
The sheer scale of the distributed denial-of-service (DDoS) attacks on South African internet infrastructure in recent days does not make sense considering the relatively small amounts the attackers are trying to extort.
A senior South African network security specialist, who asked for anonymity given the nature of his work, told TechCentral on Tuesday that the ransom of two-and-a-half monero – equating to about R16 000 at the time of writing – pales in comparison to the cost of mounting the attacks.
Sustaining the attacks – which peaked at over 600Gbit/s in the case of at least two hosting providers and which have run for hours at a time – is not a cheap exercise. Just one 300Gbit/s attack, according to the security specialist, would cost at least US$5 000 per target.
“A commodity criminal would chase the softest targets. Someone has picked the most consequential ones in this attack. The knock-on map through the ISP and reseller chains is exactly the dependency picture a hostile actor would want to validate,” said TechCentral’s source.
“If this had happened in the UK, the US or Australia, there would already be a government-level task team … actively assisting the affected centres, exchanging indicators of compromise with foreign counterparts and issuing public technical advisories within 24 hours.”
Mystery also surrounds the true identity of the perpetrators of the string of attacks, which began late last week and which have impacted 1-grid, Domains.co.za, Xneelo and Network Platforms, among others. The attackers identified themselves as BlackMatter in extortion e-mails to the affected companies, though it’s far from clear whether this is the group that’s really behind the attacks.
BlackMatter?
First coming into prominence in 2021, BlackMatter was a rebrand of DarkSide, a ransomware-as-a-service outfit that was active between 2020 and 2021.
“BlackMatter operates outside of a typical corporate-style entity. This ransomware gang is constantly staging its ‘death’ and ‘rebirth’ to shake off law enforcement attempting to track them,” said Jayson O’Reilly, MD at cybersecurity specialist CYBER1 Solutions.
There are other complicating factors that make BlackMatter difficult to pin down. According to O’Reilly, digital deception – the embedding of false flags to confuse forensic investigators – is part and parcel of BlackMatter code. He said the organisation is also thought to operate from “safe haven” jurisdictions, including Russia and the Commonwealth of Independent States, making physical contact nearly impossible.
“They also do financial transactions through cryptocurrencies like monero and highly obfuscated crypto mixing services. So, in a nutshell, they are playing the cat and mouse game and winning against authorities. This is what makes them successful,” said O’Reilly.

According to the American Cyber Defence Agency, BlackMatter actors have attacked numerous US-based organisations and have demanded ransom payments ranging from $80 000 to $15-million in bitcoin and monero.
The group attacking South African infrastructure companies in recent days demanded their extortion money be paid in monero – a nearly untraceable form of cryptocurrency. But the small amount of money being extorted from the South African companies remains the biggest puzzle, and does not fit with previous ransomware demands by BlackMatter.
The carpet bombing attack on South African infrastructure has had a wide impact on South African websites. Xneelo confirmed to TechCentral that its infrastructure was indeed hit by a DDoS attack but that disruption from upstream service providers also had an impact on end-user connectivity. 1-grid, meanwhile, said the attack speed exceeded 100Gbit/s on its network and targeted IP addresses across its entire network range.
System monitoring website Downdetector indicated reports of a disruption at subsea cable operator Seacom on Tuesday morning. Seacom confirmed that the disruption – which it described as temporary – was due to DDoS attacks on downstream service providers and not an attack on its own infrastructure. – © 2026 NewsCentral Media




