SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Mr Hamza
Sep 08, 2025

Dark Web Profile: Mr Hamza

Hacktivist groups like Mr Hamza have turned Telegram into a staging ground for cyber campaigns. These channels serve as meeting points where supporters coordinate Distributed Denial of Service (DDoS) attacks, share data leaks, and circulate “proof” links to showcase their claimed successes. For many actors, Telegram is not only a propaganda outlet but also a marketplace for selling attack tools, creating a blend of activism and cybercrime. And in 2025, one of them stood out the most.

Telegram channel logo of Mr Hamza

Who Is Mr Hamza?

Mr Hamza (also written as Mr.Hamza or MR HAMZA) is a hacktivist group that appeared in late 2024. It may be one person, but the consistency and operational capacity suggest a small team, similar to Anonymous Sudan. Telegram messages hint at a Moroccan origin.

It is politically motivated, framing itself around anti-Israel and pro-Palestinian causes, while also selling attack tools such as botnets and stressers. The group has built alliances with others like NoName057(16), Z-Pentest, and the Holy League, embedding itself in the broader hacktivist ecosystem.

Threat actor card of Mr Hamza

We assess that Mr Hamza follows a hybrid model, acting as an activist voice while also offering botnets and DDoS tools.

This demonstrates how some DDoS-as-a-service groups evolve into Hacktivism-as-a-service operations. They present themselves as allies to political causes, which helps boost the visibility and sales of their tools.

Of course, while profit is the main driver, many of these groups likely share a degree of sympathy for the hacktivist narratives they amplify.

Top 10 hacktivist groups active during the Iran–Israel conflict in June 2025 (Iran-Israel Threat Landscape Report)

As highlighted in SOCRadar’s Iran–Israel Conflict Threat Landscape Report (June 2025), Mr Hamza illustrates this dual role clearly. The group actively boosted the visibility of its DDoS tools while, at the same time, conducting more attacks than many of its peers during the conflict. This shows how their commercial interests and ideological positioning reinforce one another.

What Are Mr Hamza’s Targets?

During the June 2025 Iran–Israel conflict, Mr Hamza emerged as one of the most active hacktivist groups. The group was the leading source of DDoS claims during this period.

Active groups from both parties during the Iran–Israel conflict in June 2025; Mr Hamza is the leading actor, with 90 distinct attack claims in less than two weeks (Iran-Israel Threat Landscape Report)

According to the collective attack counts of all hacktivist groups during the conflict, the primary target was Israel, which absorbed over 70% of recorded hacktivist activity (441 attack claims). Other top targets included the United States (69), India (34), Jordan (33), Saudi Arabia (13), and the United Arab Emirates (11). The main industries hit were government, defense, telecommunications, finance, and technology.

Number of attacks by target country; every hacktivist group’s activity is included (Iran-Israel Threat Landscape Report)

It is important to stress that these findings reflect only the conflict period. The spike in Mr Hamza’s activity coincided with military escalation and the flood of Telegram claims between June 13 and June 25, 2025.

While one of the most visible surges came during the June conflict, Mr Hamza’s activity is not limited to this narrow timeframe. The group was already active in the months leading up to the escalation and has remained prolific afterward.

Messages per day in Mr Hamza’s Telegram channel

Up-to-date analysis of the group’s Telegram channel shows that Israel and the United States remain its main recurring targets. Other states also appear in its messaging, including India, the United Arab Emirates, Germany, France, and Spain. In some cases, the group also singles out various countries like Taiwan, the Netherlands, and Saudi Arabia, pointing to a wider range of targets.

Mr Hamza Telegram posts in Arabic (left) and English (right) claiming cyberattacks against NATO

Hashtag usage further illustrates this persistence. Campaign tags like OpIsrael, OpUSA, and OpGermany account for the highest share of mentions.

Top hashtags in Mr Hamza’s Telegram channel

This reinforces that these states remain long-term priorities for the group rather than temporary conflict-driven targets. The continuity of these narratives in both peacetime and wartime suggests that Mr Hamza is positioning itself as a standing actor in the hacktivist ecosystem, not simply a conflict-time opportunist.

 

What Are Mr Hamza’s Techniques?

Mr Hamza operates primarily through Telegram, which acts as both its coordination hub and marketplace. The channel is used to announce attack targets, circulate hashtags that tie operations to political causes, and post “proof” screenshots or links after attacks. It also serves a commercial purpose, advertising botnets, stressers, and other attack kits for sale.

Mr Hamza’s Telegram channel info

The group’s main method is DDoS, used both to create disruptive impact and to signal activity to followers. Claims of website defacement and data leaks appear as well, though these are secondary.

Tools

Multiple tools are associated with Mr Hamza’s ecosystem, either directly promoted in their channels or flagged in open reporting. Some of these include:

  • Elite Botnet, Rebirth Botnet, and Nova Botnet

  • Ryzer Stresser, Dark Cloud Stresser

  • MonacoC2, WraithC2, Sapphire C2, Cindy Network, Trident Network, Hyperion Network Solutions

  • Utilities such as Email-Tracker, Chiasmodon, and dedicated doxing tools

In addition to promoting these services, Mr Hamza also distributes its own branded toolset via a dedicated “Tools” Telegram channel. In August 2025, the group released two bespoke Layer 7 flooding programs to followers:

  • HTTP Spectral Phantom V1 – The script attempts to overwhelm targets with randomized request headers, cookies, and URL paths. It includes long lists of WAF-bypass payloads, proxy support, and even cycles through fake TLS and JA3 fingerprints to evade detection. By mutating nearly every request field, it tries to defeat caching, signature-based filtering, and TLS-profiling defenses.

WAF bypass payloads

Console banner from the HTTP Spectral Phantom tool

  • HTTPS Flood V1 – a complementary tool optimized for HTTPS flooding. It generates high-volume Layer 7 traffic while spoofing User-Agents, rotating IP headers (X-Forwarded-For, X-Real-IP), and simulating browser sessions. The script also appends random query strings and asset requests (favicons, CSS, JS) to appear like legitimate browsing traffic.

Mr Hamza’s channel introducing their custom HTTPS Flood V1 tool, advertised as a dedicated Layer 7 attack script

Alliances

Mr Hamza is not isolated. Their Telegram feed is saturated with forwarded content and cross-branding from other hacktivist groups.

Reported alliances span pro-Russian actors such as NoName057(16) and Z-Pentest, DieNet Islamist collectives like the Holy League, and Arabian groups including Anonymous Guys, Anonymous Arab-Team, and Anonymous Morocco. The network extends even further, with links to Latin American groups and Kurdish hacktivists like Hezi Resh, showing how these alliances cross regions and ideologies while reinforcing each other’s visibility.

The never-ending circle of alliances typical of Telegram hacktivist groups

This coalition structure allows different groups to amplify each other’s claims and campaigns, giving the appearance of broad, synchronized action. In practice, it is mostly a matter of convenience: groups often cooperate for mutual gain under an “enemy of my enemy is my friend” logic, and today’s ally may take the opposite side in another context.

Operational Rhythm

Message activity shows consistent peaks in evening hours (UTC), suggesting that the group operates most actively during what would be after-work hours in many regions.

Average hourly posting activity in Mr Hamza’s Telegram channel, shown in UTC (left) and Morocco local time (right)

While no clear attribution can be made, the rhythm contrasts with the stricter “9-to-5” patterns sometimes observed in state-directed operations, hinting instead at a looser hacktivist structure.

What Are The Mitigation Tactics Against Mr Hamza?

A layered and hybrid approach can help you mitigate DDoS attacks.

1. External Layer Defenses

  • Internet Service Providers (ISP) Filters
    Work with your ISP to apply emergency traffic filtering or “blackhole routing” upstream. If traffic surges appear malicious, ISPs can block or discard the flood before it reaches your infrastructure.
  • Cloud Scrubbing & CDNs
    Use Content Delivery Networks (CDNs) to absorb and filter traffic, or subscribe to cloud-based scrubbing services that cleanse incoming traffic. These defenses help ensure uptime even under high-volume attacks.
  • DNS Protection
    Defend your DNS layer via services that filter or rate-limit resolver queries. This prevents DNS-based amplification and reflection attacks.
  • Native Cloud Provider Shields
    Leverage infrastructure with built-in DDoS resilience, like AWS Shield, Azure DDoS Protection, or Cloudflare’s networks. These offer auto-scaling and traffic distribution features to absorb volumetric assaults.

2. Perimeter & On-Premise Controls

  • Web Application Firewalls (WAFs)
    Deploy WAFs inline to filter HTTP traffic at Layer 7. Use customizable rule sets to catch bot-like patterns, such as header spoofing, path fuzzing, or abnormal query counts—frequent in Mr Hamza’s tools.
  • On-Prem Appliances
    Dedicated boxes with DDoS mitigation features can provide another line of defense inside your network if upstream controls fail.

3. Internal Controls & Policies

  • Rate Limiting & Behavioral Analysis
    Throttle requests per IP or use behavioral anomaly detection to identify bots. This helps catch sophisticated Layer 7 floods that mimic legitimate traffic.
  • Traffic Filtering & Blackholing
    Drop traffic automatically based on signatures or abnormal behaviors. Use dynamic IP blocking or sinkholing when robotic patterns emerge.
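
The per-client throttling and behavioral checks above, applied to the request traits this profile attributes to HTTPS Flood V1 (rotating User-Agents, rotating X-Forwarded-For values, random query strings), as an added example that is not SOCRadar's code. The record layout, thresholds, reason labels and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed thresholds for illustration; tune against your own traffic baseline.
WINDOW_S = 10         # fixed window length in seconds
MAX_REQS = 30         # requests per client per window
MAX_UAS = 3           # distinct User-Agent strings per client per window
MAX_XFF = 3           # distinct client-supplied X-Forwarded-For values
MAX_UNIQ_QUERY = 0.8  # distinct query strings divided by requests in the window


def analyze(records, trust_xff=False):
    """records: (peer_ip, epoch_s, url, user_agent, xff). Returns {client: [reasons]}."""
    buckets = defaultdict(list)
    for peer, ts, url, ua, xff in records:
        # Key on the socket peer. Trusting a client-supplied header lets a
        # sender that rotates X-Forwarded-For split itself across many keys.
        client = xff if (trust_xff and xff) else peer
        buckets[(client, ts // WINDOW_S)].append((url, ua, xff))
    flagged = defaultdict(set)
    for (client, _), rows in buckets.items():
        queries = {urlsplit(url).query for url, _, _ in rows} - {""}
        if len(rows) > MAX_REQS:
            flagged[client].add("rate")
        if len({ua for _, ua, _ in rows}) > MAX_UAS:
            flagged[client].add("ua_rotation")
        if len({x for _, _, x in rows if x}) > MAX_XFF:
            flagged[client].add("xff_rotation")
        if len(rows) >= 10 and len(queries) / len(rows) > MAX_UNIQ_QUERY:
            flagged[client].add("cache_busting")
    return {client: sorted(reasons) for client, reasons in flagged.items()}


def constructed_sample():
    """Constructed records (documentation IP ranges), not real traffic."""
    flood = [("203.0.113.7", 100 + i // 5, f"/index?r={i:04x}",
              f"UA-{i % 12}", f"10.0.{i}.1") for i in range(45)]
    pages = ["/", "/style.css", "/app.js", "/favicon.ico", "/news?id=3", "/news?id=3"]
    normal = [("198.51.100.20", 100 + 2 * i, path, "Mozilla/5.0 (X11; Linux x86_64)", "")
              for i, path in enumerate(pages)]
    return flood + normal


if __name__ == "__main__":
    for client, reasons in analyze(constructed_sample()).items():
        print(client, reasons)
```

With `trust_xff=True` the same flood is counted as 45 separate one-request clients and nothing is flagged, which is why rate limits should key on the connection's peer address or on a forwarding header set by a proxy you control.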

How Can SOCRadar Help?

To proactively defend your systems, SOCRadar Labs – Free Tools offers the DoS Resilience service as the first step. This free tool provides insights into your domain’s or subnet’s resilience against various DoS attack types.

SOCRadar offers deeper protection through:

By combining real-time monitoring with actionable intelligence, SOCRadar helps organizations move from a reactive stance to a proactive one — detecting threats as they emerge and strengthening resilience before an attack begins.