An unusually powerful outage hit X (formerly Twitter) on Monday, disabling the service for thousands of people around the world. 

The massive blackout, which sent people flocking to rival service Threads, stopped users from seeing and posting tweets on the app and website. 

X owner Elon Musk said the outage was caused by a ‘massive cyberattack’ done by a ‘large, coordinated group’ or a country with ‘a lot of resources’.

Musk then sensationally claimed that the attack originated in Ukraine, ‘with IP addresses originating in the Ukraine area’.

However, Jake Moore, security advisor at ESET, says the cyberattack could have originated ‘anywhere’, telling MailOnline: ‘It’s just too difficult to pinpoint where it would originate from.’  

He added: ‘Without seeing the report of [X’s] investigation it would be difficult to agree with this accusation either way.’

Megha Kumar, head of geopolitical risk at CyXcel, said ‘we need a lot more information before we jump to this [Musk’s] conclusion’. 

‘Musk is not only the owner of the platform but is a key member of the Trump administration – and we know from recent events that the Trump government has a fraught position on Ukraine,’ Kumar told MailOnline. 

The massive outage, which sent users flocking to rival service Threads, affected thousands of X users around the world

X owner and Tesla CEO Elon Musk said on Monday that IP addresses based out of Ukraine were involved in the apparent sabotage


Musk, who purchased the social media platform in 2022, told Fox Business Network on Monday afternoon: ‘We’re not sure exactly what happened.

‘But there was a massive cyber attack to try to bring down the X system with IP addresses originating in the Ukraine area.’

However, this is not a clear indicator of where exactly the cyberattacker is located, making it ‘dangerous to point the finger’ according to Moore. 

An IP address can be ‘tampered with’ to make it seem that the origin is in a different country. 

‘IP addresses can also be directed via software to be seen to have originated anywhere in the world,’ Mr Moore explained. 

‘Therefore, even if their analysis suggests Ukraine, it would be dangerous to point the finger so early on.’ 

The expert agreed that it was a cyberattack, adding that it was highly likely a distributed denial-of-service (DDoS) attack.

This is where the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites, like a traffic jam on the internet. 

On X (once it was restored), Musk said the outage was caused by a ‘massive cyberattack’ done by a ‘large, coordinated group’ or a country with ‘a lot of resources’. He then took to Fox News to say the attack originated in Ukraine, ‘with IP addresses originating in the Ukraine area’

Allan Liska of the cybersecurity firm Recorded Future said it is ‘doubtful’ that every IP address that hit Twitter on Monday originated from Ukraine. 

If this scenario is even true, ‘they were most likely compromised machines controlled by a botnet run by a third party that could be located anywhere in the world’, he said.

Meanwhile, Ciaran Martin, professor at Oxford University’s Blavatnik School of Government, said Musk’s explanation was ‘unconvincing’ and ‘pretty much garbage’. 

Professor Martin, who was previously in charge of the UK’s national cyber security, said there was ‘absolutely no evidence’ the attack originated from the war-torn country. 

He told BBC Radio 4’s Today programme: ‘We’ll wait and see whether they are responsible.

‘But there’s absolutely no evidence that this has come out of Ukraine.’

Professor Martin questioned X’s cybersecurity capabilities over the ‘remarkable incident’, adding: ‘I am very surprised that X fell over as a result of a DDoS attack.

‘It’s a very large-scale DDoS attack but it’s not that sophisticated, it’s a very old technique.

DownDetector, a site that monitors online outages, shows more than 9,000 reports from affected users shortly before 10am GMT on Monday

In the US, affected X users were across the nation, including New York, Los Angeles and Chicago.

In the UK, most of the issues were reported in major cities, including London, Birmingham and Manchester 

‘I can’t think of a company of the size and standing, internationally, of X that’s fallen over to a DDoS attack for a very long time.

‘It doesn’t reflect well on their cyber security.’

Nicholas Reese, cyber expert at New York University, said it’s not possible to definitively verify Musk’s claims without seeing data from X – and the likelihood of this happening is ‘pretty low’.

Reese does not think the attack was by ‘state actors’ – people acting on behalf of a government with an official ‘licence to hack’.

Reese said the likelihood that a state actor is behind the outage ‘doesn’t make a lot of sense’ given its short duration, unless it’s a warning for something larger to come.

‘It’s only really a statement if there is some kind of follow on action, which I would not rule out at this point,’ he said.

In other recent developments, a pro-Palestinian, Russian-linked hacktivist group called Dark Storm has taken credit for the disruption. 

First observed in 2023, Dark Storm is known for launching cyber-attacks against entities that they believe to be Israel supporters, Kumar said. 


In October last year they claimed responsibility for another DDoS attack against JFK airport in New York.

‘We have seen a major resurgence in the category of patriotic hackers since the war began, and these groups are financially motivated in some circumstances, but also ideologically driven,’ Kumar told MailOnline. 

‘They can choose to fight for a particular cause, whether it be a Russia/Ukraine issue, so attacks are motivated by making a political point. 

‘These are frequent, and given the fraught political environment we’re living in at the moment, and the tools used to score points, there is a need for robust cybersecurity.’

Now acting as an adviser on federal spending to President Trump, Musk previously said Ukrainian president Volodymyr Zelensky is running a ‘fraud machine feeding off the dead bodies of soldiers’, suggesting limited appetite for continued American support for Ukraine.


It comes amid fraught relations between Kyiv and Washington; last month, Trump called Ukrainian President Zelensky a ‘dictator.’

A subsequent Oval Office meeting between the two disastrously descended into acrimony.

David Mound, cybersecurity expert at risk management platform SecurityScorecard, said Musk’s assertion ‘aligns with recent political narratives coming from the White House’. 

‘While it is possible that Ukraine was involved, attributing such an attack without verifiable proof is premature and unhelpful,’ Mound told MailOnline. 

‘However, without concrete evidence, it is difficult to determine who was actually behind the attack.

‘Given Musk’s history of controversial decisions and public disputes, the list of potential adversaries is extensive.

‘Unless technical indicators or forensic evidence are shared, any claims about the origin of the attack should be taken with skepticism.’ 

WHAT IS A DDOS ATTACK? 

DDoS stands for Distributed Denial of Service. 

These attacks attempt to crash a website or online service by bombarding it with a torrent of superfluous requests at exactly the same time.

The surge of simple requests overloads the servers, causing them to become overwhelmed and shut down.

In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware.

Malware is distributed by tricking users into inadvertently downloading software, typically by getting them to follow a link in an email or agree to download a corrupted file.
