Cyber Incident Victim: Venmo
Date: Aug 2020
Location: United States of America
Summary
A criminal gang conducted DDoS extortion attacks against multiple financial service providers, including Venmo, demanding Bitcoin payments in exchange for halting the attacks. The attackers, operating under names such as Armada Collective and Fancy Bear, targeted critical infrastructure such as backend systems, API endpoints, and DNS servers, causing prolonged outages that disrupted services like stock exchange trading for consecutive days. Their methods involved rapidly changing attack protocols and generating traffic peaks reaching 200 Gb/sec, demonstrating an advanced capability to overwhelm victim networks. Security professionals advised against ransom payments, emphasizing mitigation through expert intervention instead. The incident underscored the escalating threat to financial institutions from coordinated DDoS campaigns aimed at operational paralysis.
Description
In late August 2020, a criminal group launched distributed denial-of-service (DDoS) extortion attacks against multiple financial service providers, including Venmo, PayPal, Braintree, MoneyGram, Worldpay, and YesBank India. The attackers sent threatening emails to these organizations using aliases such as Armada Collective and Fancy Bear, demanding Bitcoin payments to avoid or halt sustained DDoS attacks. These attacks targeted critical infrastructure components including backend systems, API endpoints, and DNS servers, causing operational disruptions. The New Zealand Stock Exchange (NZX) experienced three consecutive days of halted trading beginning August 24 due to these attacks, marking one of the most severe public impacts. Attack volumes reached peaks of 200 gigabits per second during this campaign, with the group demonstrating advanced capabilities by frequently changing attack vectors and protocols to bypass defenses. This wave of attacks represented an escalation of DDoS extortion tactics first observed in 2016, with the current operators considered more sophisticated and destructive than previous groups due to their strategic targeting of essential financial infrastructure.

The attacks caused significant operational disruptions across targeted organizations, with NZX's extended trading suspension demonstrating the potential severity of the outages. Security professionals and DDoS mitigation providers advised victims against paying the ransom demands, instead recommending engagement with specialized security firms to implement protective measures. The incident highlighted vulnerabilities in financial sector infrastructure, particularly the disruptive potential of targeting the API endpoints and DNS systems that underpin digital payment platforms like Venmo and Braintree. While specific technical details of Venmo's operational impact were not disclosed, its inclusion among the targeted major payment processors indicated broad risk exposure across the financial services ecosystem. Europol's recent takedown of a significant hacking operation was noted as context for the evolving cybercrime landscape, though no direct connection to this specific extortion campaign was established in available reporting. The group's methodology reflected an ongoing evolution of DDoS-for-Bitcoin schemes, with an increased focus on maximizing disruption to pressure victims into compliance.
