
Russian Hacker Alliance Launches Large-Scale Cyberattack Targeting Denmark

A pro-Russian hacker alliance calling itself “Russian Legion” has issued direct threats against Denmark, warning of large-scale cyberattacks linked to the country’s planned military support to Ukraine.

The campaign appears designed to combine disruptive cyber activity with psychological pressure on Danish authorities, businesses, and the wider public.

The first threat was posted on the Russian Legion’s Telegram channel on January 28, 2026. In the message, the group demanded that the Danish government publicly reject a proposed 1.5 billion DKK military aid package to Ukraine within 48 hours.

They warned that “DDoS is just the tip of the iceberg; after 48 hours, we will switch to real cyber attacks,” clearly signaling an escalation path from nuisance-level disruptions to potentially more serious intrusions.

Following this ultimatum, Russian Legion and associated members, including personas known as Inteid and Cardinal, began publishing screenshots of Danish company websites that appeared to be taken offline or made inaccessible through Distributed Denial-of-Service (DDoS) attacks.

Denmark Faces Escalating Cyber Threat

These posts are being used as “proof” of action and as a psychological tool to amplify fear and uncertainty among Danish organizations and citizens.

Over the past 48 hours, the group has released multiple statements claiming that both Danish companies and public-sector organizations have been targeted, with particular emphasis on the energy sector.

According to their latest messaging, a “cyberattack” is scheduled to launch at 6 PM Moscow Time (4 PM Danish time) today, suggesting a coordinated wave of operations intended to coincide with peak attention and media coverage.

According to Truesec’s assessment, Russian Legion is likely state-aligned but not directly state-funded. This fits a broader pattern where Russian-linked hacktivist or proxy groups operate in support of geopolitical objectives, especially around the war in Ukraine.

Such groups typically blend influence operations with disruptive activity, using cyber sabotage and hacktivism to amplify narratives, intimidate populations, and undermine trust in public institutions.

Historically, these campaigns often start with loud public threats and relatively low-impact attacks such as DDoS, followed by promises of more damaging intrusions if political demands are not met.

Escalation in cyber warfare

While some operations have had real-world impact, particularly on public services and critical infrastructure, many campaigns remain primarily psychological.

Practical defensive measures include enforcing rate limiting, applying geo-blocking where appropriate, using Web Application Firewalls (WAF), and integrating specialized cloud-based DDoS mitigation services.

Truesec’s data indicates that in numerous cases, the threatened “next stage” of catastrophic attacks never fully materializes, especially when defenders act quickly and implement effective countermeasures.

In this context, Danish organizations are strongly advised to review and strengthen their DDoS protection.

Russian-aligned hacktivist groups rely heavily on DDoS as their primary weapon, amplified by easy access to powerful DDoS-for-hire (booter) services.

Ensuring robust monitoring, clear incident response procedures, and close coordination with national cybersecurity authorities will be critical to limiting operational disruption and reducing the psychological impact of this ongoing campaign.
