Since the start of the Iran war, Akamai says cyber activity tied to the crisis has risen dramatically, with malicious traffic jumping 245 percent across categories that include credential harvesting, automated reconnaissance and denial-of-service preparation. The surge, according to the company’s assessment, has been especially severe for sectors that sit close to the financial bloodstream of modern economies.
Banking and fintech have taken the heaviest share of the pressure, followed by e-commerce, gaming, technology and media platforms. That distribution suggests something important about the current moment: cyber operations linked to geopolitical tension are not focusing only on symbolic government targets. They are also zeroing in on the digital systems that support payments, consumer activity and daily commercial life.
That pattern fits a broader warning from cybersecurity analysts that wars now spill quickly into private infrastructure. As companies move more operations into cloud environments and public-facing platforms, moments of geopolitical escalation increasingly produce pressure on civilian-facing networks far from any battlefield. Unit 42 has warned that Iranian-linked and pro-Iran hacktivist groups are active in the current environment and that such campaigns can extend beyond direct military participants to regional and Western-linked targets.
The First Wave Looks Less Like Sabotage Than Preparation
Much of the activity described so far appears to have been preparatory rather than spectacular. Akamai’s breakdown points to jumps in botnet-driven discovery traffic, automated reconnaissance, infrastructure scanning, credential harvesting and early probing ahead of distributed denial-of-service attacks. In other words, the internet is filling with actors looking for exposed services, weak credentials and systems that might be turned into more serious targets later.
That matters because the opening stages of cyber conflict often do not look like a dramatic breach. They look like mapping. Attackers identify who is reachable, what is exposed and where defenses may be weakest. By the time an organization experiences a more obvious disruption, much of the groundwork may already have been laid.
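The mapping phase described above leaves a recognisable footprint in ordinary web server logs: one source touching many distinct paths and mostly getting 404s (discovery scanning), or one source hammering a login endpoint with repeated 401s (credential harvesting). The script below is an added example, not Akamai's or Unit 42's tooling, that aggregates constructed Common Log Format lines per source IP and tags each source as reconnaissance, credential stuffing, or a credential-stuffing run that ended in a successful login. The thresholds, the login paths and the log lines are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines (Common Log Format) invented for this example.
# RFC 5737 documentation addresses are used; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:01:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2026:01:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2026:01:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2026:01:00:03 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2026:01:00:03 +0000] "GET /actuator/health HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2026:01:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2026:01:05:10 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Mar/2026:01:05:10 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Mar/2026:01:05:11 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Mar/2026:01:05:11 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Mar/2026:01:05:12 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.44 - - [10/Mar/2026:01:07:00 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [10/Mar/2026:01:07:05 +0000] "GET /products HTTP/1.1" 200 8192
192.0.2.44 - - [10/Mar/2026:01:07:09 +0000] "POST /login HTTP/1.1" 200 2048
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Illustrative thresholds (assumptions); tune them against a site's real baseline.
RECON_MIN_PATHS = 5        # distinct paths from one source before we call it scanning
RECON_MIN_404_RATIO = 0.5  # share of that source's requests that missed
CRED_MIN_FAILURES = 4      # failed logins from one source before we call it stuffing
LOGIN_PATHS = {"/login", "/wp-login.php"}  # assumed login endpoints


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(stats):
    """Tag one source's aggregated stats; returns a set of tag strings."""
    tags = set()
    miss_ratio = stats["status"][404] / stats["requests"]
    if len(stats["paths"]) >= RECON_MIN_PATHS and miss_ratio >= RECON_MIN_404_RATIO:
        tags.add("recon")
    if stats["login_failures"] >= CRED_MIN_FAILURES:
        tags.add("credential_stuffing")
        if stats["login_success_after_failure"]:
            # A 200 on the login endpoint after a run of failures is the case
            # worth paging on: the guessing may have worked.
            tags.add("possible_compromise")
    return tags


def analyze(log_text):
    """Aggregate log lines per source IP and attach behavioural tags."""
    per_ip = defaultdict(lambda: {
        "requests": 0, "paths": set(), "status": Counter(),
        "login_failures": 0, "login_success_after_failure": False,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        s["status"][rec["status"]] += 1
        if rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            if rec["status"] in (401, 403):
                s["login_failures"] += 1
            elif rec["status"] == 200 and s["login_failures"] >= CRED_MIN_FAILURES:
                s["login_success_after_failure"] = True
    for s in per_ip.values():
        s["tags"] = classify(s)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip:16} requests={s['requests']:3} paths={len(s['paths']):3} "
              f"404s={s['status'][404]:3} login_failures={s['login_failures']:2} "
              f"tags={sorted(s['tags'])}")
```

Run against the constructed sample, the first source is tagged as reconnaissance, the second as credential stuffing followed by a possible compromise, and the ordinary shopper is left untagged. The point of the per-source aggregation is the one the text makes: none of these individual requests is alarming on its own, and the signal only appears when a source's behaviour is viewed as a whole.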
This logic has become familiar to security teams during international crises. Unit 42 has described how pro-Iran and aligned hacktivist ecosystems use disruptive tactics, influence operations and destructive campaigns in ways that can rapidly expand the attack surface. The same research also warns that opportunistic cybercriminal groups can exploit public turmoil with phishing and other social engineering operations, using the crisis itself as bait.
Why So Much of the Traffic Appears to Come From Elsewhere
One of the more revealing details in Akamai’s account is that only a minority of source IP addresses were attributed to Iran itself. Larger shares came from address space in Russia and China, which the company says is being used as proxy infrastructure for vast numbers of malicious connection attempts.
That does not necessarily mean the operators are Russian or Chinese. In cyber conflict, origin points and actual authorship are rarely the same thing. Proxy networks, permissive hosting environments and abuse-friendly services can make activity appear to come from one geography while serving the aims of actors somewhere else entirely. What matters operationally is that attackers have access to infrastructure that lets them scale quickly and obscure attribution.
Security researchers have long warned that geopolitically motivated groups often route activity through jurisdictions where cybercriminal ecosystems operate with relative freedom. Unit 42 has also noted the risk of false-flag and proxy-style operations in periods of tension, including the possibility that actors outside Iran may exploit Iranian-linked infrastructure or branding to pursue their own objectives.
From Digital Pressure to Real-World Corporate Disruption
The danger in all this is that a surge in scanning and probing does not remain abstract for long. One of the clearest examples has been the recent attack on Stryker, the global medical technology company, where an Iran-linked group called Handala claimed responsibility for a destructive cyber operation that disrupted internal systems, affected employee devices and interfered with ordering, manufacturing and shipping. Reuters reported that Stryker said patient-related services and connected medical products were not affected, but the incident still caused significant business disruption across a company operating in 61 countries.
That case underscores what security officials increasingly fear: the line between geopolitical signaling and commercial disruption is thin. A campaign may begin with scanning and credential theft, but the institutions that end up paying the immediate price are often hospitals, banks, utilities and multinational firms whose systems are woven into everyday life.
For businesses, the lesson is not only that cyber risk rises during war, but that it does so unevenly and often without warning. The organizations under the greatest pressure are not always those closest to the battlefield. They are often the ones whose networks are visible, whose services are essential and whose disruption can send the widest signal.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
