A cyberattack that brought down Elon Musk’s X targeted servers that were insufficiently protected from malicious traffic, according to cybersecurity analysts.
Users of the social media platform faced intermittent outages throughout Monday, which Musk blamed on a “large, coordinated group” or country waging a “massive cyberattack”. He didn’t provide any additional specifics to bolster his claim.
Jérôme Meyer, security researcher with Nokia Deepfield, a business unit within Nokia, said X had been targeted in a distributed denial-of-service attack, or DDoS, which floods a website with traffic and forces it offline. Meyer said he was able to track the attack by reviewing data collected through Nokia’s Deepfield, which is deployed inside telecommunications companies and provides analytics and DDoS protection.
The waves of traffic targeted particular “origin servers”, which process and respond to incoming internet requests, he said. Those servers were vulnerable to attack because it appears they weren’t shielded behind technology that blocks DDoS attacks, Meyer said. They “should not be exposed on the internet”, said Meyer, who added that one of the servers attacked on Monday was still isolated and vulnerable to attack on Tuesday morning.
A representative for X didn’t immediately respond to a request for comment. A pro-Palestinian “hacktivist” group called Dark Storm Team took responsibility for the attack without providing any evidence.
‘Unlocked’
Ciaran Martin, former head of the UK’s National Cyber Security Centre, said in a BBC radio interview on Tuesday that it “looks like X didn’t implement Cloudflare properly”, referring to the company that offers DDoS protection services. Martin also said that X had “left some of its servers in front of rather than behind” Cloudflare’s protection. “It’s a bit like having four doors, putting state-of-the-art locks on three of them, and leaving one unlocked,” he said. Martin didn’t respond to a request for further comment.
A representative for Cloudflare didn’t immediately respond for a request for comment.
Read: Elon Musk: Starlink ‘not allowed’ in South Africa ‘because I’m not black’
David Mound, senior penetration tester at cybersecurity firm SecurityScorecard, said most large websites have strong protections against such attacks, including web application firewalls and other security technologies that protect their origin servers from being directly accessed via the internet.
“If X’s origin servers were exposed or lacked adequate filtering, that would be a fundamental security oversight,” he said. Protecting origin servers is a well-established best practice for any large-scale web service, Mound said.
Musk suggested in a Fox Business interview on Monday that his company had traced IP addresses to the “Ukraine area”. However, cybersecurity experts have cast doubt on that claim.
The majority of the devices used to flood X with traffic were located in the US, Mexico, Spain, Italy and Brazil, according to Nokia’s Meyer. These devices were likely under the control of an attacker who could have been located in another country, hiding behind multiple layers of obfuscation to conceal their true identity, he said.
Jason Kikta, a former official with US Cyber Command, said hackers faking the location of web traffic in attacks that overwhelm servers is “trivial and routine”.
“The IP addresses a victim sees in a DDoS attack is about as meaningful as describing what kind of ski mask a bank robber was wearing,” said Kikta, now chief information security officer at IT automation firm Automox. “It’s a starting point, but not terribly useful.”
Meyer said the attack was linked to a botnet – computers infected by malicious software and under the control of a hacker – that included between 10 000 and 20 000 IP addresses. These were associated with security cameras and network video recorders, which were likely compromised by malicious software, he said.
Halving
Many of the devices used in the attack on X were linked to a botnet known as “Eleven11bot”, which has previously carried out denial-of-service attacks against communications service providers and gaming hosting infrastructure, said Meyer, who has been tracking the botnet for several weeks.
Read: Tesla sales plunge in Europe amid anti-Musk backlash
Following Musk’s acquisition of Twitter in 2022, which he later rebranded as X, more than 100 people working on security and privacy teams left the company, halving the number of personnel who were responsible for protecting its infrastructure from cyberattacks and data breaches. — Ryan Gallagher, with Jordan Robertson and Jake Bleiberg, (c) 2025 Bloomberg LP
Get breaking news from TechCentral on WhatsApp. Sign up here
