Since 28 February 2026 — the day the United States and Israel struck Iran — Akamai Technologies has recorded a 245 percent increase in malicious internet traffic targeting businesses and institutions across North America, Europe, and parts of Asia-Pacific. That figure, drawn from Akamai's global edge network monitoring data, is not primarily an Iran story. It is a Russia and China story, which makes it considerably more complicated.
Of the source IPs behind the surge, Russia accounts for 35 percent and China 28 percent, according to Akamai's analysis published in March 2026. Iran contributes 14 percent. Researchers at Akamai and Palo Alto Networks' Unit 42 group have been careful to note that source IP geography does not equal attacker nationality — both Russia and China host large underground cybercrime service markets that sell attack infrastructure to clients regardless of origin. What the data shows is that criminal and state-aligned threat actors have been systematically exploiting the distraction created by a major geopolitical crisis to intensify opportunistic and targeted attacks.
The scale at the enterprise level is striking. A critical payment processing platform in Asia-Pacific blocked more than 11 million malicious packets originating from Russian-origin IPs in a single day during March 2026, according to the Akamai report. A major European payment processor blocked nearly 978 million packets from Russian-origin IPs over a 90-day window. These are not headline-grabbing nation-state intrusions into defence contractors; they are sustained, volumetric attacks against financial infrastructure that processes daily commerce.
Palo Alto Networks' Unit 42 team published a threat brief on 26 March 2026 documenting a specific escalation pattern following each major development in the Iran conflict. Within 48 hours of the February 28 strikes, Unit 42 observed a coordinated increase in reconnaissance activity against US and European critical infrastructure sectors, including energy, logistics, and financial services. "The correlation between geopolitical events and threat actor tempo is more direct and faster than it was even three years ago," wrote Unit 42 researchers in the March 26 threat brief. "Incident responders need to treat major military events as cyber threat elevation triggers."
Key Takeaways
- Akamai Technologies recorded a 245% increase in malicious internet traffic targeting businesses in North America, Europe, and Asia-Pacific since 28 February 2026, the day the US and Israel struck Iran.
The World Economic Forum's Global Cybersecurity Outlook 2026, released in March, found that 91 percent of the largest organisations surveyed had already changed their cybersecurity strategies in response to geopolitical volatility. That is a remarkable proportion and suggests that boards and C-suites are taking the cyber dimensions of the Iran conflict seriously in ways that did not happen when previous Middle East crises erupted.
There is a caveat buried inside the encouraging headline. Changed strategies do not equal improved security. The same WEF report noted that smaller suppliers in global manufacturing and services chains remain significantly under-resourced for the threat environment, and that larger organisations' improved defences effectively push attackers toward mid-market and SME targets. The cybersecurity perimeter of any large company now extends as far as its weakest supplier — a problem that a single firmware update or board-level policy cannot solve.
For companies and individuals exposed to the current threat environment, Unit 42 and ASIS International have both published practical mitigation advisories. The consistent recommendations include patching internet-facing systems immediately rather than on quarterly cycles, enabling multi-factor authentication across all remote-access services, and reviewing access controls for cloud storage buckets that may have been configured before the threat environment changed. The Register, reporting on the 245 percent surge on 16 March 2026, noted that KYC facial verification bypass tools, specifically designed to exploit the reduced attention that financial institutions' security teams are giving to fraud detection while managing the elevated DDoS threat load, have appeared on criminal marketplaces.
The 245 percent figure will likely climb before it subsides. The Iran conflict has no agreed-upon end date, the Lebanon ceasefire announced on 16 April applies only to kinetic operations, and no diplomatic framework currently constrains the digital activity of the actors exploiting the moment. The next inflection point to watch is the mid-May expiry of the US sanctions waiver on Russian oil, a date that, if accompanied by fresh economic pressure on Moscow, could trigger another wave of retaliatory activity across the same infrastructure that has been absorbing attacks since late February.