Several EU Member States reported repeated, large scale DDoS attacks. Finnish election infrastructure, Dutch public-sector organisations, and UK military-linked entities were among the most frequently targeted. 

April’s activity showed a pattern of persistent harassment, where services were intermittently disrupted to undermine trust and create uncertainty. This reflects the continued evolution of hacktivism into a strategic tool, rather than purely technical sabotage. 

Disinformation and Influence Operations 

Alongside DDoS activity, April saw an escalation in information operations aimed at shaping public perception, particularly around political processes. 

Key trends included: 

• Election-focused disinformation targeting European democratic processes with false narratives, manipulated content, and misleading claims. 

• Social media account takeovers, including those of political figures, are used to spread fabricated or deceptive messages. 

• Coordinated amplification of hacktivist claims, where even minor DDoS incidents were exaggerated online to project power and impact. 

• Attempts to increase social separation. In Lithuania, According to the Lithuanian State Security Department (VSD), Russian and Belarusian intelligence agencies conducted information-psychological operations aimed at provoking ethnic tension against the Belarusian diaspora, portraying Lithuania as xenophobic and unsafe. These operations included online narratives, staged provocations, and attempts to recruit individuals via social media, often disguised as legitimate opportunities, to carry out attacks against Belarusians. The goal was to simulate friction between the communities. 

These campaigns obscured the line between cyber operations and psychological impact, reinforcing how cyber disruption and disinformation increasingly operate in a couple. 

What Else Happened in April 2025? 

While hacktivism dominated, other notable developments included: 

• Continued state-aligned cyberespionage activity, often running parallel to influence campaigns. 

• Data breaches and leaks affecting public administration and private companies, occasionally leveraged by hacktivist groups to support political narratives. 

• Phishing and credential-theft operations that contributed to the wider threat stage. 

Key Takeaways 

• Hacktivism is now persistent and strategic, focused on visibility, narrative control, and political signalling rather than technical damage. 

• DDoS attacks are increasingly used as supporting instruments for influence operations, not standalone incidents. 

• Disinformation campaigns amplify cyber activity, turning finite technical impact into excessive psychological and reputational effects. 

• Election periods remain a prime trigger for combined cyber and information operations. 

Looking Ahead 

Organizations – especially public institutions – should prioritize: 

• DDoS resilience and quick mitigation capabilities 

• Monitoring and response for disinformation and impersonation campaigns 

• Cross-team coordination between cybersecurity, communications, and public affairs 

April 2025 demonstrated that modern cyber threats are not always about breaches or malware – oftentimes, they are about visibility, influence, and perception, with hacktivism and disinformation playing a central role in shaping the digital battleground. 

References 

• VSD: Priešiškos žvalgybos tarnybos bando organizuoti smurtinius išpuolius prieš Lietuvoje gyvenančius baltarusius 

• CERT-EU: Cyber Brief 25-05 (April 2025) 

This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.