Thexyz and six other email service providers have recently been targeted with distributed denial of service (DDoS) attacks, in which an organized criminal group attempts to disrupt our network with a flood of traffic from a botnet. On the evening of Sunday, October 24th, we received a support ticket demanding payment of around $4,000 in Bitcoin (0.06 BTC) to avoid an attack. The message was sent through the encrypted email service ProtonMail and was signed by the Bitcoin extortion group calling itself the Cursed Patriarch.

DDoS from Cursed Patriarch

To begin with, we would like to make our stance clear. Thexyz does not respond to any extortion attempts, and will not pay these criminals under any circumstances.

We deal with DDoS attacks on a regular basis and have seen extortion attempts aimed at disrupting our network before, including a large attack from the Armada Collective in 2016. However, it is still possible that these ongoing attacks could cause some disruption for our users, as our site may suddenly become slower or be temporarily unavailable. We have posted an announcement on the matter as an advance warning, to provide as much information as possible on what to expect.

The email we received is pasted below. Less than 5 minutes after it arrived, a 150Gbps DDoS attack was directed at thexyz.com and webmail.thexyz.com. At around 6:55pm EST, the attackers began directly attacking the infrastructure of our data centers and upstream providers. This forced our ISP to null route our IP addresses, and our failover service kicked in. Within 5 minutes, our services were resolving again on our failover server, which is available to take over if there is trouble or a failure at our main datacenter. A few minutes later, our failover server was also hit with a flood of traffic exceeding 150Gbps. It soon became apparent that this was a coordinated attack against all of our IP addresses, intended to cause maximum disruption to our users and our network.

The attack was very well distributed, and we did not see a single IP range that could be blamed. From a small snippet of what our system was seeing, a handful of top hitters stood out, though each of these accounted for under 1% of the total IPs being used to perform the attack. Most of the IPs appeared to be US-based residential addresses.
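As an added illustration (this is not Thexyz's own tooling, and it runs on constructed sample flow lines rather than data from the attack), the following Python script shows the kind of source-concentration analysis behind the observation above: rank the top hitters by their share of the traffic, then aggregate by /16 to check whether any single range carries enough of the attack to be worth null-routing or filtering on its own. The target address and every source IP are placeholders from private and documentation ranges, and the 1% per-address and 5% per-prefix thresholds are arbitrary choices for the example.

```python
"""Source-concentration check for a suspected volumetric DDoS.

Given flow-style log lines (timestamp, source IP, destination IP, destination
port, bytes), answer the two questions an operator asks mid-attack: who are
the top hitters, and is any single address or prefix carrying enough of the
traffic to be worth null-routing or filtering on its own?
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Hashable, Iterable


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse 'ts src dst dport bytes' lines, skipping blank or malformed ones."""
    flows: list[Flow] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(parts[0], ipaddress.IPv4Address(parts[1]),
                              ipaddress.IPv4Address(parts[2]),
                              int(parts[3]), int(parts[4])))
        except ValueError:  # AddressValueError is a ValueError subclass
            continue
    return flows


def byte_share(flows: list[Flow], key: Callable[[Flow], Hashable]) -> dict:
    """Fraction of total bytes attributed to each bucket produced by key()."""
    total = sum(f.nbytes for f in flows)
    counts: Counter = Counter()
    for f in flows:
        counts[key(f)] += f.nbytes
    return {k: v / total for k, v in counts.items()} if total else {}


def top_hitters(flows: list[Flow], n: int = 5) -> list[tuple[ipaddress.IPv4Address, float]]:
    """The n source addresses sending the most bytes, with their traffic share."""
    shares = byte_share(flows, lambda f: f.src)
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)[:n]


def prefix_shares(flows: list[Flow], prefixlen: int = 16) -> dict[ipaddress.IPv4Network, float]:
    """Traffic share per /prefixlen, to spot a range worth blocking as a whole."""
    return byte_share(flows, lambda f: ipaddress.ip_network((int(f.src), prefixlen), strict=False))


def dominant_prefix(flows: list[Flow], prefixlen: int = 16) -> ipaddress.IPv4Network | None:
    """The /prefixlen carrying the largest share of traffic, or None if no flows."""
    shares = prefix_shares(flows, prefixlen)
    return max(shares, key=shares.get) if shares else None


def is_well_distributed(flows: list[Flow], per_ip: float = 0.01,
                        per_prefix: float = 0.05, prefixlen: int = 16) -> bool:
    """True when no single source IP nor /prefixlen range exceeds its threshold,
    i.e. blocking any one of them would barely dent the attack."""
    ip_max = max(byte_share(flows, lambda f: f.src).values(), default=0.0)
    pfx_max = max(prefix_shares(flows, prefixlen).values(), default=0.0)
    return ip_max < per_ip and pfx_max < per_prefix


TARGET = "203.0.113.10"  # documentation-range placeholder for the webmail host


def constructed_sample() -> list[str]:
    """Constructed log: 3000 distinct sources spread over 100 /16s (one flow each)
    plus three louder hosts. Every source is still a tiny slice of the whole."""
    lines = [f"2021-10-24T23:5{i % 10}:00Z 10.{i % 100}.{i // 100}.{i % 250 + 1} {TARGET} 443 1200"
             for i in range(3000)]
    for src, count in (("10.7.7.7", 20), ("10.8.8.8", 15), ("10.9.9.9", 10)):
        lines += [f"2021-10-24T23:59:00Z {src} {TARGET} 443 1200"] * count
    lines.append("garbage line that parse_flows must skip")
    return lines


def concentrated_sample() -> list[str]:
    """Same background plus 400 flows from 200 hosts in one /16: no single IP
    stands out, but the prefix does, which is the case where a range block helps."""
    lines = constructed_sample()
    lines += [f"2021-10-24T23:59:30Z 10.50.200.{k % 200 + 1} {TARGET} 443 1200" for k in range(400)]
    return lines


if __name__ == "__main__":
    for name, sample in (("distributed", constructed_sample()), ("concentrated", concentrated_sample())):
        flows = parse_flows(sample)
        print(f"{name}: {len(flows)} flows, {len({f.src for f in flows})} distinct sources")
        for ip, share in top_hitters(flows, 3):
            print(f"  top hitter {ip}: {share:.2%}")
        print(f"  dominant /16 {dominant_prefix(flows)}: {max(prefix_shares(flows).values()):.2%}")
        print(f"  well distributed: {is_well_distributed(flows)}")
```

The point of the two samples is the contrast: in the first, the loudest address carries roughly 0.66% of the bytes and the busiest /16 about 1.6%, so neither a host block nor a range block would help and only upstream scrubbing capacity does; in the second, the per-address view still looks flat while the /16 view exposes a range carrying over 12%, which is the situation where a prefix-level filter is worth the collateral risk.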

Once we enabled DDoS protection capable of mitigating larger, coordinated attacks like this one, we were able to get the null route on our IPs lifted. Upwards of 200GB of attack traffic was mitigated, and at its peak the attack totaled 256Gbps.

Why would someone attack Thexyz?

This was a very large attack, and our infrastructure could presently still be vulnerable to attacks of this magnitude, but we have a long-term solution that has already been put in place. Protecting against attacks of this sophistication requires service level agreements that include DoS defense provisions, because we also need to protect our upstream providers and data centers. There are significant costs to incur, since few service providers are able to fight off an attack of this size and sophistication. These solutions are expensive and take time to implement, but they are necessary, because it is clear that any privacy-first online service has powerful opponents.

It has also become apparent that Thexyz was not singled out in this attack. As The Record reports, these attacks “have targeted Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Kolab Now, and RiseUp–all small-time companies that provide privacy and security-centric email services.” All of these providers are under attack by the same extortionists.

Hi,

First, I believe that you don’t need this type of publicity and that we can solve this as peacefully as possible: https://therecord.media/ddos-attacks-hit-multiple-email-providers/

Right now, I will start 1-2 hours attack on your main page. It will not be hard as I don’t want to impact your business now. Just check your logs to see that I’m for real.

Pay me only 0.06 BTC to 3Jmu75PvTLTVeYjfQtn58Ff8vVagyVxHJA and I will never attack you again, I will never write to you again and nobody will ever know that you were attacked and that you have paid me.

I will wait until Wednesday, but if I’m not paid by Wednesday, total shut down is coming. Cheap protection will not help, my fee will increase, and if you refuse you will lose much more than that.

Pay 0.06 BTC now to prevent damage.

It’s nothing personal, I don’t hate you, I don’t want to harm your business, but this is the way I make money. You can judge me, say that I’m a bad person, but I have my reasons for doing this.

Best regards,
Cursed Patriarch

P.S. This is disposable email. Do not reply.

What is Thexyz doing to stop it?

By not paying these extortion demands, we reduce the incentive for organizing these types of attacks. Thexyz stands united with other independent email services that have pledged not to succumb to extortion threats. Our coordinated efforts against these criminals will render these attacks worthless to the culprits.

We are focused on working with our upstream network providers and data centers to enable controls capable of mitigating large DDoS attacks. This will help to ensure that attack traffic is blocked while legitimate traffic continues to get through at every stage of the network. We also have DoS defense provisions in place for mitigating various other DDoS scenarios, and we are prepared to adapt to whatever type of attack may come.

As can be seen on the blockchain, no payments have been made to the Bitcoin wallet address 3Jmu75PvTLTVeYjfQtn58Ff8vVagyVxHJA. We have also notified the Canadian Centre for Cyber Security (Cyber Centre), Canada’s authority on cyber security for dealing with cyberattacks, and we are working with relevant Canadian and international law enforcement to provide them with details of the attack.

What should I do?

If Thexyz Webmail should suddenly become slower or be temporarily unavailable over the next day or so, please follow the below tips:

  • Remember there is no cause for concern: the disruption is temporary, and the email service itself should not be affected. Your data remains safe and secure.
  • If you experience any issue accessing Thexyz Webmail, please wait or try opening one of our alternative Webmail Sites.
  • Visit us on Twitter @thexyz or our network status page to stay informed of any network disruptions.
  • Set up your email on a mobile device or email client so you can continue to access email if Webmail becomes temporarily unavailable.

We thank you for your patience and understanding while we fight to ensure your access to our services is uninterrupted and encourage customers to continue supporting small-tech, independent email services.