KEYMOUS Plus, also known as Keymous+ threat group, markets itself as a hacktivist collective, but researchers describe it as a North African hybrid actor blending political performance with a commercial DDoS-as-a-Service platform and an alliance network spanning 70+ groups. The group first appeared publicly in November 2023, with a DDoS claim against Morocco’s national e-Visa portal, and is the most prolific DDoS-claiming entity in global hacktivism, according to researchers.
Its operations are split into an Alpha Team handling breaches and data leaks and a Beta Team dedicated to DDoS, with Alpha Team largely inactive by mid-2025 and Beta Team driving most confirmed operations. EliteStress, a commercial DDoS-for-hire platform, is publicly connected to Keymous+ and was surface-promoted to followers from June 2025, with fourfold bandwidth amplification in coalition operations and attacks reaching up to 44 Gbps in coordinated campaigns.
In 2026, after the Operation Epic Fury strikes, Keymous+ claimed 26.8% of global hacktivist DDoS activity across 16 countries and 110 organisations, while single attacks averaged about 11.8 Gbps for solo operations and 44 Gbps for coalition efforts, with peaks and activity often announced on Telegram channels.
Researchers note the group’s targeting pattern is opportunistic and geopolitically driven, with government, telecommunications, financial services, and energy sectors among the most frequently attacked, and a notable concentration of activity around 06:00 UTC. According to NETSCOUT, the group also employs a mix of spoofed sources, amplification vectors such as CLDAP, DNS, NTP, memcached, and SNMP, and direct floods, underlining the need for intelligence-led monitoring and capacity planning.