Can Someone Please Explain Whether Cloudflare Blackmailed Canonical?


TLDR

  • A 3.5 Tbps DDoS hit Canonical for ~20 hours on April 30; Canonical resolved it by moving security.ubuntu.com and archive.ubuntu.com behind Cloudflare, which also fronts the booter service (Beamed) used in the attack.

Key Takeaways

  • Beamed, a commercial Cloudflare-bypass DDoS-for-hire tool, is hosted on Cloudflare AS13335 infrastructure; both attacker and victim pay Cloudflare.
  • Canonical selectively migrated only the two apt repository endpoints to Cloudflare, leaving all other properties on its own AS41231 space, suggesting a targeted, minimal response.
  • Certificate transparency logs show apex certs for archive.ubuntu.com and security.ubuntu.com were issued by Let’s Encrypt on 27 February 2026, the same day the routing AS (AS39287) behind Beamed’s infrastructure was reassigned to Romanian entity Materialism s.r.l.
  • The AS39287 chain traces through Pirate Bay founders Peter Sunde (Flattr/Njalla) and Peter Kolmisoppi (ab stract ltd) before its February 2026 reassignment; Njalla’s parent 1337 Services LLC is also listed as a customer of Beamed’s registrar Immateriali.sm.
  • The author stops short of alleging a ransom payment but frames Beamed’s continued Cloudflare-hosted availability as a structural coercive mechanism.
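The "selective migration" claim above rests on a simple check: which of an operator's hostnames now resolve into Cloudflare address space, and which still resolve to the operator's own prefixes. The block below is an added example (not code from the article, Canonical or Cloudflare) that performs that classification offline. The prefix list is a subset of Cloudflare's published IPv4 ranges from https://www.cloudflare.com/ips-v4 as of writing and should be refreshed from that URL before use; the DNS answers are constructed sample data, not a live snapshot of Canonical's zones, and the function and variable names are the example's own.

```python
"""Classify hostnames as Cloudflare-fronted or origin-hosted by checking every
A record against Cloudflare's published IPv4 prefixes.

Added example; not from the original article. The resolver output in SAMPLE_DNS
is constructed, and the prefix list is a snapshot that must be refreshed.
"""
import ipaddress
import socket

# Subset of Cloudflare's published IPv4 prefixes (https://www.cloudflare.com/ips-v4).
# Assumption: this snapshot is current; re-fetch the list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed resolver output (hostname -> A records). These addresses are
# illustrative only and are not a recorded snapshot of the real zones.
SAMPLE_DNS = {
    "archive.ubuntu.com":  ["104.16.123.45", "172.64.140.2"],
    "security.ubuntu.com": ["104.16.123.46"],
    "launchpad.net":       ["185.125.190.10"],
    "ubuntu.com":          ["185.125.190.20", "185.125.190.21"],
    "cdn-test.example":    ["104.24.1.1", "185.125.190.30"],  # hypothetical split host
}


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address lies inside any published Cloudflare IPv4 prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(records: dict) -> dict:
    """Map each hostname to 'cloudflare' (all A records in Cloudflare space),
    'origin' (none are), or 'mixed' (some are; usually a partial cut-over)."""
    result = {}
    for host, ips in records.items():
        flags = {is_cloudflare_ip(ip) for ip in ips}
        if flags == {True}:
            result[host] = "cloudflare"
        elif flags == {False}:
            result[host] = "origin"
        else:
            result[host] = "mixed"
    return result


def fronted_subset(records: dict) -> list:
    """Hostnames that are entirely behind Cloudflare: the migrated set."""
    return sorted(h for h, c in classify(records).items() if c == "cloudflare")


def resolve_live(hosts) -> dict:
    """Optional live lookup via the system resolver (network access required).
    Not used by the offline run below."""
    return {h: socket.gethostbyname_ex(h)[2] for h in hosts}


if __name__ == "__main__":
    for host, cls in classify(SAMPLE_DNS).items():
        print(f"{host:22s} {cls}")
    print("migrated:", fronted_subset(SAMPLE_DNS))
```

Two caveats for a real run: Cloudflare also announces customer-owned (BYOIP) space from AS13335 that does not appear in the published prefix list, so a prefix match is a lower bound and an origin-ASN lookup on each address is the firmer test; and a hostname that CNAMEs into another Cloudflare-fronted name is still caught here because the final A records are what get checked.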

Hacker News Comment Review

  • Commenters largely rejected “blackmail” as the correct framing; the legal consensus leaned toward “extortion” at most, with several arguing Cloudflare bears no direct liability for hosting a booter’s marketing domain.
  • The more defensible critique, per discussion, is a conflict-of-interest or structural incentive problem: Cloudflare profits from both attack infrastructure and victim mitigation, without issuing any explicit demand.

Notable Comments

  • @amatecha: Argues CF’s architecture creates “blackmail as a service” structurally, protecting attacker and billing victim, without any explicit demand needed.
