Cyber Incident Victim: Neomailbox
Date: Nov 2015
Location: Switzerland
Summary
A secure email service provider, Neomailbox, was targeted alongside several other private email hosting companies in a coordinated DDoS-for-ransom campaign by extortion groups including The Armada Collective. Attackers threatened prolonged network disruption unless payments were made, with one provider experiencing multi-day outages due to advanced persistent denial-of-service attacks exceeding 100Gbps. While some demands were later withdrawn, the incidents highlighted escalating threats against critical communication infrastructure, particularly impacting services reliant on SMTP protocols. The campaign demonstrated attackers' ability to disrupt operations through high-volume, multi-vector assaults aimed at extorting victims.
Description
In late 2015, multiple secure email providers—including Neomailbox, ProtonMail, VFEmail, Hushmail, Fastmail, Zoho, and Runbox—faced coordinated DDoS-for-ransom attacks. Threat actors, notably a newly emerged group called The Armada Collective alongside established extortionists like DD4BC, sent threatening emails to these companies demanding payment under the threat of prolonged network disruption. The attackers exploited the providers’ operational vulnerabilities, particularly the high stakes of service continuity for platforms catering to privacy-conscious users. ProtonMail experienced the most severe impact, sustaining Advanced Persistent DoS (APDoS) assaults exceeding 100Gbps across multiple attack vectors, which forced its service offline for several days. Radware’s Emergency Response Team intervened to mitigate ProtonMail’s attacks and restore availability. Runbox reported an unusual reversal in its extortion case, with attackers withdrawing their ransom demand and issuing an apology shortly after the initial threats.

The campaign leveraged multi-vector attacks against SMTP infrastructure and other Layer 7 protocols, reflecting a broader trend of extortionists targeting communication services. While Neomailbox was confirmed among the affected providers, the article did not specify the duration of its outages, financial losses, or mitigation steps taken by its operators. The attackers’ tactics centered on psychological pressure, banking on providers’ fears of reputational damage and user attrition during extended downtime. Radware characterized the assaults as part of an escalating pattern of ransom-driven DDoS campaigns against critical internet services, urging heightened preparedness across email, SIP, and FTP infrastructures. No further technical specifics about Neomailbox’s incident response or operational recovery timeline were disclosed in the source material.
