A number of privacy-oriented email service providers have been targeted by distributed denial-of-service (DDoS) extortionists demanding payment in bitcoin.

Hushmail, ProtonMail and Runbox, among other services, were targeted by an entity calling itself the Armada Collective. The group was the subject of a warning from earlier this fall by the Swiss Governmental Computer Emergency Response Team, a national agency dedicated to cybersecurity issues.

Blog posts from the email providers indicate that the attacks took place between 3rd and 6th November. In the case of ProtonMail, the service paid the demanded ransom after being contacted on 3rd November, but despite the payment it was still targeted with DDoS attacks.

In a new blog post, ProtonMail said that it has “largely mitigated the DDoS attacks”. Forbes reported yesterday that some of those funds have since been returned to ProtonMail’s bitcoin address, and that it believes the follow-up attacks may have been from a different party.

Hushmail said that it experienced downtime on 5th and 6th November, and that it was refusing to pay the demanded payment. According to Runbox, an extortion demand was received on the 4th, with the downtime continuing through the 6th.

Affected email providers say they are working with law enforcement agencies, and at least one believes those behind it are starting to regret the action. ProtonMail founder Andy Yen told Forbes in an interview that the extortionists “know they are being hunted”.

Image via Shutterstock