Armada Collective: DDoS Blackmailers Attack the Hosting Industry

  • Katrin Graewe
  • September 1, 2020


Armada Collective: DDoS Blackmailers Attack the Hosting Industry

Link11 is cautioning hosting providers to beware of a new wave of DDoS blackmail attacks by the Armada Collective. As recently as mid-August, attackers using the name Fancy Bear used DDoS attacks to put pressure on operators of critical infrastructure and financial services.

A fresh crop of blackmailers is now threatening companies in Europe with DDoS attacks. Hosting providers and data center operators in particular have received blackmail letters from a group called the Armada Collective. According to the Link11 Security Operations Center (LSOC), the threat to unprotected companies is real, as the perpetrators have already launched high-volume warning attacks at several Gbps. In exchange for a payment of 10 Bitcoins (98,000 Euro, as of 31.08.2020), they promise to stop the attacks against the IP addresses mentioned in the blackmailer’s mail. If payment is not received, they threaten to launch attacks of up to 2 Tbps in bandwidth.

DDoS blackmail is a global phenomenon

It was only in mid-August that the LSOC registered a global wave of DDoS blackmail attacks against operators of critical infrastructure, especially in the financial sector. The perpetrators called themselves “Fancy Bear”. The LSOC says it’s unclear whether Fancy Bear and Armada Collective are the same perpetrators. While the extortion letters differ in wording and the ransom amount, both senders use the same e-mail provider. The two groups have been linked to long-running DDoS attacks on the New Zealand Stock Exchange. They are also said to be responsible for blackmailing PayPal and MoneyGram.

Corona pandemic increases DDoS attack risk

Various groups claiming to be Armada Collective or Fancy Bear are using the names to make money. Some of them are professionals, others are just copycats. In light of the current incidents, the LSOC is emphasizing the concrete threat: the attacks, which are launched to show off the criminals’ technical attack capabilities, pose a grave threat to insufficiently protected companies. Link11 is advising blackmailed companies to take the situation seriously. They should quickly and decisively protect their IT infrastructure against DDoS attacks to avoid damage from online blackmailers.

Learn more about Link11 DDoS Mitigation

The danger posed by DDoS attacks has become even more acute because of the sharp increase in home-office work and telework during the Corona pandemic. Since many employees are now working full- or part-time in home offices, new digital targets have emerged. If, over the long term, employees stay at home everywhere and dial into their accustomed working environment via VPN servers, corporate IT will have new security challenges to deal with. Downtimes – for example, of VPN services – can cause large-scale production losses. Another wrinkle in the threat situation is that DDoS attacks can be used as a smokescreen for more extensive cyber-campaigns. Only recently, the car manufacturer Tesla was the target of a ransomware campaign that was successfully thwarted by the US law enforcement authorities. The accused admitted that they wanted to use a DDoS attack as a smokescreen tactic.

In the Link11 DDoS Report for the first half of 2020, Link11’s security experts summarize the new threats facing companies and their accelerated digital transformation plans in the era of Covid-19.

The Internet of Things: How Does it Work?
Public Cloud Services Increasingly Exploited to Supercharge DDoS Attacks: New Link11 Research
This site is registered on as a development site. Switch to a production site key to remove this banner.