{"id":651047,"date":"2026-05-31T10:00:41","date_gmt":"2026-05-31T08:00:41","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=651047"},"modified":"2026-05-31T10:14:44","modified_gmt":"2026-05-31T08:14:44","slug":"south-african-internet-company-hit-by-large-scale-ddos-attack","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/cloud-hosting\/651047-south-african-internet-company-hit-by-large-scale-ddos-attack.html","title":{"rendered":"South African Internet company hit by large-scale DDoS attack"},"content":{"rendered":"\n<p>South African hosting company Rackzar has notified customers that its network has been targeted by a distributed denial-of-service (DDoS) attack, causing connectivity problems to its servers.<\/p>\n\n\n\n<p>\u201cWe have identified a sophisticated and targeted attack with the sole intention of extortion,\u201d the company said on its system status page.<\/p>\n\n\n\n<p>\u201cWe have put measures in place to attempt to reduce the impact to your services and will continue working with our upstream partners to mitigate the attack.\u201d<\/p>\n\n\n\n<p>This is the second time in two weeks Rackzar has been targeted by large-scale DDoS attacks. The company told MyBroadband it was <a href=\"https:\/\/mybroadband.co.za\/news\/cloud-hosting\/648362-south-african-infrastructure-providers-wiped-off-the-internet-by-sustained-ddos-attacks.html\">hit in the previous wave<\/a> that caused severe disruptions in South Africa.<\/p>\n\n\n\n<p>In the week of 18 May 2026, several Internet infrastructure companies in South Africa were taken offline by massive DDoS attacks, with one peaking at 1Tbps and another at 675Gbps.<\/p>\n\n\n\n<p>Network Platforms, which suffered the attack that peaked at 675Gbps, revealed that it had received an extortion demand to make the DDoS stop.<\/p>\n\n\n\n<p>Rackzar has confirmed to MyBroadband that it received a similar ransom note and received another extortion demand for the current DDoS attack, although the attackers\u2019 name has changed.<\/p>\n\n\n\n<p>The notes from the previous attacks came from \u201cBlackMatter\u201d. This time, they are \u201cWhiteDwarf\u201d. It is unclear whether Rackzar is dealing with a copycat or if the attackers have changed their name.<\/p>\n\n\n\n<p>Rackzar told MyBroadband that it would only be able to provide detailed feedback about the attack once they had mitigated it.<\/p>\n\n\n\n<p>However, MyBroadband has seen the ransom note. It demanded a payment of 5 XMR (Monero), equivalent to about R30,500.<\/p>\n\n\n\n<p>Monero is a crypto asset which is not widely traded in South Africa. None of the major exchanges like VALR, Luno, and Binance offer markets for XMR.<\/p>\n\n\n\n<p>AltCoinTrader offers a listing for the asset, where it traded at around R6,450 at the time of publication. At Bitfinex, a major overseas exchange, XMR traded at around $373.<\/p>\n\n\n\n<p>Therefore, the extortionists were demanding the equivalent of between R30,500 and R32,250, depending on the exchange.<\/p>\n\n\n\n<p>\u201cThe attack is directed at our upstream network infrastructure and is causing intermittent packet loss and elevated latency for some customers,\u201d Rackzar told customers.<\/p>\n\n\n\n<p>\u201cWe are working closely with our upstream partners and internet exchange peers to identify, filter, and mitigate the malicious traffic as quickly as possible.\u201d<\/p>\n\n\n\n<p>Rackzar said customers may experience intermittent connectivity disruptions until the attack was fully mitigated.<\/p>\n\n\n\n<p>\u201cWe apologise for any inconvenience and will continue to provide updates as the situation develops.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">DDoS extortion<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"623\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/DDoS-attacks-South-Africa-31-May-2026-1200x623.jpg\" alt=\"\" class=\"wp-image-651049\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/DDoS-attacks-South-Africa-31-May-2026-1200x623.jpg 1200w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/DDoS-attacks-South-Africa-31-May-2026-600x312.