Turkey banking sector & .tr DNS DDoS attacks
A two-week Anonymous-claimed DDoS campaign knocked Turkish banks' online and card-payment systems offline and hit the NIC.tr DNS infrastructure with a 40 Gbps flood, disrupting roughly 400,000 .tr domains nationwide.
- Victim
- Turkish banks & NIC.tr (.tr DNS registry)
Between 14 and 25 December 2015, Turkey's financial sector and national internet backbone were hit by a sustained distributed-denial-of-service (DDoS) campaign that took online banking and card payments offline and degraded the country's .tr domain infrastructure for nearly a week.
What happened
The campaign opened with an attack on NIC.tr, the registry operated by Middle East Technical University (METU) that runs Turkey's .tr top-level domain. A flood peaking around 40 Gbps overwhelmed the authoritative DNS servers, intermittently knocking out resolution for a large share of the roughly 400,000 registered .tr domains — including bank, government, and commercial sites that could not be reached even when their own servers were healthy.
The attackers then turned to the banks directly. The websites and point-of-sale (POS) systems of state lender Ziraat Bankası and private banks İş Bankası and Garanti went partly offline, disrupting online banking and credit-card transactions for customers across the country. Türk Telekom confirmed it was defending against a "serious" and "heavy" attack.
Attribution and motive
Anonymous claimed responsibility, framing the campaign as retaliation for the Turkish government's alleged support of ISIS/Daesh. In a video released ahead of the attacks, the group warned: "If you don't stop supporting ISIS, we will continue attacking your internet, your root DNS, your banks and take your government sites down." The Turkish hacktivist collective RedHack also publicly celebrated the disruption.
Impact
- Online banking and POS card processing intermittently unavailable at three of Turkey's largest banks during the pre-holiday period.
- A large fraction of .tr domains affected by the DNS-layer attack, making it a rare strike on a country's core internet infrastructure rather than a single victim.
- No data was stolen and no ransom demanded — the goal was disruption and political signaling.
Why it matters
The December 2015 campaign is a textbook case of availability-targeting hacktivism against critical infrastructure. By attacking the .tr registry, the operators showed that hitting a single DNS chokepoint can ripple across an entire nation's banking, government, and commerce simultaneously. It pushed Turkey's banking regulator (BDDK) and the central bank to harden DDoS resilience requirements across the financial sector and remains the most significant infrastructure-level cyber disruption in modern Turkish history.
Timeline
Anonymous releases a video threatening sustained attacks on Turkey's internet, DNS, banks and government sites over Turkey's alleged support for ISIS.
NIC.tr — the registry running Turkey's .tr top-level domain — is hit by a sustained DDoS flood peaking around 40 Gbps.
Hundreds of thousands of .tr domains experience intermittent outages as the DNS infrastructure is overwhelmed for roughly a week.
Online banking and point-of-sale systems at Ziraat Bankası, İş Bankası and Garanti go partly offline; card transactions are disrupted.
Turkish authorities, including Türk Telekom and the transport/communications ministry, confirm a 'serious' attack and say defenses are holding.
Sources
- hackread.comhttps://www.hackread.com/anonymous-target-turkish-banks-disrupt-service/
- dailydot.comhttps://dailydot.com/layer8/turkey-bank-cyberattacks
- bankinfosecurity.comhttps://www.bankinfosecurity.com/ddos-a-8497
- gun.av.trhttps://gun.av.tr/insights/updates/the-recent-cyber-attacks-against-banks-in-turkey-the-legal-situation