RipperSec
RipperSec is a hacktivist collective with Malaysian roots, also referred to as Cyb3rDrag0nzz/Cyb3r Drag0nz. The group is described as ideologically motivated, publicly aligning with Muslim identity and pro-Palestinian causes, and framing operations against countries or entities it perceives as pro-Israel or hostile to Palestinian interests. Content also places RipperSec among globally distributed pro-Iran-aligned hacktivist ecosystems and states it formally integrated into the Cyber Islamic Resistance / CIR Electronic Operations Room, an umbrella coordinating multiple aligned teams.
RipperSec’s observed activity is centered on disruptive and propaganda-oriented operations rather than financially motivated cybercrime. Reported tactics include DDoS attacks, website defacements, and public messaging. The group has been described as one of the most active actors in some datasets, repeatedly targeting Israeli government bodies such as the Israel Innovation Authority and Export Institute, and conducting DDoS campaigns against Israeli government and drone-related assets with time-specific disruption announcements. Additional reporting states it targeted India, continued targeting Israel while adding South Korean government and private-sector entities, and justified South Korean targeting by accusing the country of supplying weapons and armored vehicles to Israel. In UK reporting, RipperSec was described as a pro-Palestinian group that opportunistically targeted the UK in August 2024.
Telegram is described as RipperSec’s primary platform for communication, rebranding, continuity, and audience management. Reporting notes repeated channel migrations and rebranding, use of backup channels, impersonation warnings, and promotion of Keet as a backup communications option. Earlier Telegram biographies described RipperSec as a Malaysia hacktivist collective; by January 2025 one biography described it as a non-governmental and non-profit organization focused on education, research, and pentesting.
The group repeatedly promoted MegaMedusa, described in the content as a NodeJS-based DDoS tool provided by the RipperSec team, and shared related GitHub and donation links. Reporting also notes donation-based support through Sociabuzz and cryptocurrency wallets, with no evidence in the provided content of ransom demands, paid victim extortion, or structured victim-focused monetization.
Some content also describes RipperSec as a pro-Russia group increasing activity against EU member states, targeting public administration, media/entertainment, and transport sectors, with a claimed intent to target OT. The provided content does not reconcile this with the separate reporting that consistently describes RipperSec as pro-Palestinian/pro-Iran-aligned, so both characterizations appear in source reporting.
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Malaysian group referenced as operating separate infrastructure distinct from Keymous+ and EliteStress.
Southeast Asian hacktivist group integrated into CIR operations, conducting DDoS and website defacement against Israeli targets.
Hacktivist group integrated into the Electronic Operations Room during the 2026 escalation.
Named participant joining the Cyber Islamic Resistance umbrella coalition; no specific operations detailed beyond coalition membership.