Cyber Incident Victim: Balkan Investigative Reporting Network
Date:
Sep 2022
Location:
Greece
Summary
A cyberattack employing distributed denial-of-service (DDoS) techniques targeted the Balkan Investigative Reporting Network and its Greek media partner following their joint investigation into a Turkish businessman convicted of fraud who obtained honorary Greek citizenship through financial means. The assault overwhelmed servers with millions of global IP connections, temporarily rendering the primary website inaccessible over the weekend while the partner outlet remained offline for an extended period. The attackers specifically focused on disrupting access to the investigative report, which exposed how citizenship honors were allegedly commodified. A separate media outlet that previously reported on the same individual faced similar disruptive attacks after its publication.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 10, 2022, starting at 7:30 AM, the Balkan Investigative Reporting Network (BIRN) and its Greek partner outlet Solomon experienced sustained distributed denial-of-service (DDoS) attacks targeting their websites. The attacks overwhelmed BIRN’s infrastructure with approximately 35 million different IP connections from global sources, causing its flagship Balkan Insight site to become completely inaccessible at peak intensity. BIRN’s technical team detected the attack through server alarms and initiated defensive measures by 8:00 AM, engaging in what an IT security expert described as an unprecedented "fierce battle" to restore service. Although BIRN’s servers were not breached, the volumetric traffic surge specifically targeted a page hosting a joint investigation into Yasam Ayavefe, a Turkish businessman convicted of defrauding online gamblers in 2017. By Sunday evening, BIRN successfully repelled the attack, but Solomon’s website remained under active assault and was still offline as of Monday morning. Solomon confirmed via Twitter on Saturday that the outage resulted from a "massive DDoS attack," highlighting the operational disruption to their independent media platform.
The attacks coincided with BIRN and Solomon’s exposé revealing how Ayavefe, arrested in Greece in 2019 for using a false passport, obtained honorary Greek citizenship—a state honor allegedly commodified into a "golden visa scheme." This investigation followed earlier reporting by Greek outlet Inside Story, which had published findings about Ayavefe’s controversial citizenship in July 2022 and similarly suffered DDoS attacks afterward. The DDoS strategy aimed to suppress access to content critical of Ayavefe by flooding servers with traffic, a common tactic to incapacitate websites requiring significant recovery time. While BIRN mitigated the attack within two days, Solomon’s prolonged downtime demonstrated the asymmetric impact on smaller media entities. No data breaches or system compromises occurred, but the incidents underscored the targeting of investigative journalism revealing financial misconduct and exploitation of state honors. The attacks ceased after disrupting public access to the reports for approximately 48 hours at BIRN and longer at Solomon.