Cyber Incident Victim: YES Bank
Date:
Aug 2020
Location:
India
Summary
A criminal group launched DDoS extortion attacks against YES Bank India and multiple other financial service providers, demanding Bitcoin payments to halt disruptions aimed at critical backend infrastructure, API endpoints, and DNS servers. The attackers, who claimed to be Armada Collective and Fancy Bear (names borrowed for intimidation rather than evidence of those groups' involvement), rotated attack protocols rapidly and reached peak traffic volumes of 200 Gb/s, causing prolonged operational outages, including a multi-day trading halt at one affected exchange. Mitigation experts characterized the campaign as more sophisticated than previous efforts, noting the group's focus on crippling financial services through sustained infrastructure targeting, and advised victims against paying the ransom.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In late August 2020, YES Bank India was targeted by a criminal gang conducting distributed denial-of-service (DDoS) extortion attacks against multiple financial institutions. The attackers, who presented themselves as Armada Collective and Fancy Bear, sent emails threatening to cripple victims' online operations unless Bitcoin ransom payments were made. The same campaign hit several prominent financial service providers, including MoneyGram, Worldpay, PayPal's subsidiaries Braintree and Venmo, and the New Zealand Stock Exchange (NZX), alongside YES Bank. The group used high-volume DDoS attacks peaking at 200 gigabits per second and frequently switched attack protocols to evade mitigation that had been tuned to the previous vector. Their tactics focused on disrupting critical backend infrastructure, in particular API endpoints and DNS servers, because degrading those shared dependencies paralyses many customer-facing services at once. The attacks were an escalation of the DDoS extortion schemes first observed in 2016, with this group showing greater technical sophistication through adaptive attack patterns and deliberate infrastructure targeting.
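The behaviour described above (a volumetric surge against one backend target that then switches protocol) is something defenders can spot in their own flow telemetry before a mitigation provider is engaged. The following is an added example written for this page, not code from the original write-up or from any of the organisations named in it. It aggregates flow records per protocol and destination into fixed time buckets, compares each bucket against a rolling baseline, and reports when the dominant protocol against a flagged target changes between attack buckets. The flow records, the `api.example.test` target label, the bucket size, baseline length and 10x multiplier are all constructed assumptions for the illustration.

```python
"""Detect a protocol-rotating volumetric DDoS from flow records.

Added illustration for this page; not the incident's real telemetry.
All flows, target names and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    proto: str   # e.g. "udp", "tcp", "tcp-syn"
    dst: str     # destination service label (constructed)
    bytes: int   # payload bytes observed for this record


def bucket_rates(flows, bucket=60):
    """Aggregate bytes per (bucket_start, proto, dst) and convert to bits/s."""
    agg = defaultdict(int)
    for f in flows:
        agg[(f.ts // bucket * bucket, f.proto, f.dst)] += f.bytes
    return {k: v * 8 / bucket for k, v in agg.items()}


def detect(flows, bucket=60, baseline_buckets=3, multiplier=10.0):
    """Flag buckets whose total bps to a target exceeds multiplier x the mean
    of the previous baseline_buckets clean buckets, and mark a protocol shift
    when the dominant protocol differs from the previous flagged bucket.
    Flagged buckets are excluded from the baseline so attack traffic does not
    raise the bar for detecting the next vector."""
    rates = bucket_rates(flows, bucket)
    targets = sorted({dst for (_, _, dst) in rates})
    buckets = sorted({b for (b, _, _) in rates})
    alerts = []
    for dst in targets:
        history = []        # bps of clean buckets for this target
        last_proto = None   # dominant protocol of the last flagged bucket
        for b in buckets:
            per_proto = {p: r for (bb, p, d), r in rates.items()
                         if bb == b and d == dst}
            total = sum(per_proto.values())
            if len(history) >= baseline_buckets:
                base = sum(history[-baseline_buckets:]) / baseline_buckets
                if base > 0 and total > multiplier * base:
                    top = max(per_proto, key=per_proto.get)
                    alerts.append({
                        "t": b, "dst": dst, "bps": total, "proto": top,
                        "protocol_shift": last_proto is not None and top != last_proto,
                    })
                    last_proto = top
                    continue
            history.append(total)
    return alerts


def sample_flows():
    """Constructed flows: three clean minutes, then a UDP surge, then a
    SYN flood against the same API target."""
    flows = []
    for t in (0, 60, 120):
        flows.append(Flow(t, "tcp", "api.example.test", 5_000_000))
        flows.append(Flow(t, "udp", "api.example.test", 1_000_000))
    flows.append(Flow(180, "udp", "api.example.test", 900_000_000))
    flows.append(Flow(180, "tcp", "api.example.test", 5_000_000))
    flows.append(Flow(240, "tcp-syn", "api.example.test", 700_000_000))
    flows.append(Flow(240, "tcp", "api.example.test", 5_000_000))
    return flows


if __name__ == "__main__":
    for a in detect(sample_flows()):
        print(f"{a['t']:>4}s {a['dst']} {a['bps']/1e6:8.1f} Mb/s "
              f"dominant={a['proto']} shift={a['protocol_shift']}")
```

The per-destination view matters more than a site-wide counter here: an attacker rotating from UDP amplification to a SYN flood against the same API or DNS host may keep the aggregate edge volume roughly flat while defeating a filter written for the first vector, so the protocol-shift flag is what tells the on-call engineer that the mitigation needs re-tuning rather than that the attack has stopped.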

The New Zealand Stock Exchange suffered the most visible disruption, halting trading for three consecutive days under sustained attack. The source article did not specify YES Bank's own downtime, but the coordinated campaign exposed a shared weakness across financial networks: the DNS and API layers that many services depend on. Attackers demanded cryptocurrency payments to stop the attacks, while DDoS mitigation providers consistently advised against paying, since payment neither guarantees relief nor deters follow-up demands, and urged victims to engage professional mitigation services instead. The incident occurred amid broader law enforcement actions against cybercriminal networks, including Europol's takedown of a major hacking ring around the same period. Financial institutions faced mounting pressure to harden network defences against increasingly aggressive DDoS tactics aimed at economic stability. The attacks underscored an evolving threat landscape in which criminal groups weaponize network disruption to extort critical financial infrastructure.
