Full Report
A pro-Iran hacking group claimed responsibility for an eBay outage that began Sunday and said it will “continue to rapid fire assaults and destroy their backends” if the group’s demands went unanswered. “We are prepared to offer them a simple way out, but they are yet to oficially [sic] contact us,” The Islamic Cyber Resistance…
Analysis Summary
# Incident Report: Distributed Denial of Service (DDoS) Campaign Against eBay
## Executive Summary
In late April 2026, the pro-Iran hacking group "The Islamic Cyber Resistance in Iraq – 313 Team" launched a coordinated DDoS attack against eBay’s global infrastructure. The assault caused intermittent outages, specifically disrupting login and search functionalities and completely taking down the eBay Japan site. The threat actors claimed the attack was an attempt to extort the company, threatening continued "rapid fire assaults" until unspecified demands are met.
## Incident Details
- **Discovery Date:** April 26, 2026
- **Incident Date:** April 26 – April 27, 2026 (Ongoing at time of report)
- **Affected Organization:** eBay Inc.
- **Sector:** E-commerce / Commercial
- **Geography:** Global (Specifically impacting U.S. and Japan operations)
## Timeline of Events
### Initial Access
- **Date/Time:** April 26, 2026, 12:01 PM PT
- **Vector:** External Network Traffic (DDoS)
- **Details:** Attackers initiated a "massive cyberattack" targeting eBay’s backend servers, causing immediate intermittent failures in search and authentication modules.
### Lateral Movement
- **N/A:** As this was a DDoS/Service disruption attack, lateral movement within the internal network was not reported; however, the attackers escalated by shifting targets from core infrastructure to regional segments (eBay Japan).
### Data Exfiltration/Impact
- **Data Impact:** No data exfiltrated; focus was on service unavailability and financial loss through business disruption.
- **Service Impact:** Disruption of search, login, and region-specific sites (ebay.co.jp).
### Detection & Response
- **Detection:** User reports peaked on Downdetector on Sunday (April 26) and Monday (April 27). eBay’s internal monitoring confirmed technical issues.
- **Response:** eBay Japan officially acknowledged authentication issues on X (formerly Twitter). eBay Global issued seller protections and refund policies for those impacted by auction disruptions.
## Attack Methodology
- **Initial Access:** Network-level flood/Resource exhaustion (DDoS).
- **Persistence:** Not applicable for DDoS, though the group threatened "rapid fire" recurring waves.
- **Defense Evasion:** Use of "sophisticated" techniques to bypass standard rate limiting (similarly noted in their previous attacks on Bluesky).
- **Impact:** Complete disruption of key website features and application programming interfaces (APIs).
## Impact Assessment
- **Financial:** Potentially high; attackers cited that eBay is "losing money by the minute." eBay is refunding advertising and selling fees for impacted auctions.
- **Data Breach:** None reported.
- **Operational:** Significant disruption to e-commerce operations, specifically for sellers with auctions ending during the window.
- **Reputational:** Public claims of responsibility by a known threat actor on Telegram and social media.
## Indicators of Compromise
- **Network indicators:** Volumetric spikes in traffic targeting `ebay.com` and `ebay.co.jp` authentication and search endpoints.
- **Behavioral indicators:** Claims posted on Telegram channel "The Islamic Cyber Resistance in Iraq – 313 Team."
- **Communication:** Threat actors provided a "Session Contact ID" via email to the victim organization.
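
The network indicator above (request surges concentrated on authentication and search endpoints) can be checked against access logs with a per-endpoint baseline. This is an added example, not part of the original report or any eBay tooling; the log line format, the `/signin` and `/sch` path prefixes, the thresholds, and all sample traffic are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

LINE = re.compile(r"^(\S+) (\S+) (?:GET|POST) (/\S*)$")
# Hypothetical path prefixes standing in for the endpoint classes in the report.
CLASSES = {"/signin": "auth", "/sch": "search"}

def per_minute_counts(lines):
    """Return {(host, endpoint_class): {minute: request_count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, host, path = m.groups()
        cls = next((c for p, c in CLASSES.items() if path.startswith(p)), "other")
        counts[(host, cls)][ts[:16]] += 1  # bucket by YYYY-MM-DDTHH:MM
    return counts

def find_spikes(lines, window=5, k=6.0, min_sigma=3.0):
    """Flag minutes whose count exceeds median + k * robust sigma of the prior window."""
    alerts = []
    for (host, cls), series in per_minute_counts(lines).items():
        minutes = sorted(series)
        for i in range(window, len(minutes)):
            base = [series[m] for m in minutes[i - window:i]]
            med = statistics.median(base)
            mad = statistics.median([abs(x - med) for x in base])
            sigma = max(1.4826 * mad, min_sigma)  # floor keeps flat baselines quiet
            if series[minutes[i]] > med + k * sigma:
                alerts.append((minutes[i], host, cls, series[minutes[i]], med))
    return sorted(alerts)

def build_sample():
    """Constructed traffic: ten quiet minutes, then a surge on two endpoint classes."""
    lines = []
    for minute in range(11):
        ts = f"2000-01-01T00:{minute:02d}:00"
        surge = minute == 10
        load = {("ebay.com", "POST", "/signin"): 20 + minute % 3,
                ("ebay.com", "GET", "/sch?q=x"): 900 if surge else 50 + minute % 4,
                ("ebay.co.jp", "POST", "/signin"): 400 if surge else 5 + minute % 2}
        for (host, method, path), n in load.items():
            lines += [f"{ts} {host} {method} {path}"] * n
    return lines

if __name__ == "__main__":
    for alert in find_spikes(build_sample()):
        print(alert)
```

A sustained flood becomes its own baseline after `window` minutes, so the first alert should open an incident rather than be re-evaluated minute by minute. Minutes with zero requests do not appear in the series, so a real deployment should fill those gaps before computing the baseline.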
## Response Actions
- **Containment:** eBay implemented intermittent technical limits to stabilize the platform.
- **Eradication:** Working to identify and block the specific attack traffic sources.
- **Recovery:** Seller protections enacted, including cancelling impacted orders and protecting seller performance metrics from negative feedback.
## Lessons Learned
- **DDoS Resilience:** High-profile commercial targets remain vulnerable to persistent, multi-wave DDoS attacks from politically motivated groups.
- **Geographic Diversification:** The shift in attack focus to eBay Japan suggests threat actors will pivot to regional nodes if primary nodes are hardened.
- **Communication Channels:** Threat actors are increasingly using public platforms (Telegram/X) to amplify the perceived impact of technical outages.
## Recommendations
- **Anti-DDoS Scrubbing:** Enhance web application firewalls (WAF) and DDoS scrubbing services to handle "sophisticated" volumetric and application-layer attacks.
- **Communication Plan:** Ensure rapid public response to service outages to prevent threat actors from controlling the narrative.
- **Redundancy:** Review the dependencies of the authentication/login backend to ensure that regional sites can operate even if primary global authentication services are under pressure.