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/DDoS-attacks-South-Africa-31-May-2026-768x399.jpg 768w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/DDoS-attacks-South-Africa-31-May-2026.jpg 1434w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption class=\"wp-element-caption\">Netscout Cyber Threat Horizon showing incoming attacks to South Africa on 31 May 2026<\/figcaption><\/figure>\n\n\n\n<p>Two weeks ago, MyBroadband reported that several hosting providers and other Internet infrastructure companies in South Africa were knocked offline due to sustained DDoS attacks.<\/p>\n\n\n\n<p>Prominent hosting company 1-Grid suffered an extended outage, which drew attention to the scale of attacks targeting web hosting companies in South Africa.<\/p>\n\n\n\n<p>A reliable industry source told MyBroadband that Host Africa, Diamatrix (known as Domains.co.za), and Liquid Intelligent Technologies had suffered attacks.<\/p>\n\n\n\n<p>Internet infrastructure company Network Platforms and longstanding webhosting provider Xneelo also soon reported attacks.<\/p>\n\n\n\n<p>That wave of attacks started on Sunday, 17 May, and <a href=\"https:\/\/mybroadband.co.za\/news\/internet\/648969-ddos-attacks-that-caused-internet-problems-in-south-africa-suddenly-stop.html\">had halted within three days<\/a>. Companies told MyBroadband that the attacks had stopped by Wednesday, 20 May.<\/p>\n\n\n\n<p>This was confirmed by the American network monitoring and DDoS mitigation company NetScout, which said its data also showed the attacks began to let up on Wednesday.<\/p>\n\n\n\n<p>BlackMatter\u2019s extortion note to companies promised the attacks would not stop for 14 days and demanded payment of 2.5 XMR at the time.<\/p>\n\n\n\n<p>That was half what WhiteDwarf is trying to extort from Rackzar in this latest wave of attacks. The two extortion notes are otherwise nearly identical.<\/p>\n\n\n\n<p>\u201cUnfortunately, you have become a target of WhiteDwarf, a massive DDoS attack has been launched on your networks (the attack will begin in 30 minutes after this letter),\u201d the new note stated.<\/p>\n\n\n\n<p>BlackMatter\u2019s original note from two weeks ago stated that the attacks would begin in 15 minutes. WhiteDwarf also changed the aggressive wording in BlackMatter\u2019s original note.<\/p>\n\n\n\n<p>\u201cYou have two ways \u2014 ignore, in which case the attacks will be stopped in 14 days, and your business will most likely be destroyed by then,\u201d the original note read.<\/p>\n\n\n\n<p>WhiteDwarf\u2019s note deletes the latter half of the sentence, no longer threatening the victim with the destruction of their business.<\/p>\n\n\n\n<p>\u201cCompensate us a small amount. We guarantee decency and complete anonymity on our part. After receiving the transfer, the attack will be stopped within 5 minutes, and you will never hear from us again.\u201d<\/p>\n\n\n\n<p>Cybersecurity experts have raised questions about the extortion demands, as the amounts seem too low relative to the cost of perpetrating the attack.<\/p>\n\n\n\n<p>Victims reported that the attackers used a combination of Carpet Bombing, IP Fragmentation, and DNS Amplification to overwhelm their networks with traffic.<\/p>\n\n\n\n<p>Experts said the relatively small amounts being demanded by the attackers do not make sense, given how costly it was to run such a large-scale DDoS attack for an extended period.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A South African hosting company has been targeted by extortionists with a large-scale distributed denial-of-service (DDoS) attack for the second time in two weeks.<\/p>\n","protected":false},"author":15,"featured_media":651050,"comment_status":"open","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,27],"tags":[105627,94581,105628],"class_list":["post-651047","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-hosting","category-security","tag-blackmatter","tag-rackzar","tag-whitedwarf"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/651047"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=651047"}],"version-history":[{"count":3,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/651047\/revisions"}],"predecessor-version":[{"id":651055,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/651047\/revisions\/651055"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/651050"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=651047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=651047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=651047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}