RC RANDOM CHAOS
cybersecuritycloudopen-sourcepolicy

Cloudflare hosts the booter that took down Ubuntu — then sells Canonical the cure

· via Hacker News

Original source

Can someone please explain whether Cloudflare blackmailed Canonical?

Hacker News →

On 30 April 2026 a pro-Iranian group calling itself the Islamic Cyber Resistance in Iraq knocked Canonical’s public web infrastructure offline for roughly twenty hours, including ubuntu.com, the developer portal, and the security advisory APIs that downstream package managers depend on. The attackers used a rented stresser called Beamed, which openly markets itself as a Cloudflare-bypass service — pitching residential IP rotation and origin-hunting techniques against Under Attack Mode. Both Beamed’s marketing site and customer portal sit on Cloudflare AS13335, as does the paid Canonical customer relationship that eventually absorbed the traffic. The same provider fronted the weapon and billed the target for relief.

A paper trail behind Beamed leads through a UK shell registrar, Immaterialism Limited, whose directorship passed from a Costa Rican nominee to longtime activist Naomi Colvin, former director of the Courage Foundation. Its upstream autonomous system, AS39287, has been continuously routed since 2006 but has cycled through Flattr (Peter Sunde’s Cypriot vehicle), a Finnish ab stract ltd run by Pirate Bay co-founder Peter Kolmisoppi with Njalla nameservers, and as of 27 February 2026 a Romanian entity called Materialism s.r.l. Peering with Telia, GTT, GlobalConnect, and Voxility stayed identical across all three handoffs — only the nameplate changed.

The same day the AS reassignment landed, Let’s Encrypt issued fresh apex certificates for archive.ubuntu.com and security.ubuntu.com, with the pattern repeating over the next nine days for the cloud-mirror hostnames. Apex certs at those names are the precondition for putting the origin behind a CDN without breaking TLS — a preparation step, not an artifact of normal operations. The author stops short of calling it blackmail outright but lays out the structural coincidence: an attacker ecosystem hosted on Cloudflare, a victim driven onto Cloudflare, and a synchronized 27 February pivot nobody has explained.

Read the full article

Continue reading at Hacker News →

This is an AI-generated summary. Read the original for the full story.