- The Russian Legion’s hacking group is uniting with other Russian hacking groups to launch a series of coordinated Distributed Denial of Service (DDoS) attacks against Denmark.
- The group demands that the Danish government stop providing £1.5 billion (220 million dollars) of military support to Ukraine.
- The main attack will occur on February 2, at 16:00 (Denmark time), and will be directed against electricity grids and governmental websites.
Denmark just became the latest target in Russia’s cyber war playbook. A new collective of hackers is performing multiple attack sequences against Denmark’s infrastructure. And they are not hiding their intentions.
On January 28th, 2026, the Russian Legion (with support from the Inteid and Cardinal hacker groups) issued a joint ultimatum via Telegram. Their message was clear: halt military aid to Ukraine or face the backlash.
To show how serious they were, they carried out DDoS attacks, hinting at their planned attacks. Screenshots shared by the group already show Danish company websites knocked offline.
The attacks escalated over the last 48 hours. Russian Legion claims successful hits on Danish firms and public bodies, with the energy sector taking the hardest beating. The group set their main assault for 6 PM Moscow time (4 PM Danish time) today, February 2.
Government websites, energy grids, and other private organizations are all dealing with a huge influx of traffic that is designed to overwhelm their server and make it impossible for their users to use their services.
Russian Legion’s Strategy To Scale Fast Amid Simplicity
The Russian Legion’s plan is pretty basic, and it allows their operations to expand quickly. The main way that they start their operations is with a large DDoS attack against the target. They flood the target device with junk packets (bytes of data used to send a message) until they overwhelm and crash the target device. Many of the posts made by the group show examples of successful attacks against Danish websites.
There are signs that they have plans for much worse than just simple traffic flooding. They will be deploying a combination of data wipes and/or ransomware attacks. This is similar to what went on with other pro-Russian hacktivist groups that have emerged since the start of the Ukrainian crisis.
Such escalations to disruptive malware have already targeted European critical infrastructure, as seen in the recent ransomware attack on a Romanian water agency that affected 1,000 systems, highlighting the tangible threat beyond DDoS.
Inteid and Cardinal (Russian Legion’s partners for this attack) are similar to the Russian Legion (and are anti-Western) but use a slightly different mixture of hacktivism and sabotage. Their main difference is that they are using cheap DDoS services to create gigabit-level attacks (huge amounts of data).
The primary focus of these attacks will be on energy infrastructure, which should cause a great deal of concern. Critical systems like power plants run on exposed SCADA systems that are vulnerable to layered attacks.
Security firm Truesec rates the Russian Legion as state-aligned rather than directly state-funded. This fits Russia’s established pattern perfectly. Since the 2022 Ukraine invasion, Russian cyber actors have increased intrusions by 300%, according to threat intelligence reports. Groups like this mix DDoS with information operations. Their Telegram broadcasts spread fear and amplify Kremlin messaging.
Denmark’s official response has been quiet so far. No public alerts yet from CERT or government agencies, though companies are reporting brief outages. Truesec notes similar attacks in Norway and Finland tied to disputes over Ukraine aid.
What Denmark Faces and How to Defend
Not every cyber threat delivers on its promises. Data shows 60% of these campaigns stay at the DDoS level, and escalations often fizzle if targets respond quickly. Still, the impacts hurt. A 2025 Baltic DDoS wave cost banks millions in downtime.
The alliance’s strength lies in loose coordination. Members pool botnets and share exploits via dark web forums. Security experts warn to watch for follow-on attacks like SQL injections on web applications or phishing campaigns targeting insider access.
The contemporary threat landscape is multifaceted, ranging from these disruptive geopolitical campaigns to stealthy criminal operations, such as the recently reported ‘Stealth’ Data-Stealer targeting Discord’s global user base.
Denmark needs to act now. The 48-hour countdown creates political pressure, even though aid rejection seems unlikely given NATO commitments. But the uncertainty itself serves the psychological operation perfectly.
The main ways to defend against the spikes created by DDoS attacks include utilizing traffic scrubbing via cloud service providers such as Cloudflare or Akamai, which can filter out approximately 90% of the packets being used for malicious purposes within seconds.
Implementing rate limiting allows for capping of requests towards your server by IP Address, and geo-blocking access to your server from Russian and Belarusian IP Addresses further helps to reduce your attack surface.
Organizations should also consider utilizing anycast DNS in order to distribute the load across nodes around the world and use multiple Internet service providers (multi-homed) and failover servers to provide redundancy.
The clock is ticking. Danish organizations have hours to shore up their defenses before the main wave hits.
