
Over the past few decades, hacktivism was largely confined to website defacements and DDoS attacks, tactics that garnered attention but had little long-term impact. However, in recent years, the landscape has shifted significantly. A study by Check Point Research finds that hacktivist groups are evolving their tactics to evade detection, yet their very activity may ultimately expose them.
The researchers analyzed thousands of messages from dozens of hacktivist groups using machine learning and linguistic analysis. Their research focused on uncovering connections between groups, tracking shifts in motivation, and identifying evidence of state sponsorship. One of the key objectives was to determine the recurring themes in hacktivist discourse and identify common patterns across their communications.
In recent years, hacktivism has transformed into a tool of geopolitical influence. Whereas hacktivists once acted primarily out of ideological convictions, state actors are now disguising their operations as spontaneous cyberattacks. These entities create numerous shadow groups to obscure their involvement and discredit genuine activist movements. While the difficulty of attribution helps maintain anonymity, the repeated use of the same techniques can ultimately lead to their exposure.
A closer examination of attacks reveals a strong correlation with political events. Additionally, the sudden emergence of numerous new accounts employing identical attack methods may indicate coordinated efforts by intelligence agencies.
To detect such anomalies, researchers employed topic modeling to identify key discussion themes and stylometric analysis to discern unique linguistic fingerprints in the groups' messages. By leveraging machine learning, they were able to uncover textual similarities that suggest potential affiliations between different groups.
The dataset was gathered from X (formerly Twitter) and Telegram, platforms traditionally used by hacktivists for disseminating their messages. In total, approximately 20,000 posts from 35 active accounts—which researchers suspect to be linked to state entities—were analyzed.
Among the most frequently discussed topics were cyberattacks on websites in Israel, Iran, and other nations, as well as document leaks and propaganda campaigns. This analysis provided insight into how hacktivist group interests evolve in response to global events. Notably, multiple groups exhibited identical word choices, sentence structures, and even consistent spelling mistakes, allowing researchers to establish links between groups that claimed to be independent entities.
The study also uncovered cases where a group’s writing style abruptly changed. In 2022, for example, the writing style of the IT Army of Ukraine shifted noticeably, suggesting either a change in authorship or a transfer of control over the account. Such textual variations may indicate leadership transitions or strategic realignments within a group.
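The two stylometric checks described above, linking accounts that share a linguistic fingerprint and flagging an abrupt style change within one account, can be sketched as follows. This is an added example, not Check Point Research's code or method: it assumes a simple character-trigram profile compared by cosine similarity, and the account names, posts and the 0.5 threshold are constructed for illustration.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample posts; account names and text are invented for illustration.
ACCOUNTS = {
    "grp_alpha": ["we have taken down the goverment portal, thier servers are offline!!",
                  "another goverment site is down, thier admins recieve our message!!"],
    "grp_beta": ["the goverment bank is down, thier servers are offline!!",
                 "thier admins will recieve our message, another site taken down!!"],
    "grp_gamma": ["Operation update: 14 domains unreachable. Full list published in channel.",
                  "Leak archive uploaded. Mirror links follow. Share widely."],
}

def profile(posts, n=3):
    """Character n-gram relative frequencies; typos and punctuation habits are kept."""
    counts = Counter()
    for post in posts:
        text = " ".join(post.lower().split())  # normalise case and whitespace only
        counts.update(text[i:i + n] for i in range(len(text) - n + 1))
    total = sum(counts.values()) or 1
    return {gram: c / total for gram, c in counts.items()}

def cosine(p, q):
    """Cosine similarity of two sparse profiles (1.0 = identical style)."""
    dot = sum(v * q.get(gram, 0.0) for gram, v in p.items())
    norm = math.sqrt(sum(v * v for v in p.values()) * sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0

def linked_pairs(accounts, threshold=0.5):
    """Account pairs whose style similarity meets the (assumed) threshold, best first."""
    profs = {name: profile(posts) for name, posts in accounts.items()}
    scored = [(a, b, cosine(profs[a], profs[b])) for a, b in combinations(sorted(profs), 2)]
    return sorted((s for s in scored if s[2] >= threshold), key=lambda s: -s[2])

def style_shift(early_posts, late_posts, threshold=0.5):
    """True when one account's later posts no longer resemble its earlier ones."""
    return cosine(profile(early_posts), profile(late_posts)) < threshold

if __name__ == "__main__":
    for a, b, score in linked_pairs(ACCOUNTS):
        print(f"{a} <-> {b}: similarity {score:.2f}")
    # Simulated takeover: same handle, but the later posts come from a different writer.
    print("style shift:", style_shift(ACCOUNTS["grp_alpha"], ACCOUNTS["grp_gamma"]))
```

On a real corpus the threshold has to be calibrated against accounts with known authorship, and each profile needs far more text than two posts before a similarity score means anything.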
These findings enhance cyberattack attribution efforts and expose state-backed operations masquerading as hacktivists. However, researchers caution that adversaries are continually adapting, devising new obfuscation techniques to evade detection. Nevertheless, the integration of machine learning and textual analysis is proving to be an indispensable tool in combating such threats.