This article is more than 1 year old

ProtonMail pays ransom to end web tsunami – still gets washed offline

Paying Bitcoin ransom encourages more attacks, it seems

After a crushing distributed denial-of-service attack against its servers and ISPs, secure email service ProtonMail has paid the ransom demanded by its attackers.

The Swiss firm was promptly smashed offline again.

"We were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y," the firm said in a statement.

"We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom."

Judging from public notes attached to transactions between ProtonMail and whoever was holding it hostage, it is possible there appears to be more than one group trying to disable the encrypted email service. "Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack," reads one memo.

ProtonMail received a note from unknown criminals threatening to blast it off the internet just before midnight on November 2 unless a 15 BTC ($5,500 at time of writing) ransom was paid.

The webmail biz ignored the demand, and the next morning a 15-minute attack knocked its servers offline. A few hours later the assault resumed, this time with an "unprecedented level of sophistication," Team ProtonMail said.

The attackers went after the firm's upstream connectivity, dumping 100Gbps of packets on its ISP within a couple of hours. That onslaught left hundreds of companies in Switzerland and Germany without internet access, and these organizations put pressure on ProtonMail to pay the ransom.

Having forked out a few thousand bucks in Bitcoin on November 4 to end the waves of useless traffic, all went quiet – but not for long. Today, the website remains offline, submerged by unknown assailants.

A detailed analysis of the original attack shows two distinct phases. First, there was a standard DDoS attack against ProtonMail's IP addresses, but this was followed up by a sophisticated raid on the infrastructure supporting the firm.

ProtonMail said that the larger assault had the hallmarks of a state-sponsored attack, both in its complexity and in showing a willingness to cause large-scale damage to achieve its aims. However, it has provided no concrete proof of a nation state going after its servers.

ProtonMail said that its IT infrastructure can't handle any more floods of duff traffic, and is going to need an upgrade. The firm estimates that this will cost $100,000 and has launched a funding page that has already garnered over $25,000 in donations. ®

More about

More about

More about


Send us news

Other stories you might like