
Cyber Incident Victim: Cursed Patriarch

Date: Oct 2021

Location: United States of America

Summary

A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, Kolab Now, and RiseUp, with attacks peaking at 50Gbps and 256Gbps. The threat actor, identifying as "Cursed Patriarch," demanded 0.06 BTC ransoms and threatened prolonged network outages if unpaid within three days; several providers publicly confirmed receiving threats but refused payment. The attacks were distinct from unrelated DDoS incidents affecting a UK VoIP provider and a gaming server company. This campaign highlights ongoing DDoS extortion activity, which has recently targeted internet service providers and financial entities globally using emerging botnets like Meris.


Description

Between October 21 and October 25, 2021, a coordinated distributed denial-of-service (DDoS) extortion campaign targeted at least eight email service providers specializing in privacy- and security-focused offerings. The affected companies included Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, Kolab Now, and RiseUp. Attacks commenced on October 21, with sustained DDoS activity persisting through the weekend and into the following Monday, causing prolonged service disruptions. Following the initial attacks, the threat actor, identifying as **Cursed Patriarch**, sent ransom emails demanding 0.06 Bitcoin (approximately $4,000 at the time) and gave targets three days to pay, threatening escalated network disruptions if the deadline passed. Posteo publicly confirmed receiving the threat on October 22 via a blog post, stating that it would not pay the ransom. Runbox and TheXYZ later corroborated receiving identical demands, with attacks peaking at 50Gbps and 256Gbps, respectively. After media exposure of the campaign, subsequent extortion emails included links to news coverage of the incidents.


The attacks exclusively impacted smaller email providers, with no evidence of collateral disruption to unrelated sectors. Cursed Patriarch’s campaign was distinct from contemporaneous DDoS incidents affecting UK VoIP provider Voipfone and gaming server host Sparked, which involved separate threat actors. While the full scope of victim compliance remains undisclosed, Posteo’s public refusal to pay is the documented example of a non-payment response. The incident highlighted ongoing DDoS extortion trends, coinciding with unrelated attacks leveraging the Meris botnet against ISPs and financial institutions in Russia, the UK, the US, and New Zealand during the same period. Beyond confirming attack volumes and ransom demands, the affected providers disclosed no technical mitigation details or post-incident forensic findings.
