Last Updated on June 2, 2026 by Arnav Sharma
In the space of nine days, Australian organisations absorbed three significant cybersecurity incidents: a terabit-scale DDoS attack that took down the country’s largest privately owned web hosting provider, a ransomware extortion operation targeting a NSW video security distributor, and a double-breach of a major cultural institution’s customer database via a third-party ticketing platform. Together, these cyberattacks are not outliers. They reflect structural weaknesses that threat actors are actively exploiting across Australian networks, and they carry direct implications for every security architect, CISO, and cloud engineer responsible for Australian infrastructure.
For Australians using hosted websites, online services, or ticketing platforms, these incidents were not abstract. Websites went dark, personal data moved onto dark web forums, and phishing scam messages landed in customer inboxes. For Australian businesses operating those services, the consequences include reputational damage, regulatory obligations, and incident response costs that arrive without warning.
This analysis covers each incident in detail: who the attackers were, how the attacks were executed, what data was compromised, how affected organisations responded, what government agencies did, and what defensive controls Australian organisations can implement now to prepare for and potentially reduce their impact.
Three Incidents That Define Australia's DDoS and Ransomware Landscape in 2026
These three incidents are not isolated. The ASD’s Annual Cyber Threat Report 2024-25 documented a 280% surge in DDoS attacks and a 23% increase in ransomware notifications across the reporting period. The ACSC responded to over 1,200 cybersecurity incidents in that year alone. Cybercriminals and hacktivists together account for a growing share of that caseload, with cybercriminal groups like Stormous and botnet operators specifically targeting Australian organisations to monetise access and stolen data. What makes late May 2026 significant is that two distinct attack classes, denial-of-service and ransomware extortion, struck Australian organisations within days of each other, with a separate data breach via a third-party vendor compounding exposure in between.
Understanding each incident at a technical level matters because generic summaries of cyber threats do not give security teams the context to prioritise controls. Cyber resilience requires knowing specifically how each attack class works, not just that it occurred. The sections below provide that context.
VentraIP DDoS: Australia’s Largest Hosting Provider Taken Down by Its Own Network
Attack Scale and Mechanism
At approximately 10:30 AEST on Saturday 23 May 2026, VentraIP, Australia’s largest privately owned web host and domain registrar, confirmed it had identified an ongoing DDoS attack. From that point until around 17:38 AEST, when the company reported tentative mitigation, customers experienced a partial or complete loss of access to their websites, email services, and hosted applications. The incident was not fully resolved until 09:12 AEST on 26 May.
VentraIP services 300,000 customers across domain registration, shared hosting, SSL certificates, and virtual servers. The company’s post-incident report put the attack volume in excess of 600Gbps. The scale was sufficient to take two major telco providers, used by VentraIP for data transit, completely offline, while simultaneously saturating all of VentraIP’s own peering links. In 18 years of operation, VentraIP said it had never seen an attack of this size or scale.
The critical finding from VentraIP’s post-incident analysis: the majority of attack traffic originated from compromised devices on Australian home NBN connections, not from offshore servers. This changes the threat model entirely. Traditional DDoS attacks originate from compromised cloud servers, which hosting providers and upstream telcos can profile and block through established outbound detection controls. Traffic originating from millions of residential IP addresses, spread across every NBN point of presence in the country, does not fit that profile. Standard scrubbing infrastructure was not dimensioned for it.
Cheyne Jonstone, co-founder of VentraIP parent company Nexigen Digital, identified the structural amplifier clearly: NBN’s fibre and fixed wireless services provide far higher upload capacity than the ADSL and VDSL copper connections they replaced. The same botnet that could generate a manageable attack volume on copper can produce roughly fifty times the traffic on NBN. Vaughan Shanks, CEO of Melbourne-based incident response vendor Cydarm Technologies, assessed the attack as most likely involving an IoT-based botnet, consistent with VentraIP’s own attribution to home devices.
IoT Botnets and the NBN Amplification Problem
The residential botnet threat is not theoretical. In March 2026, the US Department of Justice, with partners in Canada and Germany, dismantled four IoT botnets, Aisuru, KimWolf, JackSkid, and Mossad, which collectively had infected more than three million devices globally, principally consumer routers, IP cameras, and other IoT equipment. These botnets were used as DDoS-for-hire services, rented to threat actors who paid per attack volume. VentraIP’s incident response aligns with exactly this operating model: someone rented botnet capacity and directed it at VentraIP’s transit infrastructure.
The regulatory position is a critical gap. Australia’s Cyber Security Act 2024 introduced mandatory IoT security standards that took effect on 4 March 2026, requiring new smart devices to ship without default passwords, with defined support periods and a vulnerability disclosure process. But those obligations apply only to devices manufactured after that date. The tens of millions of routers, cameras, and smart-home devices already installed in Australian homes are entirely outside scope. NBN Co maintains it is a Layer 2 wholesale provider and has no operational visibility into DDoS traffic. Retail service providers and hosting companies absorb the cost of mitigation with no legal mechanism to compel upstream detection or blocking.
VentraIP’s sister company Synergy Wholesale was also affected. Investigations are ongoing in cooperation with the Australian Signals Directorate.
Attack Attribution and Ransom Communication
VentraIP believed the same threat actor was responsible for the 15 May attack on Brisbane-based cloud provider Binary Lane, which Binary Lane described as the largest DDoS attack it had ever observed. Jonstone confirmed that Nexigen had been told the source of both attacks was the same. The ACSC is engaged with the Binary Lane incident under an open case. When asked whether the attacker had requested payment, Jonstone acknowledged brief communications had occurred but declined to provide further detail. This is consistent with DDoS extortion: launch an attack, then offer to stop it for payment. Whether VentraIP paid is not confirmed.
VSP Solutions: Stormous Ransomware and the Double Extortion Playbook
Threat Actor Profile: Stormous
Stormous is an Arabic-speaking, pro-Russian ransomware group active since at least 2021. It operates a Ransomware-as-a-Service platform and has consistently employed double extortion: encrypt systems and exfiltrate sensitive data simultaneously, then threaten publication if the ransom is not paid. The group aligned publicly with Russia at the start of the Ukraine conflict and has claimed attacks against targets in the United States, Ukraine, and Europe.
In mid-2024, Stormous absorbed GhostSec’s Ransomware-as-a-Service operations and now operates the STMX GhostLocker platform, providing affiliates with both the StormCry Python encryptor and GhostLocker 2.0 Golang malware, plus a dark web management panel. Stormous is one of the five members of “The Five Families” collective, alongside GhostSec, ThreatSec, Blackforums, and SiegedSec. The group’s observed initial access methods include brute-forcing exposed RDP and VPN portals with stolen credentials, spear-phishing campaigns, and exploitation of unpatched web-facing applications. Its attack chain typically progresses from initial access through lateral movement and data exfiltration before encryption and extortion.
Stormous’s prior victim list includes attempts against Coca-Cola, French government agencies, and organisations across hospitality and professional services sectors. The VSP Solutions listing in May 2026 represents a continuing pattern of targeting mid-market businesses with significant customer and financial data but limited security operations maturity.
What Data Was Stolen and Published
VSP Solutions is a NSW-based distributor of video security hardware, primarily supplying installers and integrators nationwide with products from Hikvision, Axis, and similar manufacturers. On 13 May 2026, the company became aware of a cyber security incident affecting its business. Stormous listed VSP Solutions on its dark web leak site on 23 May, claiming to have exfiltrated more than 40 gigabytes of data. The claim enumerated the following categories:
- Full financial backups from QuickBooks and Reckon accounting platforms
- Email archives and staff personal folders
- Customer and client databases covering installers and integrators across Australia
- Shipment and order tracking records for major brands including Hikvision and Axis
This is a high-value dataset for downstream attacks. Customer databases containing integrator contacts, combined with email archives, create a targeting set for phishing and business email compromise. Financial backups give attackers detailed visibility into commercial relationships, payment terms, and banking references. For organisations that procured hardware through VSP Solutions, their details are potentially in the hands of a threat actor who actively monetises stolen data.
Business Impact and Incident Response
VSP Solutions confirmed on 1 June 2026 that it was responding to the incident. The company said it had immediately contained the breach, engaged forensics experts and cyber security advisors, and contacted law enforcement. Relevant Australian government agencies were notified. The company stated that impacted data was historical in nature and pertained to a related business, and that current operations were not affected.
The Stormous listing offered a free 20GB sample to incentivise purchase of the full dataset. This is standard dark web leak site procedure: demonstrate the data is real to establish credibility with potential buyers. For VSP Solutions customers, particularly Australian organisations with active integrator relationships, the advisory is to treat any communication purportedly from VSP Solutions with elevated suspicion and to alert staff about phishing attempts referencing orders, shipments, or account credentials.
Whether a ransom was paid has not been confirmed. Under the Cyber Security Act 2024, entities with annual turnover exceeding $3 million that make a ransomware payment are required to report it to the ASD within 72 hours. This obligation has been in full enforcement since May 2025.
Melbourne International Film Festival: Third-Party Cyber Risk in Action
The Ferve Ticketing Platform Compromise
The Melbourne International Film Festival is Australia’s largest and one of the Southern Hemisphere’s oldest film festivals, operating since 1952. On 29 May 2026, MIFF became aware of unauthorised access to its ticketing platform, operated by Ferve Tickets (Vallez Pty Ltd). A further access event was identified on 30 May, with some customers receiving unauthorised emails and SMS messages from the festival. MIFF confirmed on 1 June that the incident had impacted approximately 27,000 sets of customer records. Compromised data included names, email addresses, phone numbers, and residential addresses. Payment card details and account passwords were not among the stolen data.
The attack vector was a third-party compromise. MIFF’s own systems were not the entry point. Ferve Tickets, the SaaS ticketing provider, was the breached entity, and the exposure propagated to MIFF customers through that dependency. This is a canonical third-party cyber risk scenario: the controller organisation (MIFF) had limited ability to directly govern the security posture of its processor (Ferve), and customer data stored by the processor was exposed without the controller’s knowledge until after the breach occurred.
Divergent Victim Count: 27,000 Versus 340,000
A threat actor using the handle “2019” posted to a prominent hacking forum on 30 May 2026, claiming to have breached MIFF and offering data on more than 340,000 customers for sale to the highest bidder. The alleged dataset was described as including addresses, customer IDs, email addresses, names, membership data, and purchasing history. MIFF’s own confirmed figure is approximately 27,000 records. The gap between these numbers is significant and has not been reconciled publicly.
There are three plausible explanations. First, the hacker may be inflating the claimed volume to increase the perceived value of the dataset on a criminal forum; this is common practice. Second, the actor may have access to a larger historical database, potentially including records that predated MIFF’s current relationship with Ferve. Third, MIFF’s 27,000 figure may reflect only the records directly confirmed as exposed during the specific access events on 29 and 30 May. Until MIFF or a regulatory body publishes a complete investigation finding, security teams advising clients who are MIFF members or ticket purchasers should treat the higher figure as the conservative risk boundary.
MIFF has advised affected customers to remain alert for phishing and scam attempts, avoid clicking unexpected links, and not provide personal information unless they are confident of the source. Any customer who used the same password for their MIFF account as for other services should change those credentials immediately, as credential reuse amplifies exposure even where the data breach did not include password hashes.
Australian Government and Regulatory Response
ASD Engagement
The Australian Signals Directorate’s Australian Cyber Security Centre is the government’s technical authority on cyber security. ASD is engaged with the Binary Lane DDoS incident under an open case, with Nexigen confirming that investigators have been briefed on the shared attribution across the Binary Lane and VentraIP attacks. For the VSP Solutions and MIFF incidents, the companies confirmed they had notified relevant Australian government agencies; the nature of those notifications and any ACSC advisory activity following them has not been publicly detailed at the time of writing.
The ASD’s Cyber Threat Report 2024-25 noted that DDoS attacks targeted both commercial operators and critical infrastructure, with cybercriminals and hacktivists accounting for a significant share of incidents. The surge in DDoS volume is consistent with the structural shift Nexigen described: residential botnets on high-speed fixed broadband connections represent a new and largely unmitigated attack surface for Australian hosting providers.
The Cyber Security Act 2024: What Has Changed
Australia’s first standalone cyber security law received Royal Assent on 29 November 2024 and introduced four operational obligations relevant to these incidents.
Mandatory ransomware payment reporting. Entities with turnover above $3 million that make an extortion payment must report to ASD within 72 hours. This is in full enforcement. Organisations that paid Stormous or any other ransomware group and failed to report are in breach. The intent is to give government visibility into the full scale of the ransomware threat and to inform law enforcement.
IoT security standards for new smart devices. From 4 March 2026, new IoT devices must ship without default passwords, with defined support windows and a vulnerability disclosure process. Critically, this does not cover legacy devices already deployed. The gap between the new standards and the installed base is the exact vulnerability that the VentraIP attack exploited.
National Cyber Security Coordinator. Organisations experiencing significant cyber security incidents can voluntarily share information with the Coordinator under a limited-use protection, meaning the information cannot be used against them in enforcement or litigation. This is designed to encourage early engagement rather than suppression of incidents.
Cyber Incident Review Board. The CIRB is constituted to review major incidents and provide recommendations. Whether these three incidents will be reviewed by the CIRB depends on the government’s assessment of national significance, but the VentraIP incident in particular has attracted broad public commentary about the systemic weaknesses it exposed.
Incident Comparison Table
| Incident | Attack Type | Threat Actor | Data Compromised | Confirmed Impact | ASD / Regulator Involved |
|---|---|---|---|---|---|
| VentraIP (23-26 May) | DDoS, 600Gbps+ | Unknown, IoT botnet, same as Binary Lane | No data breach; service disruption | 300,000 customers, outage approx. 7 hrs | ASD engaged (Binary Lane case) |
| VSP Solutions (13 May, disclosed 23 May) | Ransomware, double extortion | Stormous (RaaS, pro-Russian) | 40+ GB: financial records, customer DB, email archives | NSW video security distributor, nationwide integrator exposure | Law enforcement and govt agencies notified |
| MIFF (29-30 May, confirmed 1 Jun) | Third-party breach via Ferve | Handle “2019”, cybercrime forum | Names, emails, phone numbers, addresses; up to 340K records claimed | Approx. 27,000 confirmed; unauthorised customer comms | Privacy Act notification obligations triggered |
What Australian Organisations Can Implement to Prepare For and Reduce Their Attack Surface
These three incidents map directly to three control areas. The controls below are not aspirational guidance. They are the minimum posture that would have reduced impact across all three attack types.
DDoS Resilience: Addressing Denial-of-Service Risk
Organisations that depend on internet-facing services should treat DDoS as a near-certainty rather than a low-probability event. The structural conditions that allowed the VentraIP attack to succeed, specifically residential IoT botnets on high-bandwidth NBN connections, have not been fixed at a network level. The regulatory gap means they will not be fixed quickly. That leaves mitigation cost entirely downstream.
Practical controls:
- Contract with a scrubbing or anycast DDoS mitigation provider (Cloudflare, Akamai, Fastly) at a traffic threshold appropriate to the organisation’s exposure. Shared hosting customers have limited direct control here; the choice of hosting provider and its declared mitigation capacity matters.
- Require hosting providers to demonstrate DDoS mitigation capacity and the contractual SLA for mitigation response time. VentraIP itself acknowledged the incident prompted a complete rethink of its mitigation strategy.
- For organisations hosting their own infrastructure, implement upstream rate limiting and anomaly detection at the edge. A 600Gbps attack saturates transit links before on-premise scrubbing can act; upstream mitigation services must be pre-provisioned, not reactive.
- Review your inventory of IoT and network-connected devices so that your own equipment does not contribute to the botnet capacity behind attacks like this one. Many IoT devices can be remotely compromised with no visible symptoms on the local network. Devices exposed to the internet with default credentials or unpatched firmware are candidates for botnet recruitment.
- Segment IoT devices onto dedicated VLANs with restricted outbound routing policies. A compromised IoT device on a segmented network has limited ability to participate in large-scale denial-of-service attacks.
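The segmentation and edge anomaly controls above, as an added Python example that is not part of the original article: it evaluates outbound flow records from an IoT VLAN against an egress allowlist and flags devices whose packet rate or destination fan-out looks like botnet participation. The VLAN (10.50.0.0/24), the resolver on a separate services VLAN (10.0.0.53), the vendor cloud range (203.0.113.0/24) and the flow records are all assumed or constructed for the example.

```python
"""Egress-policy check and flood spotting for an IoT VLAN's outbound flows.

Added example, not VentraIP's or the article author's code. Assumes the IoT
VLAN is 10.50.0.0/24, the resolver lives on a services VLAN at 10.0.0.53,
and the only permitted external services are NTP and the camera vendor's
cloud at 203.0.113.0/24 (a documentation-range placeholder). Flow records
are constructed in the shape a NetFlow/IPFIX collector would export.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("10.50.0.0/24")
ANY = ip_network("0.0.0.0/0")

# Egress allowlist: (destination network, protocol, destination port).
# Anything else leaving the segment is a policy violation, whatever its size.
ALLOWED = [
    (ip_network("10.0.0.53/32"), "udp", 53),       # DNS to the internal resolver only
    (ANY, "udp", 123),                             # NTP
    (ip_network("203.0.113.0/24"), "tcp", 443),    # vendor cloud over HTTPS
]

# Per-device budgets. A camera streaming to its vendor is legitimately busy;
# thousands of packets per second at one host, or fan-out to many hosts,
# is what a recruited bot looks like from inside the network.
PPS_LIMIT = 2000
MAX_DISTINCT_DST = 20


def allowed(dst, proto, dport):
    """True if (dst, proto, dport) matches an ALLOWED entry."""
    return any(dst in net and proto == p and dport == port for net, p, port in ALLOWED)


def analyse(flows):
    """Return (violations, suspects) for a batch of flow records.

    Each flow: {"src", "dst", "proto", "dport", "packets", "seconds"}.
    Violations are flows that break the egress allowlist; suspects are
    source devices whose summed packet rate or fan-out exceeds the budgets.
    """
    violations = []
    pps = defaultdict(float)        # src -> packets/second summed over its flows
    fanout = defaultdict(set)       # src -> distinct destinations outside the VLAN
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src not in IOT_VLAN or dst in IOT_VLAN:
            continue                # only traffic leaving the IoT segment counts
        if not allowed(dst, f["proto"], f["dport"]):
            violations.append((str(src), str(dst), f["proto"], f["dport"]))
        pps[str(src)] += f["packets"] / max(f["seconds"], 1)
        fanout[str(src)].add(str(dst))
    suspects = sorted(s for s in pps
                      if pps[s] > PPS_LIMIT or len(fanout[s]) > MAX_DISTINCT_DST)
    return violations, suspects


# Constructed flows: a camera behaving normally and a smart plug that has been
# recruited into a botnet (flooding one external host, beaconing to a C2 port).
SAMPLE_FLOWS = [
    {"src": "10.50.0.20", "dst": "203.0.113.10", "proto": "tcp", "dport": 443,
     "packets": 12000, "seconds": 60},
    {"src": "10.50.0.20", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "packets": 40, "seconds": 60},
    {"src": "10.50.0.20", "dst": "192.0.2.5", "proto": "udp", "dport": 123,
     "packets": 4, "seconds": 60},
    {"src": "10.50.0.33", "dst": "198.51.100.7", "proto": "udp", "dport": 443,
     "packets": 300000, "seconds": 60},
    {"src": "10.50.0.33", "dst": "198.51.100.99", "proto": "tcp", "dport": 8080,
     "packets": 30, "seconds": 60},
]

if __name__ == "__main__":
    bad, bots = analyse(SAMPLE_FLOWS)
    print("policy violations:", bad)
    print("suspect devices:", bots)
```

The same allowlist is what the VLAN's egress firewall should enforce; running the check over collected flows tells you whether the firewall rule is actually in place and whether a device is trying to get past it.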
Ransomware Hardening: Reducing the Double Extortion Attack Surface
Stormous’s initial access methods, brute-forced RDP and VPN, credential stuffing, phishing, unpatched web applications, are the same as those used by the vast majority of ransomware groups. The controls that close these vectors are not new, but the VSP Solutions incident confirms they are still not universally applied.
Practical controls:
- Disable internet-facing RDP. If remote access is required, route it through a VPN or zero trust access gateway with MFA enforced at the network boundary, not just the application layer.
- Apply the ASD Essential Eight at Maturity Level 2 as a baseline. Patch operating systems and applications within 48 hours for exploits rated critical. The ACSC’s data shows 75% of business email compromise attacks in 2024-25 bypassed MFA, which means MFA implementation quality matters as much as MFA presence.
- Implement network segmentation to restrict lateral movement. If an attacker gains access to a workstation running accounting software, they should not have a direct path to the domain controller or backup infrastructure.
- Maintain tested offline backups. Ransomware encrypts what it can reach. Immutable, air-gapped, or cloud-based backup copies outside the primary network are the primary recovery control.
- Establish a documented incident response plan that includes ransomware scenarios. Under the Cyber Security Act 2024, if a ransom payment is made, reporting to ASD within 72 hours is mandatory. Organisations without a plan will be managing the decision under duress.
- Monitor dark web leak sites and threat intelligence feeds for early warning of your organisation, supply chain partners, or known vendors being listed. Stormous posted a free 20GB sample before releasing the full VSP Solutions dataset; organisations monitoring leak site activity can act faster than those waiting for vendor disclosure.
Third-Party Cyber Risk: Lessons from the MIFF Breach
The MIFF breach via Ferve is a textbook third-party cyber incident. MIFF’s own systems were not the failure point, but MIFF’s customers absorbed the harm. Every organisation that collects personal data and delegates processing to a SaaS or ticketing vendor faces the same exposure.
Practical controls:
- Conduct security assessments of third-party vendors that handle customer personal data. Assessments should include penetration testing scope, incident response capability, breach notification SLA, and breach history. Many organisations sign data processing agreements without ever reviewing the vendor’s actual security posture.
- Require contractual breach notification within a defined timeframe. The Privacy Act and Australian Privacy Principles create obligations on the organisation that controls the data, regardless of whether a third party caused the data breach.
- Minimise data stored with third parties. Ticketing platforms need contact details to send confirmation emails; they do not necessarily need full residential address history stretching back years. Data minimisation reduces the exposure window when a breach does occur.
- Implement phishing-resistant MFA for all administrative accounts connected to third-party platforms. The MIFF incident involved unauthorised emails and SMS messages being sent to customers from within the platform, suggesting the attacker gained access to an account with sufficient permissions to send communications.
- Maintain a third-party inventory with data classification, security assessment dates, and breach notification contact details. Security teams that do not know which vendors hold customer data cannot respond effectively when a cyber incident occurs.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
The DDoS attack on VentraIP exceeded 600Gbps in volume, making it the largest attack the company had experienced in 18 years of operation. The attack was particularly damaging because it originated from compromised devices on Australian home NBN connections rather than offshore servers, meaning standard scrubbing infrastructure couldn't effectively block the distributed residential traffic across every NBN point of presence in the country.
NBN's fibre and fixed wireless services provide significantly higher upload capacity than the older ADSL and VDSL copper connections they replaced. This infrastructure upgrade means the same botnet that could generate manageable attack volumes on copper can produce approximately fifty times more traffic on NBN, creating a structural amplifier for DDoS attacks.
An IoT botnet is a network of compromised consumer devices like routers and IP cameras that can be rented as a DDoS-for-hire service. In the VentraIP case, someone rented botnet capacity and directed millions of compromised home devices across Australian NBN connections to flood VentraIP's infrastructure, overwhelming their transit links and taking customer websites offline for multiple days.
Australia's Cyber Security Act 2024 introduced mandatory IoT security standards that took effect on 4 March 2026, requiring new smart devices to ship without default passwords, include defined support periods, and implement vulnerability disclosure processes. However, these obligations only apply to devices manufactured after the effective date, leaving millions of older devices without these protections.
These three incidents—a terabit-scale DDoS attack, a ransomware extortion operation, and a data breach via a third-party vendor—occurred within nine days and reflected structural weaknesses being actively exploited across Australian networks. They align with ASD data showing a 280% surge in DDoS attacks and 23% increase in ransomware notifications, demonstrating that such incidents are not isolated outliers but part of a growing trend targeting Australian organisations.