Who was really behind the massive X cyberattack? Here’s what experts say about Elon Musk’s claims
- X suffered outages on Monday 10 March due to a “massive cyberattack”
- CEO Elon Musk attributed "IP addresses originating in the Ukraine area”
- Security experts suggest the true origin of the attack cannot be identified
Analysts believe a distributed denial-of-service attack overloaded X’s servers with bogus traffic, interrupting access for genuine users. Because of the nature of the attack, it’s not really possible to identify with certainty where it originated. Hackers used devices in several regions, routing traffic through a number of hijacked IP addresses.
The social media platform X, formerly known as Twitter, suffered multiple outages on Monday 10 March. Thousands of X users in both the US and the UK reported being unable to access the website throughout the day.
Speaking to Fox Business, owner Elon Musk attributed the outages to a “massive cyberattack” and claimed that “IP addresses originating in the Ukraine area” were behind it.
With reported problems peaking at 40,000 on Downdetector, the scale of the outage is not in any doubt. It’s the most significant interruption of service that the platform has suffered in years, with the effects of the outages lasting for several hours.
But now the dust has settled, what exactly caused the outage? Here are the original theories, followed by the thoughts of cybersecurity experts...
The claim: Ukraine-based hackers were behind the X cyberattack
In the aftermath of the X outage, question marks remain over its cause – and who might be behind it.
Elon Musk took to X on Monday to share his belief that the attack had been carried out “with a lot of resources”. He went on to claim that "either a large, coordinated group and/or a country is involved", followed by his later comments on Fox Business that it came from “IP addresses originating in the Ukraine area”.
There was (still is) a massive cyberattack against 𝕏. We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved. Tracing … https://t.co/aZSO1a92noMarch 10, 2025
The Hacking group Dark Storm Team briefly claimed responsibility for the attack on Telegram, although the post was later deleted.
Amid the uncertainty and finger-pointing, we’ve pieced together a clearer picture of what happened and deciphered Musk’s claims amid the ongoing geo-political spat with President Volodymyr Zelensky.
The reality: it's impossible to pinpoint the real source of the X attack
Analysts across the web are broadly united in their understanding that X suffered a distributed denial-of-service (DDoS) attack on Monday. This is traditionally quite a crude form of cyberattack. It floods a target’s servers with illegitimate traffic, overwhelming their capacity and preventing real users from accessing the website in question.
Speaking to BBC Radio 4’s Today program, Ciaran Martin – a professor at Oxford University’s Blavatnik School of Government and former head of the UK's National Cyber Security Centre – described the technique as “not that sophisticated.”
Some experts suggest otherwise. David Mound, Senior Penetration Tester at third-party risk management platform Security Scorecard, said in a statement that “DDoS attack tactics have evolved dramatically”. He pointed out that “attackers now distribute traffic across entire subnets”.
That echoes comments from industry insiders elsewhere. Several experts have highlighted that DDoS attacks are usually orchestrated using a battalion of devices around the globe. Traffic tends to be generated from IP addresses which are distributed across different regions, making it hard to pinpoint exactly where the attack originated from.
Speaking to Wired, Shawn Edwards, chief security officer of Zayo, a network connectivity firm, said that “attackers frequently use compromised devices, VPNs, or proxy networks to obfuscate their true origin.”
As a result, it’s difficult to pinpoint the real source of an attack. Even if traffic did come from IP addresses within a particular country, as Musk suggested, that doesn’t mean the cyberattackers were located in that country. In the words of Professor Martin, it “tells you absolutely nothing.”
Incidentally, Wired also quoted an anonymous researcher who stated that none of the top 20 traffic sources involved in the attack were located in Ukraine. If correct, that would disprove Musk’s statement regarding Ukrainian hackers. There appears to be no evidence behind his claim that IP addresses involved in the attack originated in Ukraine. Even if they did, that alone would not be proof that any group in the country was actually involved in the attack.
That’s not to say a state actor couldn’t be involved. Mound made clear that “nation-state actors are also employing DDoS as part of broader cyber influence and disruption campaigns, particularly in geopolitical conflicts”.
Another question is how the attack was able to impact X so significantly. DDoS attacks are relatively commonplace, with Musk himself posting on Monday that X gets “attacked every day”. So why did this one bring down X? Musk is keen to suggest that a heavily resourced group is behind it.
However, a number of independent analysts have identified that X’s servers were not properly secured, leaving them publicly exposed to the attack. To quote Professor Martin again, it “doesn't reflect well on their cyber security."
Cyber specialists are warning of an increase in the regularity and complexity of DDoS attacks. In some cases, attackers are “extorting businesses by threatening prolonged downtime,” says Mound. Others are threatening “politically motivated disruptions against governments, financial institutions, and infrastructure providers.”
Mound concludes: “With attackers continually refining their techniques, a proactive, adaptive security posture is essential to withstand modern DDoS threats.”
