
Cyber Incident Victim: MoneyGram

Date:

Aug 2020

Location:

United States of America

Summary

A criminal group conducted DDoS extortion attacks against financial services providers including MoneyGram, demanding Bitcoin payments to stop attacks that disrupted operations. The attackers, posing as groups such as Armada Collective and Fancy Bear, targeted critical infrastructure such as API endpoints and DNS servers, causing extended outages and forcing trading halts at one exchange. Attacks peaked at 200 Gb/sec and switched methods rapidly, demonstrating advanced capabilities. Mitigation experts advised against paying ransoms and emphasized a professional security response instead.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 2 actors

Type: Available to members

Location: Available to members

Description

In mid-August 2020, MoneyGram was targeted by a coordinated DDoS extortion campaign alongside other prominent financial service providers including the New Zealand Stock Exchange (NZX), Braintree, Venmo, PayPal, Worldpay, and YesBank India. The attacks began with threatening emails sent under aliases such as Armada Collective and Fancy Bear, demanding Bitcoin payments to avoid crippling distributed denial-of-service attacks. The criminal group then executed high-volume DDoS attacks peaking at 200 gigabits per second, specifically targeting critical infrastructure components such as backend systems, API endpoints, and DNS servers to maximize operational disruption. These attacks represented an escalation from earlier DDoS extortion schemes first observed in 2016, with the attackers demonstrating advanced capabilities through rapid protocol switching and sustained attack durations. NZX experienced disruption severe enough to halt trading for three consecutive days, though the specific duration of MoneyGram's service interruptions was not detailed in public reports. Security analysts noted that the campaign's focus on financial sector victims coincided with increased exposure resulting from pandemic-related dependence on digital services.


The attacks caused significant operational disruptions across the targeted organizations, with NZX's multi-day trading suspension being the most publicly visible impact. While MoneyGram's specific downtime was not quantified, its inclusion among the primary targets, combined with the attackers' infrastructure-focused methodology, suggested substantial potential for service degradation. DDoS mitigation providers confirmed the group's technical sophistication in bypassing conventional defenses through adaptive attack vectors. The industry response centered on coordinated defense strategies, with cybersecurity firms advising targeted organizations against ransom payments while reinforcing network resilience measures. Law enforcement collaboration was referenced through Europol's contemporaneous disruption of a major cybercriminal operation, though no direct connection to this specific extortion group was confirmed. The incident underscored systemic weaknesses in financial sector digital infrastructure, particularly third-party API dependencies and DNS configurations, which the attackers exploited to prolong outages.

Sources
Sources available to members
1 source