Cyber Incident Victim: Proton Technologies AG
Date: Nov 2015
Location: Switzerland
Summary
A Swiss encrypted email service was hit by a sophisticated, multi-stage DDoS attack: an initial volumetric flood against its own infrastructure, followed by a technically more advanced second wave aimed at the upstream ISP's infrastructure rather than at the service itself. The provider paid a ransom of roughly $6,000 in Bitcoin to stop the attack, yet the flooding continued, and its ISP eventually had to isolate the provider's network to protect other customers, causing collateral downtime for hundreds of unrelated companies. Analysis pointed to two distinct attacker groups, the second with capabilities consistent with a state-sponsored actor. The incident exposed how dependent the service was on upstream infrastructure it did not control and led to a $100,000-per-year mitigation plan, funded through donations, to withstand attacks of similar scale and complexity.
Description
On November 3, 2015, ProtonMail, a Switzerland-based encrypted email provider, received an extortion email from a criminal group linked to a recent series of DDoS attacks against Swiss targets. Shortly after midnight, a 15-minute distributed denial-of-service attack hit ProtonMail's infrastructure. The following morning (November 4) the assault resumed at 11:00 AM with unprecedented sophistication, escalating to 100 gigabits per second by 2:00 PM. The volumetric flood initially targeted ProtonMail's own IP addresses, then expanded to the datacenter hosting them and to its upstream providers' routers in Zurich, Frankfurt, and other nodes. Because the flood was saturating shared infrastructure, ProtonMail's ISP disconnected ProtonMail's IP range to protect its other customers, which took hundreds of unrelated companies offline as collateral damage. Under sustained disruption, ProtonMail reluctantly paid a 15 bitcoin ransom (approximately $5,850) to stop the attack; the flooding continued regardless of the payment.

The attack then entered a second, technically distinct phase that targeted weaknesses in the ISP's own infrastructure rather than ProtonMail's hosts, a method not seen in the earlier Swiss DDoS incidents. Working with MELANI, the Swiss federal reporting and analysis centre for information assurance, ProtonMail assessed that this second stage showed capabilities suggestive of a state-sponsored actor and noted the attackers' evident willingness to cause widespread collateral damage. The two-phase attack kept ProtonMail offline for an extended period and showed that its infrastructure could not withstand large-scale, sophisticated assaults without upstream protection. In response, ProtonMail announced a $100,000-per-year mitigation plan built on specialized DDoS protection services, acknowledging that deployment would take time, and set up a defense fund to cover the cost through donations, citing the incident as evidence of a systemic threat to privacy services. No conclusive attribution was made for the second wave, though the involvement of more than one threat actor was suspected.
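The description above turns on two operational facts: the flood was large enough to saturate the ISP's shared infrastructure, and the ISP's response (withdrawing ProtonMail's whole IP range) took hundreds of unrelated customers down with it. The following added example, which is not code from the page or from ProtonMail, shows the decision a network operator faces at that point: it aggregates constructed flow records into per-destination bit rates, flags hosts over a volumetric threshold, and compares the blast radius of blackholing only the flooded /32s against withdrawing the entire range. All addresses, customer allocations, thresholds and the flow data are constructed for illustration.

```python
"""Added example (not from the incident page): per-destination volumetric
flood detection over constructed flow records, plus a comparison of the
collateral damage of two null-route choices. Every address, prefix and
threshold here is hypothetical."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (timestamp_sec, dst_ip, bytes).
# They stand in for sampled NetFlow/sFlow export; they are not data from 2015.
SAMPLE_FLOWS = [
    (0, "198.51.100.10", 1_250_000_000),   # 10 Gbit in one second toward host .10
    (0, "198.51.100.11", 625_000_000),     # 5 Gbit toward host .11
    (0, "198.51.100.200", 120_000),        # unrelated customer, normal traffic
    (1, "198.51.100.10", 2_500_000_000),   # flood ramps to 20 Gbit/s
    (1, "198.51.100.11", 1_250_000_000),   # 10 Gbit/s
    (1, "198.51.100.200", 98_000),
]

# Hypothetical customer allocations inside the ISP's /24.
CUSTOMER_PREFIXES = {
    "mail-provider": ipaddress.ip_network("198.51.100.0/28"),
    "customer-b": ipaddress.ip_network("198.51.100.128/26"),
    "customer-c": ipaddress.ip_network("198.51.100.192/26"),
}
ISP_RANGE = ipaddress.ip_network("198.51.100.0/24")


def peak_bps_per_dst(flows):
    """Return {dst_ip: peak bits per second} using 1-second buckets."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for ts, dst, nbytes in flows:
        per_sec[dst][ts] += nbytes * 8
    return {dst: max(buckets.values()) for dst, buckets in per_sec.items()}


def flooded_targets(flows, threshold_bps):
    """Destinations whose peak rate reaches the volumetric threshold."""
    return sorted(dst for dst, bps in peak_bps_per_dst(flows).items()
                  if bps >= threshold_bps)


def customers_in(prefix):
    """Customers whose allocation overlaps the prefix that would be null-routed."""
    return sorted(name for name, net in CUSTOMER_PREFIXES.items()
                  if net.overlaps(prefix))


def blackhole_plan(flows, threshold_bps):
    """Compare two responses: /32 blackholes on the flooded hosts only, versus
    withdrawing the whole ISP range (the response the incident describes)."""
    targets = flooded_targets(flows, threshold_bps)
    host_routes = [ipaddress.ip_network(f"{t}/32") for t in targets]
    hit_by_host_routes = set()
    for route in host_routes:
        hit_by_host_routes.update(customers_in(route))
    return {
        "targets": targets,
        "host_route_blackholes": [str(r) for r in host_routes],
        "customers_hit_by_host_routes": sorted(hit_by_host_routes),
        "customers_hit_by_range_withdrawal": customers_in(ISP_RANGE),
    }


if __name__ == "__main__":
    # Hypothetical 5 Gbit/s per-host threshold for declaring a volumetric flood.
    plan = blackhole_plan(SAMPLE_FLOWS, threshold_bps=5_000_000_000)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Two caveats follow directly from the incident. A /32 blackhole still takes the victim offline; it only limits who else goes down with it, so it is a containment step, not a mitigation, and the actual fix ProtonMail chose was paid upstream scrubbing capacity. And once the second wave moved from ProtonMail's hosts to the ISP's routers and datacenter, host-level null routes on the victim's addresses would have done nothing, which is why that phase was the more dangerous one.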
