Botanic Hell: How DDoS Attackers destroyed Russia in 2025
In 2025, several records were set for the most powerful bot attacks. Hackers mainly attacked retail, as well as the media, telecom, fintech, and industry sectors. Attackers began to actively use "surgical" DDoS attacks, in which a single system is targeted, such as payments, authorization, or the order process. Experts' forecast of what to expect from cybercriminals in 2026 is in the Izvestia article.
Which segments were subjected to DDoS attacks
Last year, the total number of attacks on Russian businesses increased by about half, while application-level attacks accounted for almost half of all incidents, cybersecurity companies told Izvestia.
A record-breaking AISURU botnet (a network of many infected computers and other Internet-connected devices) with a capacity of up to 29.7 Tbps appeared on the market, which in 2025 became the de facto "new standard" for hyper-volume attacks and affected the stability of large providers, said Danila Shcherbakov, Deputy CEO of Servicepipe.
"By the end of the year, the main targets in Russia were telecom, finance, retail and the public sector," he said. "In retail, APIs (data exchange between programs), online shopping carts, and payment scenarios were particularly affected."
At the global level, the leadership in workload is held by communication providers and critical infrastructure; at the application level, by fintech, AI services and digital platforms.
The number of attacks at network levels increased by 24.18% compared to 2024, Curator reported.
"The most powerful attack of the year peaked at 1.57 Tbps and was aimed at the Bookmaker segment. In second place is a 1.15 Tbit/s attack on 'Online Retail', in third place, 1.03 Tbit/s on 'Media, TV, radio and bloggers'. For comparison, the record in 2024 was 1.14 Tbps," the company said.
The most frequently attacked segments in 2025 were Fintech (21.73%), E-commerce (15.95%), IT and Telecom (9.02%), Media (7.43%) and Industry (5.28%). The share of the industrial sector increased by 357%, while the share of the Educational Technologies segment, which was in the top 5 a year earlier, decreased by 79%.
Among the micro-segments, the leaders were Online Retail (7.65%), Banks (6.82%), Media, TV, Radio and Bloggers (6.60%), Payment Systems (6.44%), as well as Restaurants and Food Delivery (4.73%).
At the same time, on May 16, the company identified one of the largest botnets, of 4.6 million devices, and on September 1 it recorded an even more powerful one, of 5.76 million devices. They were directed at the "Public Resources" segment.
In addition, in 2025, there was an increase in complex multi-vector carpet attacks, Danila Shcherbakov said. Another trend last year was the use of artificial intelligence to control botnets: attack vectors change in seconds depending on success.
"Surgical DDoS attacks have also appeared," the expert added. "Instead of trying to completely disable the service, the attackers focus on specific business functions: payments, authorization, and order processing. The number of such targeted attacks has increased by about a third in a year."
Another trend of last year was the growth in the number of "full stack bots": parsers that mimic human behavior and pass a captcha (verification code to protect against spam) with an exact match of human behavioral patterns, especially in e-commerce and travel.
According to the Anti-DDoS service of the Solar group of companies, in 2025, the most powerful attack was recorded during the May holidays and amounted to 11 Tbit/s.
"This is a new record in terms of power, which indicates the activation of hackers during important events for the country and the need for Russian organizations to implement comprehensive solutions against layered DDoS attacks," said Sergey Levin, head of the service.
What attacks were carried out in 2025
In 2025, dozens of hacker groups carried out cyber attacks against Russian organizations, Kirill Mitrofanov, head of Kaspersky Lab's Cyber Threat Intelligence team, confirmed. Their number is increasing annually; the increase can reach a dozen per year.
"The greatest threat is posed by hacktivists, as well as groups that conduct multi-stage targeted cyber attacks," he said. "Attackers are evolving, and today we identify unique groups of hybrid hacktivism that have a fairly high level of technical training, participate in complex cyber operations, and at the same time seek to make their 'achievements' public in order to pressure victims."
The attacks have become more destructive: attackers are actively using encryption programs (ransomware), as well as wipers that destroy the infrastructure. In some cases, both.
"Coordinated campaigns are increasingly common, which are carried out by several groups at once, dividing roles and exchanging tools, which complicates the work of information security services," Kirill Mitrofanov added. "And a decrease in the activity of hacker groups is not expected."
On the contrary, attackers are now adapting faster to any changes, taking note of new technologies, increasingly developing their own tools, including using AI, and coordinating actions, which leads to an increase in the number, scale, and complexity of attacks.
What to expect in 2026
In the coming year, attacks peaking at around 10 Tbps are possible in Russian segments, and super-volume attacks may become the rule rather than the exception, Danila Shcherbakov noted.
The growth of multi-vector attacks that hit the application level and the network level at the same time will continue, as will targeted attacks on critical business processes: payments, reservations, logistics. Offensive AI will become more accessible, the expert added.
The key trend will not be an increase in the "power" of DDoS attacks, but their complexity and application, says Yuri Tyurin, technical director of MD Audit (SL Soft FabricaONE.AI, shareholder: Softline Group).
"Traffic records will continue to be updated, but for attackers, the volume itself is less important; the accuracy, duration and linking of the attack to the victim's business processes are more important," he said. "Retail remains at risk as it has a high online workload and a direct dependence of revenue on the availability of services."
We should expect further automation of DDoS campaigns, increased use of botnets built from IoT devices (a network of physical objects with embedded sensors, software, and other technologies) and cloud infrastructure, as well as scheduled attacks, for example during periods of sales, peak sales and reporting dates, Yuri Tyurin believes.
"The use of AI will enhance and scale bot attacks. Previously, bots were limited to mass automatic requests, but now AI allows them to reliably mimic human actions and communication. For example, attackers can use audio bots to make mass calls to retailers' call centers, confirming fictitious orders. As a result, companies will pay for advertising traffic and infrastructure load without getting real customers," Curator predicts.
Another risk factor is the growing dependence of companies on supply chains. The digital ecosystem is becoming so interconnected that the sustainability of a business is directly determined by the sustainability of its partners and providers. The likelihood of domino effects and cascading failures increases — when an incident at one supplier triggers a chain reaction of failures among its customers and their customers.
"In 2026, the sustainability of digital ecosystems will depend not so much on the strength of protection as on the willingness to lose digital connections. It's not those who are best protected who will win, but those who are best prepared for failures," said Dmitry Tkachev, CEO of the company.
An important element of protecting organizations will be understanding the current threat landscape: the techniques, tactics, and procedures of intruders that a particular organization needs to protect itself from, taking into account the industry and region, the experts emphasized.
Translated by the Yandex Translate service