Russia Accused of DDoS-Attacking VPN Services as Crackdown Escalates
Amnezia VPN says a large denial-of-service attack hit its infrastructure while numerous server IP addresses were being blocked. The provider blames Roskomnadzor, but that attribution remains unverified.
By Martin Needs — Cybersecurity Expert
Amnezia VPN has accused Russia's federal internet regulator of moving beyond conventional VPN blocking and actively attacking the service's infrastructure. The service disruption is documented by the provider and recent reporting. The attacker's identity is not: Amnezia has not released enough public forensic evidence for independent attribution.
What Happened to Amnezia VPN?
Amnezia VPN users began reporting serious connection problems in late May. Some locations became unavailable, the application became unstable and users struggled to move between servers. The problems affected both Amnezia Free and Amnezia Premium.
On 1st June, Amnezia said its infrastructure had been hit by a large-scale distributed denial-of-service attack. It also reported that a substantial number of VPN server IP addresses were being blocked at the same time.
The company initially suggested that normal service could return within hours. The disruption lasted longer than expected, however, and by 4th June the team said it was continuing to work around the clock to restore stable operation. Premium customers were promised compensation for affected days.
It is accurate to report that Amnezia experienced a major outage and says a DDoS attack occurred. It is not yet accurate to present Roskomnadzor's responsibility as independently established fact.
What Is Confirmed—and What Is Not?
| Statement | Status | Evidence Available |
|---|---|---|
| Amnezia suffered a serious service disruption | Confirmed | The provider reported instability affecting Free and Premium services, including difficulty changing servers. |
| A large DDoS attack hit Amnezia infrastructure | Reported by operator | Amnezia publicly identified DDoS traffic as a cause alongside targeted IP blocking. |
| Roskomnadzor conducted the attack | Unverified allegation | Amnezia made the attribution, but no public forensic report or independent confirmation has established it. |
| Several Russian-facing VPNs were disrupted | Supported | Amnezia referred to wider availability problems, while BlancVPN separately recorded Russia-related incidents. |
| Russia formally banned all VPN use | Incorrect | Russia aggressively blocks circumvention services, but the current reports do not describe a universal criminal ban on ordinary VPN use. |
Why Attribution Is Still Uncertain
Amnezia said the combined DDoS activity and server blocking represented a coordinated campaign by Russia's censorship system. The timing, simultaneous blocking of many VPN addresses and wider enforcement environment may support the company's suspicion.
Those circumstances do not prove who generated the attack traffic. Reliable attribution would normally require evidence such as packet captures, traffic-source analysis, command-and-control links, infrastructure overlap or provider logs showing coordination with network-level blocking.
Amnezia is the primary source for the accusation. Roskomnadzor had not publicly confirmed involvement, and no independent organisation had published a technical attribution report at the time covered by this article.
DDoS traffic can be routed through compromised devices in many countries, making its apparent origin unreliable. Even when an attack benefits a state censorship campaign, that does not by itself prove that a government agency launched it.
DDoS Attacks and VPN Blocking Are Different
Conventional VPN censorship prevents users from reaching a service. A DDoS attack attempts to overwhelm the service itself. When both occur together, the provider has to defend its infrastructure while replacing or reconfiguring blocked routes.
| Technique | Target | Typical Effect |
|---|---|---|
| VPN server IP blocking | Known server addresses | Users on filtered networks cannot reach those locations, although the servers may remain healthy elsewhere. |
| Protocol detection | Recognisable VPN traffic patterns | Connections fail even when a server address has not yet been blocked. |
| Active probing | Suspected proxy endpoints | A censorship system tests a server and may block it after identifying circumvention behaviour. |
| DDoS flooding | Service infrastructure, APIs or control systems | Legitimate requests time out because capacity is consumed by attack traffic. |
| Combined campaign | Access routes and backend operations | Users lose existing servers while deployment of replacements is also disrupted. |
A VPN application may rely on central APIs to retrieve locations, authorise accounts and distribute updated connection details. Overloading those systems can interfere with server selection even when some individual VPN gateways remain online.
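The difference between blocking and flooding shows up when the same targets are probed from inside and outside the filtered network. The triage below is an added example, not code from Amnezia or from the original article; the vantage names, target names and outcome labels are hypothetical and the probe data is constructed. Reachability alone cannot separate IP blocking from protocol detection, and it says nothing about who caused an outage.

```python
from collections import defaultdict

# Constructed probe results, not real measurements:
# (vantage, target_kind, target_id, outcome). "filtered" is a probe from
# inside the censored network, "outside" is a probe from elsewhere.
PROBES = [
    ("filtered", "gateway", "gw-a", "timeout"),
    ("outside", "gateway", "gw-a", "ok"),
    ("filtered", "gateway", "gw-b", "timeout"),
    ("outside", "gateway", "gw-b", "timeout"),
    ("filtered", "gateway", "gw-c", "ok"),
    ("outside", "gateway", "gw-c", "ok"),
    ("filtered", "api", "locations-api", "timeout"),
    ("outside", "api", "locations-api", "timeout"),
]

def reachable(results):
    """A vantage reaches the target if at least half its probes succeed."""
    return sum(results) * 2 >= len(results)

def classify_target(by_vantage):
    """Map one target's per-vantage probe results to a verdict."""
    if not by_vantage.get("filtered") or not by_vantage.get("outside"):
        return "insufficient-vantage-points"  # cannot separate blocking from outage
    inside = reachable(by_vantage["filtered"])
    outside = reachable(by_vantage["outside"])
    if inside and outside:
        return "healthy"
    if outside:
        return "blocked-on-filtered-path"  # server is healthy elsewhere
    if inside:
        return "unreachable-outside-only"
    return "unavailable-everywhere"  # overload or outage; cause unknown

def triage(probes):
    """Return (per-target verdicts, overall pattern) for a batch of probes."""
    results, kinds = defaultdict(lambda: defaultdict(list)), {}
    for vantage, kind, target, outcome in probes:
        results[target][vantage].append(outcome == "ok")
        kinds[target] = kind
    verdicts = {t: classify_target(v) for t, v in results.items()}
    blocked = any(v == "blocked-on-filtered-path" for v in verdicts.values())
    backend_down = any(v == "unavailable-everywhere" and kinds[t] == "api"
                       for t, v in verdicts.items())
    if blocked and backend_down:
        return verdicts, "combined"
    if blocked:
        return verdicts, "filtered-path-blocking"
    return verdicts, "backend-unavailable" if backend_down else "no-clear-pattern"
```
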
Why This Could Mark an Escalation
Russia has repeatedly blocked VPN websites, applications, protocols and server addresses. It has also pressured technology companies and domestic online services to identify or restrict VPN use. Those controls aim to stop users reaching blocked foreign platforms and independent information.
An active denial-of-service campaign would be different because it would target a provider's operational capacity, not only connections crossing Russian networks. Successful attacks could affect customers outside Russia, increase infrastructure costs and delay the deployment of replacement servers.
That is why the allegation matters even though attribution remains unresolved. If independently verified, it would suggest the censorship campaign had expanded from filtering traffic at network borders to directly degrading circumvention infrastructure.
What the Disruption Means for Users
The most obvious symptom is an unreliable application: connections may fail, working locations may disappear and a new server list may not load. A service can also appear to connect while providing extremely poor performance because supporting systems are under pressure.
- Outages do not prove compromise: unavailability does not automatically mean VPN traffic or account data was exposed.
- Repeated reconnection may not help: the problem can involve central infrastructure rather than one overloaded gateway.
- Free and paid tiers can fail together: both may depend on shared APIs, control systems or hosting providers.
- Self-hosted deployments may behave differently: a personal server can avoid shared gateways but may still depend on application updates or configuration services.
- Unknown alternatives create risk: rushed migration to an unfamiliar VPN can expose users to logging, malware or fraudulent subscriptions.
Users in high-risk environments should not assume that changing to an unfamiliar VPN immediately restores anonymity. The provider, device, account activity and local network can all create identifying signals.
Were Other VPN Services Affected?
Amnezia said other VPN services were experiencing availability problems at roughly the same time, although it did not initially identify them. BlancVPN separately recorded connectivity problems affecting users in Russia during late May.
BlancVPN's public status page shows a Russia-related incident on 28th May that affected 50 location components before being marked resolved later that day. Subsequent reporting described additional disruption around late May and early June, with a large part of the service restored by 4th June.
Similar timing does not prove that Amnezia and BlancVPN were hit by the same attacker or technique. BlancVPN's public incident notice did not attribute its problem to a DDoS attack by Roskomnadzor.
Russia's Wider Campaign Against VPNs
The latest disruption sits within a much broader restriction campaign. At the end of March, Russia's digital minister publicly said the government's task was to reduce VPN usage. Reuters reported that more than 400 VPN services had been blocked by mid-January—about 70% more than late in the previous year.
Russia has also blocked or degraded major foreign messaging platforms, interrupted mobile internet in numerous locations and instructed officials to ensure that selected essential services continue operating during periods of restricted connectivity.
The strategy does not require every VPN to disappear. Making services unpredictable, difficult to download and expensive to maintain can reduce use even when determined users continue finding temporary workarounds.
| Pressure Point | Purpose | Practical Result |
|---|---|---|
| Server and protocol blocking | Prevent tunnels from connecting | Providers must continually rotate infrastructure and disguise traffic. |
| App and website restrictions | Make services difficult to obtain | Existing users may retain access while new users struggle to install or renew. |
| Domestic platform detection | Identify or discourage active VPN connections | Banking, search or social applications may warn users or limit functionality. |
| Mobile internet restrictions | Limit wider connectivity during selected periods | A VPN cannot restore access when the underlying connection is disabled. |
| Possible infrastructure attacks | Degrade the provider itself | Potential disruption can extend beyond one carrier or region. |
Timeline of the Latest Disruption
Amnezia and other circumvention services experienced earlier outages that the provider linked to widespread censorship-related blocking.
Amnezia users reported unavailable locations, unstable application behaviour and difficulty establishing dependable connections.
BlancVPN logged a Russia-related connectivity incident affecting 50 location components before marking that incident resolved.
Amnezia publicly reported a large-scale DDoS attack and said other VPN providers were also experiencing availability problems.
Amnezia described its infrastructure as being hit by a large attack alongside targeted server-IP blocking.
The provider said work to restore stable service was continuing around the clock and promised compensation to Premium users.
International reporting focused on Amnezia's accusation that Roskomnadzor had escalated from blocking VPNs to attacking infrastructure.
Frequently Asked Questions
Was Amnezia VPN DDoS-attacked?
Amnezia says its infrastructure experienced a large-scale DDoS attack while many VPN server IP addresses were being blocked. The provider is the primary source for that technical diagnosis.
Did Roskomnadzor carry out the attack?
That has not been independently proven. Amnezia attributes the campaign to Roskomnadzor, but no public forensic report or independent technical analysis has established responsibility.
Were Amnezia Free and Premium both affected?
Yes. Reporting based on the provider's updates says both tiers experienced disruption, including unstable connections and difficulty switching servers.
Does an outage mean VPN traffic was decrypted?
No. A DDoS attack aims to reduce availability. It does not automatically decrypt VPN traffic or prove account information was stolen. Any separate data breach would require additional evidence.
Was BlancVPN hit by the same attack?
That has not been established. BlancVPN reported Russia-related connectivity problems, but its public status notice did not identify Roskomnadzor or state that the incident was the same DDoS campaign.
Why would a DDoS attack be a major escalation?
Network blocking mainly prevents users inside a filtered network from reaching a VPN. A DDoS attack can degrade the provider's own infrastructure and potentially affect users in multiple countries.
Written by Martin Needs
Director at NeedSec LTD | Cybersecurity Expert | 10+ Years Experience
“The service impact and the identity of the attacker are separate questions. Credible attribution requires technical evidence beyond the fact that an outage coincided with state VPN blocking.”
Sources
- Amnezia VPN — Public statement reporting a large-scale DDoS attack.
- Meduza — Russia's media regulator accused of DDoS-attacking VPN infrastructure.
- TechRadar — Summary of the Amnezia allegations and disruption.
- BlancVPN Status — Russia connectivity incident recorded on 28th May 2026.
- Reuters — Russia's wider campaign to reduce VPN usage.
- Reuters — Mobile internet restrictions and continuity orders for essential services.