Cyber Incident Victim: Fastmail
Date: Oct 2021
Location: United States of America
Summary
A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including Fastmail, causing prolonged outages. The attacks involved ransom demands of 0.06 BTC with threats of continued disruption if unpaid within three days, attributed to a group calling itself "Cursed Patriarch." Some attacks peaked at 256Gbps, severely impacting services. Several providers confirmed receiving threats but refused payment, publicly denouncing the extortion attempts. The campaign specifically affected smaller email services emphasizing security and privacy, distinguishing it from unrelated DDoS incidents targeting other industries. The threat actor referenced media coverage of their attacks in subsequent communications, indicating an awareness of public exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The DDoS attacks targeting Fastmail and seven other email providers began on October 21, 2021, as part of a coordinated extortion campaign by a threat actor identifying as the "Cursed Patriarch." The attacks continued through the weekend and into Monday, causing prolonged outages for privacy-focused email services including Runbox, Posteo, TheXYZ, Guerilla Mail, Mailfence, Kolab Now, and RiseUp. Attackers launched volumetric DDoS attacks against these companies before sending ransom demands via email. The extortion letters demanded payment of 0.06 Bitcoin (approximately $4,000 at the time) within three days, threatening continued network disruption for non-compliance. Runbox reported attack traffic peaking at 50Gbps, while TheXYZ experienced significantly larger attacks reaching 256Gbps.

Posteo became the first provider to publicly confirm the incident on October 22, stating it had received a threatening letter and ransom demand but would not pay. Following media coverage by The Record on October 25, Runbox and TheXYZ also acknowledged receiving identical ransom demands linked to the DDoS attacks. The attackers modified subsequent extortion emails to include a reference to The Record's article after their campaign became public. This campaign was confirmed as separate from contemporaneous DDoS attacks against UK VoIP provider Voipfone and gaming infrastructure company Sparked, which involved different threat actors. The incident highlighted ongoing DDoS extortion activity against internet service providers, with similar campaigns previously targeting organizations in Russia, the UK, US, and New Zealand using botnets like Meris.
