Cyber Incident Victim: Wordplay
Date: Aug 2020
Location: New Zealand
Summary
A criminal group conducted DDoS extortion attacks against multiple financial services, including the New Zealand stock exchange, MoneyGram, and payment processors, demanding Bitcoin ransoms to cease disruptions. The attackers, impersonating known threat actors, targeted critical infrastructure like API endpoints and DNS servers, causing severe operational outages such as multi-day trading halts. Their campaigns peaked at 200 Gb/sec and employed rapidly shifting attack methods to bypass defenses, demonstrating advanced capabilities in disrupting financial operations. Security experts advised against ransom payments, noting that the group had escalated beyond prior DDoS extortion schemes through precise infrastructure targeting.
Description
In late August 2020, a criminal group launched distributed denial-of-service (DDoS) extortion attacks against multiple financial services organizations globally. The attackers sent emails to targeted companies, posing under names such as Armada Collective and Fancy Bear, and threatened to cripple operations unless victims paid substantial Bitcoin ransoms. Among the confirmed targets were the New Zealand Stock Exchange (NZX), MoneyGram, YesBank India, Worldpay, PayPal, Braintree, and Venmo. The NZX experienced significant disruption, halting trading operations for three consecutive days starting around August 24 due to sustained attacks that overwhelmed its systems. This marked one of the most severe operational impacts publicly attributed to the campaign. The attackers focused on disrupting critical infrastructure components, including backend systems, API endpoints, and DNS servers, aiming to prolong service outages and increase pressure on victims to comply with ransom demands.

The campaign demonstrated advanced technical capabilities, with attack volumes peaking at 200 gigabits per second during August 2020. Attackers frequently altered their protocols and methods to bypass conventional mitigation measures, indicating a higher level of sophistication compared to previous DDoS extortion schemes observed since 2016. Security professionals and DDoS mitigation providers advised targeted organizations against paying ransoms, instead recommending immediate engagement with specialized response teams. While the attacks caused widespread operational interruptions, particularly in the financial sector, public reports did not confirm any victims fulfilling the Bitcoin demands. Concurrently, Europol announced the takedown of a major cybercrime operation around this period, though direct linkage to this specific extortion group remained unspecified in available reporting. The incident underscored persistent vulnerabilities in financial sector infrastructure to large-scale DDoS operations.
