Cyber Incident Victim: Braintree
Date: Aug 2020
Location: New Zealand
Summary
A criminal group conducted DDoS extortion attacks against multiple financial service providers, including Braintree, by threatening to disrupt operations unless Bitcoin ransoms were paid. The attackers impersonated entities like Armada Collective and Fancy Bear, targeting critical infrastructure such as API endpoints and DNS servers to cause extended outages, with attack traffic peaking at 200 Gb/sec. Their sophisticated methods involved rapidly changing attack protocols, leading to significant operational disruptions—such as halted trading at a major stock exchange—across the targeted organizations. Security professionals advised against ransom payments, noting the group's escalated threat level compared to previous DDoS extortion campaigns.
Description
In late August 2020, a criminal group launched distributed denial-of-service (DDoS) extortion attacks against multiple financial service providers, including Braintree, a PayPal subsidiary specializing in payment processing. The attacks began around August 24, with the group targeting Braintree alongside MoneyGram, YesBank India, WorldPay, PayPal, and Venmo. Attackers sent threatening emails to these organizations using pseudonyms like Armada Collective and Fancy Bear, demanding Bitcoin payments to avoid crippling DDoS attacks. This campaign represented a resurgence of DDoS extortion tactics first observed in 2016, though with increased technical sophistication. The attackers focused on disrupting critical operational infrastructure, specifically targeting backend systems, API endpoints, and DNS servers to maximize service interruptions. Attack volumes peaked at 200 gigabits per second during this period, with the group demonstrating advanced capabilities by frequently modifying attack vectors and protocols to evade conventional mitigation measures.

The attacks caused significant operational disruptions, most notably forcing the New Zealand Stock Exchange (NZX) to halt trading for three consecutive days due to sustained DDoS bombardment. While Braintree's specific operational impacts weren't detailed in public reports, its inclusion among high-profile financial targets indicated the attackers' strategic focus on payment processors and financial infrastructure. Security analysts noted the group deliberately targeted systems that would prolong outages, increasing pressure on victims to pay ransoms. DDoS mitigation providers universally advised targeted organizations against paying extortion demands, instead recommending immediate engagement with specialized security firms to implement defensive measures. This incident occurred amid broader law enforcement actions against cybercriminal networks, including Europol's takedown of a major hacking operation shortly before these attacks, though no direct connection was established between these events. The campaign underscored the evolving threat of financially motivated DDoS attacks against critical financial sector infrastructure.
