Rackzar Hit by Repeat DDoS Attack as Extortionists Demand Monero Payment in Ongoing South African Cyber Assault Wave: South African hosting provider Rackzar is once again battling a major distributed denial-of-service (DDoS) attack, marking the second large-scale incident in less than two weeks. The ongoing cyber assault has caused intermittent connectivity disruptions for customers and placed significant strain on the company’s upstream network infrastructure as mitigation efforts continue.
The company confirmed that it has identified the attack as both sophisticated and targeted, with indications that the primary motivation is extortion. Rackzar stated that malicious actors are deliberately overwhelming its network links with high volumes of traffic, resulting in packet loss, increased latency, and periodic service instability for hosted websites and servers.
Despite deploying mitigation measures and working closely with upstream providers and internet exchange partners, the company warned that some customers may continue to experience performance issues until the attack is fully neutralized. Rackzar has assured users that it is actively filtering malicious traffic and scaling defensive systems in real time to reduce service impact.
This latest incident is part of a broader pattern of large-scale DDoS activity affecting internet infrastructure providers in South Africa. In the week of 18 May 2026, several companies in the sector were hit by massive attacks that caused widespread disruption. One of the incidents reportedly peaked at 1 terabit per second (Tbps), while another reached approximately 675 gigabits per second (Gbps), both large enough to overwhelm unprotected or partially mitigated networks.
In one of those earlier cases, Network Platforms confirmed that it had received an extortion demand linked to the attack, with threat actors attempting to coerce payment in exchange for stopping the traffic flood. Rackzar has now reported similar behavior in its own case, indicating that the same or related actors may be behind the ongoing wave of disruptions targeting South African hosting and network operators.
According to Rackzar, it has received ransom notes demanding payment in Monero (XMR), a privacy-focused cryptocurrency often used in cybercrime-related transactions due to its anonymity features. The attackers allegedly demanded 5 XMR, which is estimated to be worth between R30,000 and R32,000 depending on exchange rate fluctuations across different platforms.
Monero is not widely supported on major South African crypto exchanges, with platforms such as VALR, Luno, and Binance not offering direct trading pairs for the asset. However, alternative exchanges like AltCoinTrader have listed XMR, where it has traded at several thousand rand per coin. Internationally, prices on major exchanges have placed Monero significantly higher in dollar terms, highlighting the variability in valuation depending on liquidity and jurisdiction.
Rackzar has confirmed that the ransom notes reference different names compared to previous attacks. Earlier incidents were linked to a group calling itself “BlackMatter,” while the current wave refers to “WhiteDwarf.” Cybersecurity analysts suggest this could indicate either a rebranding effort by the same group or the emergence of copycat attackers attempting to exploit the situation for financial gain.
The company has emphasized that the attack is not a simple volume-based flood but appears to be carefully engineered to target upstream routing and bandwidth capacity. This type of attack can be more difficult to mitigate because it requires coordination between multiple network providers rather than filtering at a single point.
Rackzar has apologized for the inconvenience caused to customers and stated that it will provide a more detailed technical analysis once the situation is fully under control. For now, the company continues to prioritize stabilization of services and minimization of downtime while monitoring for additional waves of malicious traffic.
Industry observers note that the repeated targeting of South African infrastructure providers highlights a growing trend of extortion-driven DDoS campaigns, where attackers combine service disruption with ransom demands in an attempt to monetize network outages. As these attacks increase in scale and sophistication, providers are being forced to invest more heavily in upstream mitigation systems and global traffic scrubbing solutions.
Customers have been advised to expect intermittent disruptions until defenses fully absorb or reroute malicious traffic. Rackzar maintains that it is committed to restoring full stability as quickly as possible while cooperating with partners to trace and mitigate the source of the attacks. Who Owns Space Debris and Who Is Responsible for Cleaning It Up? | Maya
