Cyber Incident Victim: Proton Technologies AG

Date:

Jun 2018

Location:

United Kingdom

Summary

ProtonMail experienced a prolonged distributed denial-of-service (DDoS) attack that delayed message delivery and intermittently disrupted its VPN service, with outages typically lasting minutes and the longest reaching approximately 10 minutes. The multi-vector assault peaked at 500 Gbps, combining UDP reflection attacks, TCP bursts, and SYN floods, and required extended mitigation by Radware's protection services. The Apophis Squad group claimed responsibility, framing the attack as retaliation after the company's CTO publicly criticized them, and subsequently launched a second TCP SYN flood attack peaking at 70 Gbps. The group, which also briefly targeted Tutanota, was advertising a DDoS booter service under development that offered multiple attack vectors, and denied being based in Russia despite reports placing it there.

Description

On June 27, 2018, ProtonMail notified users of a distributed denial-of-service (DDoS) attack disrupting its systems, causing email delivery delays and intermittent ProtonVPN service issues. The attack persisted for several hours, with service interruptions typically lasting minutes and the longest outage approximating 10 minutes. Operational recovery occurred approximately three hours after ProtonMail’s initial announcement. While ProtonMail frequently experienced DDoS incidents, the company characterized this attack as exceptional in scale and complexity. Security firm Radware, ProtonMail’s DDoS mitigation provider, reported difficulty containing the assault, which peaked at 500 gigabits per second (Gbps). Attack vectors included UDP reflection attacks, TCP bursts, and SYN floods. Combining vectors of this kind is a deliberate strategy: reflection traffic is volumetric and aims to saturate upstream bandwidth, whereas SYN floods aim to exhaust connection-state resources on servers and middleboxes, so a mitigation provider has to absorb raw volume and filter protocol-level abuse at the same time.

The Apophis Squad hacking group claimed responsibility for the attack, which also briefly targeted encrypted email provider Tutanota. The group, which was developing a commercial DDoS booter service advertised via Twitter and Discord, promoted capabilities including NTP, DNS, SSDP, Memcached, LDAP, HTTP, and CloudFlare bypass attacks. Though reportedly based in Russia, Apophis Squad denied this affiliation in communications with BleepingComputer. The group initially expressed no interest in targeting ProtonMail but escalated hostilities after ProtonMail Chief Technology Officer Bart Butler publicly dismissed them as "clowns" on Twitter. On June 28, Apophis Squad launched a follow-up TCP SYN flood attack against ProtonMail, peaking at 70 Gbps. The group asserted that its initial attack caused a 60-second service disruption, contradicting ProtonMail’s reported outage durations. Radware’s mitigation efforts ultimately restored service stability following both assault waves.
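The two vector families named in this description, UDP reflection from well-known amplifier services (NTP, DNS, SSDP, Memcached, LDAP) and TCP SYN floods, leave distinct fingerprints in flow telemetry. The following is an added example, not code from the page, Proton, or Radware, showing how a defender might classify flow records into those vectors. The record format, the thresholds (400 bytes per packet for amplified responses, 1,000 SYNs with under 10% follow-up ACKs for a flood) and all sample traffic are assumptions constructed for illustration; the addresses come from the RFC 5737 documentation ranges and are not traffic from the incident.

```python
# Added example (not code from the page, Proton, or Radware): classify constructed
# unidirectional flow records into the two vector families the page names, UDP
# reflection/amplification from well-known reflector services and TCP SYN floods.
# The record format and thresholds are assumptions chosen for illustration.
from collections import defaultdict
from dataclasses import dataclass

# Reflector services named on the page, keyed by the UDP source port their
# amplified responses arrive from at the victim.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 11211: "Memcached", 389: "LDAP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX-style, constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "udp" or "tcp"
    packets: int
    bytes: int
    tcp_flags: str = ""   # cumulative flags, e.g. "S" = SYN only, "A" = ACK set


def classify_reflection(flows, min_avg_bytes=400):
    """Attribute large UDP packets arriving from reflector ports to their victims.

    A reflection attack shows up at the victim as responses from many hosts on a
    service port the victim never queried; the per-packet size filter separates
    amplified payloads from the small replies a genuine client would receive.
    Returns {victim_ip: {service_name: packet_count}}.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS or f.packets == 0:
            continue
        if f.bytes / f.packets < min_avg_bytes:
            continue
        hits[f.dst_ip][REFLECTOR_PORTS[f.src_port]] += f.packets
    return {ip: dict(services) for ip, services in hits.items()}


def classify_syn_flood(flows, min_syn_packets=1000, max_ack_ratio=0.1):
    """Flag destinations receiving many SYN-only packets that are never followed up.

    Legitimate clients answer the SYN/ACK with an ACK, so ACK-bearing packets
    toward the destination stay comparable to its SYNs; a flood of (often
    spoofed) SYNs produces few ACKs. Returns {victim_ip: {"syn": n, "ack": m}}.
    """
    syn = defaultdict(int)
    ack = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.tcp_flags == "S":
            syn[f.dst_ip] += f.packets
        elif "A" in f.tcp_flags:
            ack[f.dst_ip] += f.packets
    return {
        ip: {"syn": n, "ack": ack[ip]}
        for ip, n in syn.items()
        if n >= min_syn_packets and ack[ip] / n < max_ack_ratio
    }


def summarize(flows):
    """Combine both classifiers into one per-victim list of observed vectors."""
    vectors = defaultdict(list)
    for ip, services in classify_reflection(flows).items():
        vectors[ip].extend(f"UDP reflection/{name}" for name in sorted(services))
    for ip in classify_syn_flood(flows):
        vectors[ip].append("TCP SYN flood")
    return dict(vectors)


# Constructed sample records using documentation address ranges (RFC 5737);
# they are not traffic from the incident.
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = [
    # Amplified NTP responses from three reflectors, ~480 bytes per packet.
    Flow("198.51.100.1", 123, VICTIM, 40001, "udp", 5000, 2_400_000),
    Flow("198.51.100.2", 123, VICTIM, 40002, "udp", 5000, 2_400_000),
    Flow("198.51.100.3", 123, VICTIM, 40003, "udp", 5000, 2_400_000),
    # Memcached reflection, ~1400 bytes per packet.
    Flow("198.51.100.9", 11211, VICTIM, 40010, "udp", 2000, 2_800_000),
    # A single ordinary DNS reply (small): filtered out by the size check.
    Flow("198.51.100.53", 53, VICTIM, 50123, "udp", 1, 120),
    # SYN flood from spoofed sources toward port 443, with almost no ACKs.
    Flow("192.0.2.11", 1025, VICTIM, 443, "tcp", 1500, 60_000, "S"),
    Flow("192.0.2.12", 1026, VICTIM, 443, "tcp", 1500, 60_000, "S"),
    Flow("192.0.2.13", 1027, VICTIM, 443, "tcp", 1500, 60_000, "S"),
    Flow("192.0.2.14", 1028, VICTIM, 443, "tcp", 1500, 60_000, "S"),
    Flow("192.0.2.200", 3000, VICTIM, 443, "tcp", 50, 3_000, "A"),
    # Healthy TCP traffic to a second host: few SYNs, plenty of ACKs.
    Flow("192.0.2.50", 4000, "203.0.113.20", 443, "tcp", 200, 12_000, "S"),
    Flow("192.0.2.50", 4000, "203.0.113.20", 443, "tcp", 3000, 900_000, "A"),
]

if __name__ == "__main__":
    for ip, vectors in summarize(SAMPLE_FLOWS).items():
        print(ip, "->", ", ".join(vectors))
```

Running the block lists the victim host with both the reflection services and the SYN flood, while the second host with a normal SYN-to-ACK ratio is not flagged. In practice the per-packet size and ACK-ratio cut-offs would be tuned against a baseline of the network's own traffic, and an operator would also check that the flagged UDP responses have no matching outbound queries, which is the definitive sign of reflection.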
