In 2025, Vietnam became the focal point of an aggressive cyber campaign launched by an emerging hacktivist group operating under the alias Anonymous VNLBN. Scraped from their Telegram channel, the group’s posts reveal a calculated and highly coordinated effort to disrupt critical Vietnamese institutions. Targets span across several sectors, including government ministries, legal departments, healthcare providers, utilities, and even diplomatic and educational institutions.
One of the most striking aspects of this campaign was its concentration on the Western provinces of Vietnam, where legal and justice system websites were systematically taken offline. Posts from the group boasted of disabling eight out of thirteen legal administration portals in the region, asserting that the remaining ones were either permanently relocated or rendered inaccessible. These attacks weren't limited to legal entities—Vietnam’s provincial health departments were also targeted. Websites belonging to the Departments of Health in provinces such as Trà Vinh, Sóc Trăng, and Cà Mau were taken down, with the attackers claiming, “The entire Western Health Department website has been disabled. We take full responsibility.”
Energy infrastructure was also a major target. The group launched a wave of attacks against regional electricity providers under the EVNSPC umbrella, including power companies in Vĩnh Long, Đồng Tháp, and Kiên Giang. In an unsettling message that mixed mockery with menace, Anonymous VNLBN declared: “The entire Western region is in darkness. It’s so hot that a power outage would be great.”
The group’s Telegram announcements included check-host.net links, offering technical proof of potential site outages—clearly part of a deliberate strategy to validate their claims and spread fear. Their posts were loaded with sarcasm, references to "UDP death" (hinting at DDoS-style attacks), and repeated themes of disabling vital infrastructure. These weren’t random acts of vandalism; they were timed bursts, reflecting operational coordination and possibly automation.
What emerges is a disturbing pattern of hybrid warfare—a fusion of cyberattacks and psychological operations designed to undermine confidence in public services and amplify chaos. The symbolic focus on justice systems, health departments, and the power grid reflects an intent not only to disrupt but to destabilize and demoralize. With Vietnam’s embassy in China also targeted, the geopolitical undertones of this campaign cannot be ignored. Anonymous VNLBN’s actions echo those of similar groups active in Eastern Europe and beyond, where cyber tools are increasingly being used as weapons of influence and coercion.
Claimed Attack Activity
During the first four months of 2025, Vietnam experienced a surge in cyber threat activity, with a total of 179 claimed hacktivist attacks targeting organizations across the country. These attacks were perpetrated by four known hacktivist threat groups, with Anonymous VNLBN emerging as the dominant actor, responsible for approximately 84% of all incidents.
The attacks impacted 160 distinct hosts across 38 different organizations, indicating a broad and distributed targeting pattern rather than a focus on isolated infrastructure. This suggests a campaign strategy with the intent to disrupt multiple sectors or to create widespread instability or visibility.
From the first chart, we observe a low and sporadic level of activity from January to mid-March 2025. Most days registered zero or a minimal number of incidents, with rare spikes (e.g., early January and late February). However, a dramatic shift occurred starting on March 23, marking the beginning of an intensified attack phase. From March 23 onwards, the daily attack pattern also became denser, with frequent high-volume days—suggesting a well-organized campaign or heightened group motivation. April 2 recorded the highest number of daily attacks, with almost 35 claimed incidents reported in a single day.
Attack claiming Threat Groups
In 2025, most recorded cyberattacks—specifically 150—were attributed to Anonymous VNLBN. The Venom DDoS Community took responsibility for 22 incidents, with most occurring within the first two months of the year. Red Wolf Cyber claimed six attacks on March 23 alone. From that point onward, throughout the remainder of March and into April, all reported attacks were exclusively carried out by Anonymous VNLBN.
Since March 24, all attacks have been exclusively claimed by Anonymous VNLBN.
Targeted industries
Government institutions were the primary focus of cyberattacks in Vietnam, accounting for nearly 49% of all claimed incidents, specifically, 63 attacks. The education sector followed closely behind, being the target in 33.3% of the cases, with 43 attack claims. Media & Internet services were the third most affected, experiencing 10 attacks, which made up approximately 7.8% of the total.
