Cyber Incident Victim: Moneyweb
Date: Apr 2024
Location: South Africa
Summary
A financial news website experienced sporadic distributed denial-of-service (DDoS) attacks targeting two articles investigating a trading platform's alleged ties to fraudulent investment schemes misusing prominent business figures' identities. The attacks overwhelmed systems with over a billion requests, primarily directed at the specific articles, accompanied by extortion demands threatening continued disruption and domain closure unless the content was removed. The targeted organization's IT team successfully mitigated the attacks and refused compliance with the removal demands, while the trading platform denied involvement and referenced ongoing regulatory complaints regarding the disputed reporting.
Description
On April 1, 2024, Moneyweb experienced a distributed denial-of-service (DDoS) attack targeting two specific articles investigating Banxso's potential connections to fraudulent investment schemes falsely using the identities of prominent business figures including Johann Rupert, Elon Musk, and Nicky Oppenheimer. The initial attack commenced in the evening and lasted nearly 12 hours, followed by a second wave on April 2 lasting over 8 hours. Collectively, these attacks generated 1.015 billion malicious requests, with 93% (945 million requests) concentrated on the articles titled "Banxso – beneficiary or victim of ‘R4 800’ Musk and Rupert scams?" and "Banxso is still registering clients who click on fake ads." Moneyweb's IT team and service provider successfully mitigated both attacks by blocking the malicious traffic, preventing sustained disruption to the broader website operations.

On April 2, Moneyweb received an unsigned extortion email threatening continued attacks unless the articles were removed, stating: "We’ve just attacked your site and will keep it down until we get to an agreement." A follow-up email from "Joe Gryn" of the "Proton Netscape Team" escalated demands, threatening domain suspension within 72 hours if the articles remained online, falsely claiming involvement from "Netscape"—a defunct 1990s-era company with no active operations. The attackers asserted the domain would face irreversible closure unless compliance occurred, though Moneyweb confirmed no legitimate entity matching the threat actor’s claimed affiliation existed.

Banxso’s COO Manuel de Andrade categorically denied involvement in the attacks or extortion attempts, referencing an ongoing Press Council complaint against Moneyweb’s reporting while maintaining the company’s regulatory compliance as an FSCA-registered entity. Moneyweb refused all demands, publicly reaffirmed its reporting accuracy, and retained both articles. No data breaches, financial losses, or collateral damage beyond the DDoS disruptions were reported. The attackers ceased operations after failing to compel article removal, with no further incidents disclosed at the time of reporting.
