particularly impacted sectors that are integral to the financial infrastructure of modern economies.

Banking and Fintech Under Siege

The banking and fintech sectors have borne the brunt of this cyber onslaught, followed closely by e-commerce, gaming, technology, and media platforms. This distribution highlights a critical trend: cyber operations linked to geopolitical tensions are not solely targeting symbolic government entities. Instead, they are increasingly focused on the digital frameworks that facilitate payments, consumer engagement, and everyday commercial activities.

This shift aligns with broader warnings from cybersecurity analysts that armed conflicts now rapidly extend into private infrastructure. As organizations transition more operations to cloud environments and public-facing platforms, periods of geopolitical escalation exert pressure on civilian networks that are far removed from any physical battlefield. Unit 42 has indicated that Iranian-linked and pro-Iran hacktivist groups are active in this environment, with campaigns potentially extending beyond direct military participants to regional and Western-linked targets.

Preparatory Actions Over Immediate Sabotage

Much of the observed cyber activity appears to be preparatory rather than overtly destructive. Akamai’s analysis reveals significant increases in botnet-driven discovery traffic, automated reconnaissance, infrastructure scanning, credential harvesting, and initial probing ahead of distributed denial-of-service attacks. This indicates that the internet is increasingly populated by actors searching for exposed services, weak credentials, and systems that could become more serious targets in the future.

The initial stages of cyber conflict often manifest as mapping rather than dramatic breaches. Attackers identify reachable targets, exposed vulnerabilities, and weak defenses. By the time an organization experiences a more visible disruption, much of the groundwork may already have been laid.

This pattern has become familiar to security teams during international crises. Unit 42 has documented how pro-Iran and aligned hacktivist ecosystems employ disruptive tactics, influence operations, and destructive campaigns that can swiftly broaden the attack surface. Additionally, opportunistic cybercriminal groups may exploit public unrest through phishing and other social engineering tactics, using the crisis itself as bait.

The Role of Proxy Infrastructure

A notable detail in Akamai’s report is that only a minority of the source IP addresses were traced back to Iran. A larger proportion appeared to originate from Russia and China, where infrastructure is being used as a proxy for numerous malicious connection attempts.

This does not imply that the operators are necessarily Russian or Chinese. In the realm of cyber conflict, the origin points and actual authorship rarely align. Proxy networks, permissive hosting environments, and abuse-friendly services can obscure the true geography of cyber activities. What is operationally significant is that attackers have access to infrastructure that allows them to scale quickly and mask their origins.

Security researchers have long cautioned that geopolitically motivated groups often route their activities through jurisdictions where cybercriminal ecosystems operate with relative impunity. Unit 42 has also highlighted the risks of false-flag and proxy-style operations during periods of tension, including the potential for actors outside Iran to exploit Iranian-linked infrastructure or branding to achieve their own objectives.

From Digital Threats to Corporate Disruption

The implications of this surge in scanning and probing extend beyond the digital realm. A recent incident involving Stryker, a global medical technology company, exemplifies this risk. An Iran-linked group named Handala claimed responsibility for a destructive cyber operation that disrupted internal systems, affected employee devices, and interfered with ordering, manufacturing, and shipping processes. Although Stryker reported that patient-related services and connected medical products remained unaffected, the incident caused significant business disruption across a company operating in 61 countries.

This case underscores a growing concern among security officials: the boundary between geopolitical signaling and commercial disruption is increasingly blurred. A campaign may commence with scanning and credential theft, but the immediate consequences are often felt by hospitals, banks, utilities, and multinational firms whose systems are integral to daily life.

For businesses, the lesson is clear: cyber risk escalates during wartime, but this increase is uneven and often unpredictable. Organizations under the greatest strain are not always those closest to the conflict. Instead, they are often those with visible networks and essential services, whose disruption can send the most significant signals.

According to publicly available reporting from the420.in, the current landscape necessitates heightened vigilance and preparedness among organizations, particularly those in critical sectors.