Other sectors were significantly less impacted: Telecommunications faced 3 attacks (2.3%), while Manufacturing and Hospitality each saw 2 attacks (1.6%). Transportation, Retail, Finance, Consumer Services, and the Energy, Utilities and Waste sectors were each targeted once, representing less than 1% per sector. This data suggests a strategic focus by attackers on critical infrastructure and public-facing institutions, especially those in governance and education, which are likely to have high symbolic significance.
Anonymous VNLBN
Anonymous VNLBN is a new hacktivist outfit that presents itself as operating beneath the banner of the Commando Army—an elite combat force within the Vietnam People’s Army. Its Telegram channel, launched on 14 March 2025, has attracted 294 followers to date. As a self-proclaimed Vietnam-focused offshoot of the wider Anonymous collective, the group mirrors pro-Russian online propaganda and attack methods, seeking visibility through operations designed to unsettle regional governments and erode public confidence. Whereas the broader Anonymous movement is a loose, global network notorious for cyber-operations against state and corporate targets, Anonymous VNLBN concentrates mainly on Vietnamese entities, as shown by its attacks against government and critical infrastructure websites. It has, however, occasionally targeted organizations in the United States, France, Israel, and China—likely an effort to court attention and curry favor with kindred hacktivist factions it claims as allies.
The activities of Anonymous VNLBN align with the typical methods employed by global hacktivist groups, such as Distributed Denial of Service (DDoS) attacks, aimed at disrupting services and drawing attention to their causes. Their operations are often publicized through platforms like Telegram, where they share updates and coordinate actions.
Anonymous VNLBN wants to position itself as a prominent player within the global hacktivist community, emphasizing its transnational and non-ideological stance. In a recent Telegram post, the group announced the formation of an alliance, claiming that their collective operates under a principle akin to "Article 5" of the Hacker Alliance's general policy. This reference draws a parallel to Article 5 of the North Atlantic Treaty, NATO's foundational clause on collective defense.
Article 5 of the North Atlantic Treaty stipulates that an armed attack against one or more NATO members in Europe or North America is considered an attack against them all. In such an event, each member agrees to assist the attacked party by taking immediate action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
By invoking a similar principle, Anonymous VNLBN signals that an attack on any member of their alliance or any country or organization under the ‘protection’ of a member would prompt a unified response from all affiliated groups. This adoption of a collective defense doctrine underscores their intent to present a united front in their cyber activities, mirroring the solidarity emphasized in NATO's Article 5. Anonymous VNLBN's appropriation of this concept reflects their aspiration to establish a similar level of cohesion and mutual support within their cyber alliance.
Conclusion
The cyber offensive led by Anonymous VNLBN in early 2025 marks a pivotal moment in Vietnam's cybersecurity landscape, revealing the increasing complexity and intensity of hacktivist-led digital warfare. What initially appeared to be isolated disruptions quickly evolved into a sustained, strategic campaign targeting the pillars of public service—justice, health, education, and energy—with a clear intent to destabilize and provoke.
Anonymous VNLBN’s adoption of symbolic narratives, such as invoking NATO’s Article 5, coupled with their consistent use of psychological and technical warfare, signals a shift in how modern hacktivist movements operate—no longer acting purely in protest but as self-proclaimed paramilitary cyber forces with structured goals, synchronized attacks, and calculated propaganda. Their behavior illustrates the fusion of ideological motives with disruptive capabilities, and a willingness to weaponize visibility to gain credibility and attract like-minded entities globally.
Vietnam’s experience serves as a cautionary tale for other nations, particularly those with emerging digital ecosystems and active regional disputes. It highlights the urgent need for a robust, multi-layered cybersecurity strategy that combines proactive threat intelligence, resilient infrastructure design, coordinated incident response, and public-private sector collaboration.
In an era where information, infrastructure, and influence are under constant digital siege, the campaign led by Anonymous VNLBN reinforces one fundamental truth: cyber resilience is now a cornerstone of national security, and the battleground has irrevocably expanded into cyberspace.