TL;DR: On February 17-18, 2026, Deutsche Bahn suffered a targeted distributed denial-of-service (DDoS) attack that took down bahn.de and the DB Navigator app for nearly 24 hours. The attack came "in waves" and Deutsche Bahn called the scale "considerable." Hundreds of thousands of German travelers couldn't check train schedules or book tickets. No group has claimed responsibility. Deutsche Bahn says customer data wasn't compromised, but declined to say whether attackers made contact or demanded anything. The attack fits a pattern: pro-Russian hacktivist groups like Killnet and NoName057(16) have repeatedly targeted European critical infrastructure since 2022.
What Happened
At 15:45 UTC on February 17, 2026, something started hammering Deutsche Bahn's servers [1].
The bahn.de website became unresponsive. The DB Navigator app (used by millions of Germans daily to check train times and buy tickets) stopped working. The booking and timetable systems went dark.
Deutsche Bahn acknowledged the attack within hours: "The current attack is specifically targeting DB and has been carried out in waves. The extent is considerable" [2].
"Considerable" is corporate-speak for "we're getting hammered."
By Tuesday evening, services were partially restored. Then Wednesday morning, the attack surged again. Full recovery didn't come until 13:00 UTC on February 18, nearly 24 hours after it started [3].
How DDoS Works
A distributed denial-of-service attack is conceptually simple: overwhelm a target with so many requests that legitimate users can't get through.
Attackers typically use botnets (networks of compromised computers, servers, and IoT devices) to generate massive traffic. A sophisticated DDoS can throw terabits per second at a target, more than most defenses can absorb.
Deutsche Bahn said their "defense mechanisms are working" and "countermeasures" were "effective in minimizing the impact" [1]. That's partially true: the trains kept running. But for customers, "minimizing impact" meant hours without booking capability during one of the busiest travel periods.
Who Did It?
Deutsche Bahn declined to speculate. The company told reporters it wouldn't comment on "the background of the attack" or "whether the perpetrators made contact" [1].
That last part is interesting. If attackers didn't make contact, this wasn't extortion. It was disruption for disruption's sake, or a message.
The obvious suspects: pro-Russian hacktivist groups like Killnet and NoName057(16). Since 2022, these groups have systematically targeted European critical infrastructure: airports, government websites, financial institutions, and yes, transportation systems [4].
Germany has been a frequent target. The country's support for Ukraine and recent military aid packages have made it a priority for Russian-aligned cyber operations.
But without attribution, we're speculating. It could also be:
- Cybercriminals testing defenses before a larger attack
- Hacktivists protesting German policies
- Someone with a grudge and access to a botnet
The German Federal Office for Information Security (BSI) is involved, but no public statements on attribution have been made [2].
Why This Matters
Deutsche Bahn isn't just a railway company. It's critical infrastructure serving 12 million passengers daily across Germany [5]. The state-owned operator runs:
- Long-distance ICE trains connecting major cities
- Regional rail networks
- S-Bahn commuter services in major urban areas
- Freight operations carrying goods across Europe
A 24-hour disruption to booking systems is annoying. A successful attack on operational systems (signaling, switches, safety controls) would be catastrophic.
This attack didn't touch train operations. Deutsche Bahn was clear about that. Trains ran normally [1]. But it demonstrated that attackers can reach Deutsche Bahn's customer-facing systems at scale.
The question isn't whether they can do worse. It's whether they will.
A Pattern of Attacks
This isn't isolated. European critical infrastructure has been under sustained cyber pressure:
- February 2026: UK water company Southern Water reports data breach
- January 2026: Multiple German city governments hit by ransomware
- December 2025: French hospital network knocked offline
- October 2025: Italian transport ministry website DDoSed during NATO summit
- 2024: Killnet attacks on European airports, banks, and government sites
The message is consistent: we can reach you. We can disrupt you. And the cost of defending everything, all the time, is enormous.
What Happens Next
Deutsche Bahn says it's strengthening defenses. BSI is investigating. The usual post-incident playbook.
But DDoS mitigation is an arms race. Attackers rent botnet time cheaply. Defenders spend millions on scrubbing centers and traffic analysis. Each attack teaches attackers where the gaps are.
The German government has been investing in critical infrastructure protection since 2022's Nord Stream pipeline sabotage and a separate attack that disrupted Deutsche Bahn's radio communications [4]. Whether those investments are enough remains unclear.
For travelers, the practical advice is simple: have backup plans. Paper tickets exist. Station displays work independently. And when the app is down, the old-fashioned way still functions.
For the rest of us watching critical infrastructure, this is another data point in a concerning trend. The systems modern life depends on (power, water, transport, healthcare) are all networked, all vulnerable, and all being probed constantly.
Deutsche Bahn got knocked offline for a day. The bigger question is what happens when someone decides to do more than probe.
References
- The Register - Deutsche Bahn back on track after DDoS yanks the brakes (February 18, 2026)
- The Local Germany - Deutsche Bahn's app and website hit by 'considerable' cyberattack (February 18, 2026)
- RailTech - Deutsche Bahn suffered targeted cyber attack (February 20, 2026)
- Security Affairs - Germany's rail operator Deutsche Bahn hit by a DDoS attack (February 2026)
- SC Media - Deutsche Bahn hit by major DDoS attack disrupting services (February 2026)
Published: February 26, 2026