Ransom DDoS Extortion Scam via Cryptocurrency
How criminals threaten businesses with a distributed denial-of-service attack unless a cryptocurrency ransom is paid, often without ever launching a real attack.
Part of: Ransom DDoS Extortion Scam
Last reviewed: 13 July 2026
Ransom DDoS (RDoS) extortion emails are sent to businesses, often targeting finance, e-commerce, and online service companies, threatening to flood the company's servers with junk traffic and take websites or APIs offline unless a ransom is paid. Payment is demanded almost exclusively in cryptocurrency, usually Bitcoin or Monero, because it can be sent across borders instantly and is difficult for investigators to trace back to an individual once mixed or moved through several wallets.
Many RDoS campaigns are pure bluff: the group has no intention or capability of carrying out a meaningful attack and is relying on the threat alone plus name recognition of well-known hacking group aliases to frighten smaller businesses into paying quickly. In cases where a demonstration attack is launched, it is typically brief and modest compared to what a sustained campaign could do, intended only to prove the threat is 'real' before the ransom deadline arrives.
How this scam works on Cryptocurrency
The extortion email arrives addressed to a company's general or security contact, naming a well-known or invented hacker group and specifying a ransom amount in a cryptocurrency to be sent to a wallet address by a stated deadline, often just a few days away. The email may reference the company's public IP ranges or domain to appear technically credible.
Some campaigns send a short 'demonstration' DDoS attack against the target's website before or shortly after the email, lasting minutes to an hour, to convince the recipient the threat is genuine and to increase pressure to pay before a larger, sustained attack allegedly begins. The ransom demand typically increases if the deadline passes without payment.
Because cryptocurrency wallets can be created instantly and abandoned after one payment, tracing the extortionist is difficult even when the wallet address is reported, and paying does not guarantee the group will not return with a second demand or sell the target's details to another group.
Common red flags
- An email threatens a DDoS attack against your company's infrastructure with a cryptocurrency ransom demand
- The message invokes a well-known hacker group name to add credibility without other proof of capability
- A short demonstration attack occurs around the same time as the email to pressure a fast decision
- The ransom is demanded in Bitcoin or Monero to a wallet address with a tight payment deadline
- The email threatens escalating ransom amounts if you do not pay by the deadline
- No specific, verifiable evidence of an ongoing or planned attack is provided beyond the threat itself
How to protect yourself
- Do not engage with the extortionist or pay the ransom — payment does not reliably prevent an attack and can mark you as a willing payer for future demands
- Notify your hosting provider, CDN, or DDoS mitigation service immediately so they can prepare or activate protection
- Preserve the extortion email and any attack logs as evidence for law enforcement and your provider
- Review and, if needed, upgrade your DDoS mitigation coverage (rate limiting, scrubbing services, CDN-level protection) proactively
- Notify your incident response team or IT provider and consider informing customers if service disruption is likely
- Consult your insurer if you carry cyber-insurance, as some policies cover extortion incident response costs
How to report it
- Report the extortion attempt to your national cybercrime authority (e.g., the FBI's IC3, the UK's NCSC/Action Fraud, or Australia's ACSC)
- Report the cryptocurrency wallet address to blockchain-analysis and abuse-reporting services
- Inform your hosting provider or DDoS mitigation vendor so they can assist with monitoring and defence
Frequently asked questions
Should we pay the ransom to avoid downtime?
Security agencies generally advise against paying. There is no guarantee the attackers will not attack anyway, demand more money later, or share your details with other extortion groups. Investing in DDoS mitigation is a more reliable defence than paying.
How can we tell if the threat is real or a bluff?
A short demonstration attack that briefly disrupts your service is a stronger signal of capability than an email alone, but even demonstration attacks can be minor and unrepresentative of what follows. Treat every threat seriously enough to activate mitigation regardless of how credible it appears.
If we already paid in cryptocurrency, can we get the funds back?
Cryptocurrency payments are very difficult to reverse once confirmed on the blockchain. Report the wallet address and transaction to law enforcement and blockchain-analysis firms; recovery may depend on the payment method and timing, but you should not count on getting the funds back.
Does paying guarantee the attack won't happen?
No. Numerous documented RDoS cases show groups attacking anyway after payment, or returning with a second demand once they know a target is willing to pay.
What should our incident response plan include for RDoS threats?
A plan should include immediate escalation to your hosting or mitigation provider, preservation of the threat email and any attack traffic logs, a decision-maker chain that does not default to paying, and a communication plan for customers if downtime occurs.