Cyber Incident Victim: Posteo
Date: Oct 2021
Location: Germany
Summary
A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including Posteo, with prolonged outages caused by attacks peaking at up to 256Gbps. The threat actor, identifying as the Cursed Patriarch, demanded 0.06 BTC ransoms and threatened continued disruption if unpaid within three days. The company publicly refused payment, confirming receipt of the threat alongside providers like Runbox and TheXYZ. This campaign was distinct from simultaneous attacks on unrelated VoIP and gaming infrastructure. The incident reflects ongoing DDoS extortion activity, following recent botnet-driven attacks against ISPs and financial entities globally.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The incident began on October 21, 2021, when multiple privacy-focused email providers—including Posteo, Runbox, Fastmail, TheXYZ, Guerrilla Mail, Mailfence, Kolab Now, and RiseUp—faced distributed denial-of-service (DDoS) attacks. These attacks persisted through the weekend and into Monday, October 25, disrupting services for users of these platforms. A threat actor group identifying itself as the "Cursed Patriarch" executed the attacks as part of an extortion campaign. Following the initial DDoS disruptions, the targeted companies received ransom emails demanding payment of 0.06 Bitcoin (approximately $4,000 at the time), with a three-day deadline to comply. The attackers threatened to escalate network disruptions if payments were not made. Posteo publicly confirmed receiving the extortion demand in a blog post on October 22, explicitly stating that it refused to pay. Runbox and TheXYZ later corroborated similar experiences, disclosing attack peaks of 50Gbps and 256Gbps respectively in their own statements.

The coordinated campaign exclusively targeted smaller email services emphasizing privacy and security, with no evidence linking it to simultaneous DDoS incidents affecting UK VoIP provider Voipfone or gaming server provider Sparked, which involved separate threat actors. After media exposure of their campaign, the Cursed Patriarch group began including links to news coverage of their attacks in subsequent extortion emails. The attacks occurred amid broader DDoS extortion activity globally, including incidents against internet service providers and financial institutions in Russia, the UK, the US, and New Zealand during the preceding month. While the full duration of service disruptions for each provider was not detailed in available reports, the sustained multi-day attacks demonstrated the operational impact of large-scale DDoS campaigns against specialized email services reliant on consistent uptime.
