Curricula - Knowledge - Navigation

“Hacktivism”: about the origins, meaning and history of online Activism.

From “Anonymous” to Wikileaks “hacktivism” can have many faces and forms. Having been replaced from the headlines by state run disinformation campaigns, “hacktivism” is far from dead but remains an elusive concept.

The phenomena of “hacktivism” rose to the media’s attention from 2011 onwards and peaked together with incidents of “hacktivism” in 2015-16 to disappear from the media’s attention shortly afterwards. While hacktivism still does not receive as much press coverage as it used to, recent events in Venezuela and Sudan have sparked a revival of interest in this phenomenon. However, while a much-used word: “hacktivism” remains undefined. Therefore, this article will analyse the origins, history and evolution of “hacktivism” to enable a more defined understanding of the concept.

“Hacktivism” is a combination of “hacking” and “activism”. However, the origin of the name remains inconclusive, over which an insightful debate has emerged. 

“Omega”, a member of the hacker group “Cult of the Dead Cow” or cDc, is credited with using the word in an email to the group around 1994. Furthermore, by 1999 the cDc had established “Hacktivismo” a sub-group that focused on the creation of anti-censorship technology.

However, the date of “Omega´s” e-mail is highly debated, as some see the writer Jason Sack as first to mention “hacktivism”. In a 1995 article about Shu Lea Cheang, a new media artist, Sack uses “hacktivism” to describe the mix between online activities and activism. Thus, while “Omega” can be seen as more rouge character, producing change via action, Sack´s description gives a more artistic impression of “hacktivism”, intended to educate and stimulate thoughts.

Defining “Hacktivism”

Indeed, “hacktivism” is anything but a unified field or scene. Groups like Wikileaks appear to follow Sack´s idea, attempting to bring change via information, while groups like Anonymous have relied more on “Omega´s” direct action model.  

Moreover, when a Chinese fighter jet and a U.S spy plane collided in 2001 the hacker communities of the respective countries declared “war” on each other.

Further, while, beside this moment of patriotism, the US “scene” became increasingly critical of government and big business, in China the hacktivists emerged over the anti-Chinese riots in Indonesia and targeted perceived adversaries of their country.

Nevertheless, the respective national “hacktivist” scenes are far from homogeneous and can usually be found on both sides of a conflict, while having surpassed national boundaries. Further, the scale of the attacks and their form can vary, from shutting down servers to obtaining and releasing private or secret information. 

Hence, “hacktivism”, far from a defined concept, can have a variety of forms, methods and goals.

Similarly, Whelan (2016) sees terrorism on a spectrum rather than a distinct phenomenon. As such, its boundaries are floating and it is defined, at least to some degree, in its relation to other forms of political  violence. As such, it mirrors “hacktivism” as no international or general consensus on its definition has emerged.

Cyber-terrorism, also lacking an international definition, is defined by NATO (2008) as “cyber-attack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal”. 

Thus, its boundaries to “hacktivism” are floating and appear to depend on the degree of damage done and  if the act generates fear. Interestingly, following this definition the original intention of the attacker or “hacktivist” appears to matter little. Rather, the actual impact of the attack makes it to cyber-terrorism and with it the perpetrator a cyber-terrorist or not.

On the other hand, the boundaries to cybercrime are more distinct. Here the intention of seeking profit vs. the intention of achieving political or social goals is the main differentiation. 

Finally, “hacktivism” differentiates itself from “cyber-warfare”, which is definitional not related to normal war, by the perpetrator. While acts of “cyber-warfare” are committed by a state or an organisation with close ties to it, “hacktivism” is conducted by non-state actors.

However, some degree of caution remains. One of the largest distributed denial-of-service (DDoS) attacks, overloading a server with requests to make it unavailable, occurred in Estonia in 2007. The attack was likely caused by removal of a Soviet war memorial and claimed by the pro-Kremlin group “Nashi”. However, while the group denied having acted on governmental orders, the scale and cause of the attack left several researchers wondering. Hence, the lines between state-actor and a non-state actor, motivated by nationalism, are floating or at least hard to trace. Indeed, the difficulty of attributing cyberattacks to a specific actor has been described by Brantley (2018) as “cyber deterrence problem”. Hence, it is this deniability that has and will lead state actors to rely on “hacktivist” groups to do their betting to avoid reprisals. 

Therefore, “hacktivism” has to have the following qualities to be described as such:

  • conducted by a non-state actor, having weak or no ties to government
  • aims to further a political or social goal
  • action causes no or insufficient destruction or disruption or/and does not intimidate the population

History of “Hacktivism” 

Hacking dates back to the 1950s, where students of the Massachusetts Institute of Technology begun experimenting with track circuits and the expanding possibilities of the internet. It would take until October 1989 for, what is described as, the first “hacktivist” action to take place. Believed to have originated from Australia, a malware “worm” managed to infiltrate the computers of the NASA and the U.S Energy Department. It altered the login screens of the infected computers to “Worms against nuclear killers…”. The “worm” was the second of its kind, but appeared to stand in relation with the anti-nuclear movement. Thus, while the attack was carried out online, it appeared to have been caused and intended to have effects on the physical world, much like in the Estonian case. 

