a wave of Distributed denial-of-service (DDoS) attacks Impressing South African web hosts An extortion campaign deliberately carried out by a criminal group.
This is the view of Warwick Ward-CoxChief Technical Officer network platformA wholesale Internet service provider that supplies bandwidth and transit to other Internet and managed service providers.
More on this Developing story here
Because the network platform's customers are the hosting companies and ISPs themselves, the company has the clearest ideas about DDoS campaigns. Ward-Cox told TechCentral that the attacks actually began last Friday.
At its peak, he said, inbound attack traffic at one of the hosting companies reached 676Gbit/s – close to 700Gbit/s. This is more than all of South Africa's telecommunications infrastructure companies can handle.
Ward-Cox said three of Network Platform's hosting clients received ransom e-mails warning that a DDoS attack would begin within 15 minutes unless they opened a chat with the attackers to negotiate a delay.
The demand in each case was 2.5 Monero (XMR) – a privacy-focused cryptocurrency favored by criminals because it is difficult to trace – which is approximately R16 000, which is very low considering the chaos created by the attackers.
When Ward-Cox was asked whether the network platform had considered paying out the extortion money, she said, “Not a freak chance,” adding that her clients have taken the same approach.
'Black Matter'
Ward-Cox said the ransom e-mails identified the group as “Black Matter” and a similar message reached multiple customers.
He said the group appeared to have a history of similar campaigns overseas, typically attacking large hosting companies and ISPs for a few days before moving on. TechCentral could not independently verify the identity of the group; The name is reminiscent of an infamous but now reportedly shut down ransomware operation, although DDoS extortion teams regularly borrow well-known names.
The attacks were indiscriminate. Ward-Cox describes this technique as a “carpet bomb”: instead of attacking a single server, attackers use botnets and command-and-control infrastructure to flood each IP address of a client with a continuous stream of small data packets, then repeat the attack.
The network platform routes traffic from the attacked customers to a scrubbing service in London, where malicious traffic is filtered before sending clean traffic back to South Africa.
Hosting providers vulnerable to cyber attackers include 1-Grid and Xneelo. Domains.co.za and Liquid Intelligent Technologies were also reportedly targeted. — (c) 2026 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.