DDoS extortionists ‘carpet bomb’ South African internet hosts

Posted on May 19, 2026
54
DDoS extortionists 'carpet bomb' South African internet hosts - Warwick Ward-Cox
Network Platforms chief technical officer Warwick Ward-Cox

A wave of distributed denial-of-service (DDoS) attacks hitting South African web hosts is a deliberate extortion campaign run by a criminal group.

That is according to Warwick Ward-Cox, chief technical officer at Network Platforms, a wholesale internet service provider that supplies bandwidth and transit to other internet and managed service providers.

More on this developing story here

Because Network Platforms’ customers are themselves hosting companies and ISPs, the company has had one of the clearest views of the DDoS campaign. Ward-Cox told TechCentral the attacks in fact started last Friday.

At its peak, he said, inbound attack traffic on one of the hosting companies reached 676Gbit/s – close to 700Gbit/s. That’s more than most if not all telecommunications infrastructure companies in South Africa can deal with.

Ward-Cox said three of Network Platforms’ hosting clients received ransom e-mails warning that a DDoS attack would begin within 15 minutes unless they opened a chat with the attackers to negotiate a delay.

The demand in each case was 2.5 monero (XMR) – a privacy-focused cryptocurrency favoured by criminals because it is difficult to trace – which is roughly R16 000, a pittance given the chaos the attackers have caused.

“Not a freaking chance,” Ward-Cox said when asked if Network Platforms had considered pay the extortion money, adding that its clients have taken the same line.

‘Black Matter’

Ward-Cox said the ransom e-mails identify the group as “Black Matter” and that an identical message reached multiple clients.

He said the group appeared to have a history of similar campaigns abroad, typically hitting large hosting companies and ISPs for a few days before moving on. TechCentral could not independently verify the group’s identity; the name echoes a notorious but now-reportedly-defunct ransomware operation, though DDoS extortion crews routinely borrow well-known names.

This e-mail demanding payment was sent to at least two South African web hosting companies
This e-mail, demanding payment, was sent to at least two South African web hosting companies

The attacks were indiscriminate. Ward-Cox described the technique as a “carpet bomb”: instead of hitting a single server, the attackers use botnets and command-and-control infrastructure to flood every IP address a client owns with a relentless stream of small data packets, then repeat.

Network Platforms routes traffic from attacked clients to a scrubbing service in London, where malicious traffic is filtered out before the clean traffic is handed back to South Africa.

Hosting providers that have been hit by the cyberattackers include 1-grid and Xneelo. Domains.co.za and Liquid Intelligent Technologies were also reportedly targeted.  — (c) 2026 NewsCentral Media

Get breaking news from TechCentral on WhatsApp. Sign up here.