ProtonMail Pays Bitcoin Ransom to Stop DDoS Attacks

Encrypted email service provider ProtonMail recently and grudgingly gave in to a ransom demand of 15 bitcoin (approx $6000) to attackers who targeted the service with destructive Distributed Denial of Service (DDoS) attacks.

ProtonMail, an encrypted email service set up by CERN scientists in Geneva and researchers at MIT, has revealed crippling DDoS attacks to be the cause of a recent outage suffered by the crypto e-mail service provider. Two groups are believed to be behind the attacks, one of which began the cyber-strikes and put forth the ransom demand.

The website remains down at the time of publishing due to an overwhelming second attack leading to fears that the pro-encryption email service provider may be targeted by state-sponsored actors making for the second group who continued the attacks.

ProtonMail co-founder Andy Yen released updates through the email provider’s WordPress blog, revealing an initial attack that flooded the ProtonMail’s IP addresses. He confirmed the attacks spread to company’s datacenter in Switzerland while assuring users that the company’s core technology of end-to-end encryption remained untouched.

The datacenter where ProtonMail houses its servers also contained servers of other banks and tech companies, all of whom were affected. With increasing pressure from these companies including ProtonMail’s ISP itself, the company revealed it grudgingly transferred the sum of 15 BTC to the cybercriminal gang who used this Bitcoin address. However, things only got from bad to worse.

A timeline of events goes:

  • Just before midnight on November 3rd, ProtonMail received a blackmail e-mail from a cybercriminal group notorious for a recent string of DDoS attacks targeting installations in Switzerland.
  • A DDoS attack quickly followed the threat, lasting 15 minutes.
  • Another DDoS attack struck at 11 AM the next morning, at which point ProtonMail’s datacenter started mitigation techniques to stop the attack.
  • A few hours later at around 2 PM, the attackers targeted their efforts to directly attack the company’s ISP and the datacenter. The assault exceeded speeds of a 100Gbps, bringing down hundreds of companies including ProtonMail.
  • Left with little choice and mounting pressure from the affected companies and the ISP, ProtonMail gives in to the ransom demand of 15 bitcoins at 3:30 PM.
  • Despite the payment, the attacks continued to such an extent that it disrupted operations across the ISP’s entire network.

Yen revealed that the group responsible for the initial attacks that came with the ransom demand even wrote in to deny responsibility of the crippling second attack.

The bitcoin address used for the ransom demand also had several public notes to publicly deny their involvement in the second string of attacks.

We are not attacking ProtonMail! Our attack was small, directed at their IP only and lasted 15 minutes only!


We have no such power to crash data center and no reason to attack ProtonMail any more!

ProtonMail’s blog added:

The second attackers [are] exhibiting capabilities more commonly possessed by state-sponsored actors.

The service, primarily created to ensure secure communication and privacy to activists, whistleblowers, journalists, and dissidents among other vulnerable groups has — as a result of the crippling hacks — launched a GoFundMe campaign to secure funds that will be used to invest in better cybersecurity measures, solutions that will cost around $100,000 a year, ProtonMail confirmed.

Last modified: May 21, 2020 10:59 AM UTC

November 6, 2015 4:46 PM UTC
Posted in: Archive
Samburaj Das @sambdas

Samburaj is the Chief Editor of, one of the earliest and foremost publications covering blockchain, cryptocurrency, and financial technology news. He has authored over 2,000 articles for Reach him at Visit his LinkedIn profile here or his Muck Rack profile here.