Cyber Incident Victim: VFEmail
Date: Nov 2015
Location: United States of America
Summary
The email service provider VFEmail received an extortion threat from a group identifying as Armada Collective, demanding payment of 5 Bitcoin to avoid a disruptive distributed denial-of-service (DDoS) attack targeting all its servers. The threat included a demonstration attack on a specific IP address to validate the group's capabilities and warned of escalating demands, permanent service disruption, and public encouragement for users to switch to competitors if the ransom went unpaid. The attackers claimed significant DDoS capacity exceeding 1 Tbps, framing the ransom as anonymous protection against infrastructure damage and reputational harm from prolonged outages.
Description
On November 4, 2015, VFEmail, a U.S.-based email service provider, publicly disclosed an extortion attempt by a group identifying itself as the "Armada Collective." The attackers sent a ransom demand via Bitmessage to VFEmail's administrative email address on November 3, 2015, threatening to launch distributed denial-of-service (DDoS) attacks against all VFEmail servers unless a payment of 5 Bitcoin (approximately $1,800 at the time) was sent to wallet address 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz within 24 hours. The message claimed a demonstration attack would occur against IP address 96.30.253.182—one of VFEmail's servers—lasting 15 minutes to validate their capabilities without causing significant disruption. The threat stipulated that failure to pay by Friday would trigger sustained attacks, with ransom demands escalating to 410 Bitcoin plus 5 Bitcoin daily increments during ongoing attacks. Attackers additionally threatened to publicly advise VFEmail users via social media to switch to competitors ProtonMail and Tutanota if unpaid. The communication explicitly warned against media disclosure, stating such actions would trigger immediate permanent attacks.

VFEmail's infrastructure analysis confirmed receipt of the threat through standard email filtering systems, with headers indicating origination from Bitmessage servers in Switzerland. The provider did not confirm whether the demonstration attack occurred as described. No evidence suggested VFEmail paid the ransom, with the company instead publishing the full extortion email and headers to a public blog. Operational impacts remained unverified, though the provider expressed concern about potential service disruption given its reliance on a 10Mbps connection and status as a regional ISP serving multiple customers. The disclosure highlighted broader security challenges, including the attackers' use of Tor and Bitmessage for anonymity, cross-border jurisdictional limitations, and concerns about collateral damage to interconnected networks. VFEmail indicated potential FBI engagement through an offhand reference to Milwaukee-based FBI customers but provided no confirmation of formal law enforcement reporting or intervention. The incident underscored vulnerabilities in small-to-midsize providers facing large-scale DDoS threats.