This trend would continue, when the so called “Zippies” used DDoS attacks in retaliation to John Mayor´s Criminal Justice and Order Act in November 1994. Their attack overloaded the servers of government websites, causing them to shut down for weeks. 

However, there were also actions which aimed more directly at the internet and control over it. For instance, the so called “Hong Kong Blondes”, targeted the Chinese computer systems to provide free access to the internet for the population. In doing so they received help from the cDc, showing how the “hacktivist” community had become internationalised and was building loose ad hoc networks to conduct a specific campaign or action. 

The Electronic Disturbance Theatre (EDT) would evolve “hacktivism” further. Aiming to break the barrier between online and offline activism the group created “Floodnet”. This program enabled “normal” persons with no hacking experience to conduct a joined DDoS attack. In support of the Zapatista rebels the group organised large scale DDoS attacks against American and Mexican servers. 

Hence, different to the network-like operation between the “Hong Kong Blondes” and the “cDc”, the “EDT” operated as organisator of a swarm. Having made “Floodnet” openly available its control rested on the willingness of sympathisers to utilise the program and on “EDT´s” ability to create a unified direction and target for them. 

Nevertheless, both forms of cooperation appear to have occurred on an ad hoc basis, with the duration of the cooperation dependent on the campaign or goal. Further, these cases reveal that the methods of “hacktivists” are fairly limited. DDoS, which can be bought for $30-70 for a day, constitute the main mechanism, followed by releasing and obtaining information and defacing or altering websites. 

In 2003 a further revolution in the “hacktivist” scene occurred. Created by the 15-year-old C. Poole, the website “” soon attracted a lot of traffic. In its forums different “hackers” exchanged hacking and coding tips and started to develop into a loose free to join/leave group. Members without an account acted with the user name “anonymous” on the platform and adopted this name for their loose group. 

By 2008 the hackers moved into “hacktivism” and conducted several DDoS attacks against Scientology, after the organisation attempted to remove a leaked video from YouTube. During this campaign “Anonymous” organised on and offline protests, signifying that “hacktivism”, following EDT´s idea, had surpassed the online-offline borders further. Between 2015 and 2018 “Anonymous”, according to IBM X-Force, was responsible for 45% of all “hacktivist” attacks. 

Thus, a new form of organisational structure was added. “Anonymous” in many aspects resembles the swarm like structure of the “EDT” and their followers. However, while the EDT still operated as a leadership cell, centrally organising the actions of the swarm, Anonymous has embraced and developed the swarm model further. It has captured symbols, like the Guy Fox masks, and has no existing barriers for joining the group. Further, there is no direct leadership; actions and campaigns are rather developed in a grassroot manner within the different internet platforms. Hence, the unity of action is more often the exception than the rule and various “Anonymous” campaigns can run simultaneous with rather different goals. 

Future of “Hacktivism” 

“Anonymous” has seemingly lost attractiveness in recent years. From 2011 to 2015 the cases of “hacktivism” were increasing almost constantly. However, the data of the IBM X-Force has shown that after peaking in 2015, hacktivism has been declining in recent years, and in 2018 was down by 95% from its 2015 levels.

Nevertheless, as shown by Trend Micro and the cases presented here “hacktivism” can be caused by real world events and is seemingly related to offline politics. According to Adam Meyers, VP. of Crowdstrike, the increased geopolitical volatility has led to a renewed increase in “Hacktivism”. Indeed, a variety of new smaller actors appear to have replaced big collectives like “Anonymous”. As such, the recent protests in Sudan, that lead to a military coup and consequent protests were also accompanied by several acts of “hacktivism”. Six days before al-Baschir was arrested, 260 Sudanese domains were targeted by DDoS in a single day. 

Thus, “hacktivism” appears to occur in “waves”, driven by political events. Only the future will tell if we are at the beginning of a new wave of “hacktivism”, but the indicators appear to be there. 

Note: This article was inspired by Whelan´s (2016) approach to define terrorism

Author: Niklas Hamann 


Brantley, A.F. (2018). The cyber deterrence problem. Brussels: NATO

IBM-X Force (2019): X-Force Threat Intelligence Index. Verfügbar unter:

Insikt Group (2019): Return to Normalcy: False Flags and the decline of International Hacktivism. [pdf] Ort:Insikt Group, (26p.). Verfügbar unter:

Mccormick, TY (2013): Hacktivism: A short history. In: Foreign Policy, Verfügbar unter:

Newman, Lilly Hay (2019): Hacktivists are on the rise- but less effective than ever In: Wired, Verfügbar unter:

Whelan, T.E.A. (2016). The capability spectrum; locating terrorism in relation to other forms of political violence. In: Contemporary Voices: St. Andrews Journal of International relations, Vol. 7, No. 1, pp. 11-19



hacktivism, online-activism