Cybercrime has skyrocketed 245% since the start of the Iran war

Summary

Akamai reports a 245% surge in cybercrime since the Iran conflict began, covering activities from credential harvesting to automated reconnaissance targeting banks and other critical businesses. Banking and fintech have been the primary targets (40% of malicious traffic), followed by e-commerce, gaming, tech firms and media. Most activity is automated scanning and reconnaissance driven by botnets, with large increases across multiple attack vectors. Many attacks originate via proxy services based in Russia and China rather than directly from Iran. Akamai recommends denying traffic from high-risk regions for organisations unlikely to have legitimate users there.

Key Points

  • Akamai measured a 245% overall increase in malicious activity since the conflict began.
  • Sectors most affected: banking/fintech 40%, e-commerce 25%, video games 15%, technology 10%, media/streaming 7%.
  • Attack-type increases: botnet-driven discovery +70%, automated reconnaissance +65%, exposed-service scanning +52%, credential harvesting +45%, recon ahead of DDoS +38%.
  • Source IP distribution: Russia ~35%, China ~28%, Iran ~14% — many attacks use proxies hosted in other countries.
  • Example: a US financial services firm blocked 13 million packets from Iran in 90 days, including a spike of more than 2 million packets before military strikes.
  • Some hacktivist groups are closely linked to state intelligence (e.g. Handala, alleged to be a MOIS front); pro-Russian hacktivists are also active, expanding the attack surface.
  • Practical mitigation: block or deny traffic from regions with no legitimate user base for your service; use firewalls and region-based filtering during geopolitical crises.

Context and relevance

This story matters because it shows how geopolitical conflict quickly translates into broad, automated cyber campaigns that hit commercial targets worldwide. The patterns — heavy use of proxies, botnets and automated recon — reflect an industrialised cyber-crime model that scales rapidly and cheaply. Organisations in finance, e-commerce, gaming and media should recheck regional access policies, tighten credential protections and review DDoS and exposure monitoring.

In broader terms, the report highlights an ongoing trend: geopolitical tensions increasingly drive opportunistic and state-linked cyber activity. Defence teams should assume elevated baseline risk during such conflicts and apply pragmatic controls (region blocks, layered MFA, exposure scanning, traffic anomaly detection) to reduce attack surface and triage noise more effectively.

Why should I read this?

Short version: if you run a bank, payment service, online shop, game network or streaming site — or you secure them — this is your red flag. Attack volumes have exploded, most of it automated, and a lot comes through proxies in other countries. Read the details so you can lock down region access, ramp up monitoring and stop credential leaks from turning into full-blown incidents. We’ve read the noise so you don’t have to — but you should act.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/16/cybercrime_iran_war_245_percent_rise/