The CIReN website has been under a sustained and escalating wave of distributed denial of services (DDOS) attacks since last Friday, December 5.
The attacks, sustained over five days so far, are aimed at bringing down the website by flooding it with artificial web traffic.
At one point, CIReN.cy received over 70.000 requests per second in a coordinated effort to crash the site. A total of over 250,000 IPs have been banned by Qurium, the Swedish nonprofit organisation that hosts and assists independent media outlets worldwide.
“Denial-of-service attacks are not merely technical disruptions; they are instruments of intimidation,” Qurium’s technical director Tord Lundstrom told CIReN. “By mobbing journalists off the network, they aim to coerce a change in editorial attitude, punish difficult reporting, and ultimately induce self-censorship—leaving the media both unprotected and silenced.”
Qurium’s investigation of “one of the worst attacks” on record revealed that the attackers are combining a number of infrastructures.
The first wave of attacks originated almost exclusively from residential and data-center proxies. One of the infrastructures used for the ensuing attacks belongs to FineProxy, a commercial proxy rental service with a history of abuse targeting independent media outlets.
FineProxy, which did not respond to requests for assistance or information from CIReN, is owned by Russian individuals via companies registered in Estonia and South Africa. The proxy’s servers, meanwhile, are hosted by providers in Finland and the US.
While the companies are not the perpetrators of the attack, their systems and services have repeatedly been used for cyber attacks against media, journalists and civil society organisations.
In 2023, a DDOS attack against Rappler, a leading independent news organisation in the Philippines, was partly carried out by FineProxy, according to Qurium’s investigation. FineProxy was also identified in an attack on exiled Azerbaijani media outlets in 2018 and 2020.
The real impact is in the amount of effort required to fend off the coordinated takedown attacks, according to Lundstrom.
“Resources that should be dedicated to investigate and report need to be reallocated to deal with the attacks, small and medium size media organizations are overwhelmed by such events,” he said.
Qurium confirmed they have been in contact with the companies used to carry out the cyber attacks since 2019, but have seen no mitigating behavior to address the continued threat.
It’s unclear who is behind the attacks on CIReN, which began hours after reporters reached out for comment to Cypriot lawyer Christos Christodoulides for a story that was published the same day the attacks began. (Christodoulides declined to comment when asked about the DDOS attacks.)
Media partner OCCRP, which co-published the story with CIReN, sustained a similar attack on Wednesday. Digital analyses from OCCRP and Qurium found the attacks were launched by the same perpetrators.