at least five Services at South African web hosting and network providers have been disrupted by massive distributed denial-of-service (DDoS) attacks since last Friday, with one provider demanding ransom in one of the incidents – raising fears that the country's internet infrastructure is being targeted in an extortion campaign.

Network Platform, 1-Grid and Zenilo have all reported significant attacks.

For the latest on this story, read: DDoS extortionists 'carpet bomb' South African internet hosts

Also read: Troubling questions over South African internet infrastructure attacks

The clearest indication of an extortion motive came from the network platform that was affected on Monday. The provider said the attack began at around 1.25pm ​​and grew rapidly, with inbound traffic exceeding 300Gbit/s. It describes a small-payload flood of junk network traffic targeted at multiple IP addresses, with the attackers changing targets throughout the network over time and attacking both its IP transit service and customers' networks.

Crucially, the network platform said it received ransom demands – and that neither it nor the affected customers had any connection to them or paid them. For this reason, she warned, there remains “a strong possibility” of renewed activity. As a precaution, the company has turned on DDoS scrubbing protection for every customer on its network, including those who had never subscribed to the service.

1-Grid, an SME-focused host, was also affected. The company, which says it serves more than 32,000 customers and hosts more than 77,000 websites, reported intermittent disruption from the massive attack on parts of its infrastructure, later confirming that the attack had been mitigated. 1-Grid did not mention any ransom demand.

hit xneelo

The most recent provider to be affected is XneeloOne of the largest hosting companies in the country. Early Tuesday, Xneelo reported a network outage that left the KonsoleH management system, web hosting, and e-mail hosting intermittently inaccessible.

By late morning, it had confirmed the massive DDoS attack and said it was treating the matter as a priority incident, with its status update still describing the situation as “under investigation” – an indication that the attack has not been fully mitigated.

It is not yet clear whether all three incidents are the work of the same attackers, and only the network platform has publicly linked its attack to extortion. But the clustering of large-scale attacks on local hosting providers, along with a confirmed ransom demand, fits the pattern of a ransom DDoS – or RDoS – campaign, in which attackers disrupt a target's services and demand payment to stop the disruption.

hacker

Hosting providers are attractive targets because a single successful attack can impact hundreds or thousands of downstream customers, causing both disruption and pressure to pay. DDoS extortion has become a recurring tactic globally, but a cluster of attacks on this scale against South African infrastructure in the same window is unusual.

For now, the disruption seems to be subsiding. But South Africa's hosting industry may face continued threats. — (c) 2026 NewsCentral Media

Get breaking news from TechCentral on WhatsApp. Sign up here.

Categorized in: