Adyen Hit by Multi-Wave DDoS Attack, Disrupting European Payment Services
Dutch payment processor Adyen experienced a distributed denial-of-service (DDoS) attack this week, causing temporary disruptions to its services across Europe. The company detected the incident shortly before 7 p.m. CEST (1 p.m. EDT) on Monday, when monitoring systems flagged unusually high error rates in its European payment infrastructure.
According to Adyen’s Chief Technology Officer, Tom Adams, the attack unfolded in three distinct waves, each with evolving patterns that required rapid adjustments to mitigation efforts. At its peak, the assault generated millions of requests per minute from a globally distributed and shifting set of IP addresses. While core systems remained operational, certain services, including onboarding and money transfers, were degraded, leading to failed or delayed transactions for some customers.
Adyen, which serves major clients like Uber, eBay, and Spotify, confirmed that the incident was resolved by 3 a.m. CEST on Tuesday. The company stated it would conduct a detailed post-incident review for customers, outlining the attack’s scope and long-term prevention measures, though no timeline was provided.
DDoS attacks, a common threat to financial services, typically aim to overwhelm systems rather than steal data. While such attacks rarely compromise internal operations at cyber-mature organizations, they can erode customer trust and disrupt service availability. Adyen did not disclose whether U.S. operations were affected.
Source: https://www.paymentsdive.com/news/adyen-hit-with-cyberattack-in-europe/746064/
Adyen cybersecurity rating report: https://www.rankiteo.com/company/adyen
{
  "id": "ADY1768444061",
  "linkid": "adyen",
  "type": "Cyber Attack",
  "date": "4/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Merchants and end-users in '
                                              'Europe',
                        'industry': 'Financial Services',
                        'location': 'Amsterdam, Netherlands',
                        'name': 'Adyen',
                        'type': 'Payment Processor'}],
 'attack_vector': 'Overwhelming traffic from globally distributed and shifting '
                  'IP addresses',
 'customer_advisories': 'Public disclosure via company website',
 'date_detected': '2024-04-22T18:50:00+02:00',
 'date_publicly_disclosed': '2024-04-21',
 'date_resolved': '2024-04-23T03:00:00+02:00',
 'description': 'Adyen experienced a distributed denial of service (DDoS) '
                'attack that temporarily disrupted some of its payment '
                'processing services in Europe. The attack unfolded in three '
                'distinct waves, generating millions of requests per minute '
                'and degrading services such as onboarding and money '
                'transfers.',
 'impact': {'brand_reputation_impact': 'Potential impact on credibility and '
                                       'customer trust',
            'operational_impact': 'Failed or delayed transactions for some '
                                  'customers',
            'systems_affected': 'European payment systems, onboarding, money '
                                'transfers'},
 'investigation_status': 'Resolved',
 'post_incident_analysis': {'corrective_actions': 'Long-term prevention '
                                                  'measures to be detailed in '
                                                  'post-incident review',
                            'root_causes': 'DDoS attack with three distinct '
                                           'waves and shifting IP addresses'},
 'references': [{'date_accessed': '2024-04-22',
                 'source': 'Adyen Website',
                 'url': 'https://www.adyen.com'},
                {'date_accessed': '2024-04-22',
                 'source': 'Cybersecurity Dive'}],
 'response': {'communication_strategy': 'Public disclosure via company website',
              'containment_measures': 'Continuous adjustments to mitigation '
                                      'strategies',
              'incident_response_plan_activated': True},
 'stakeholder_advisories': 'Detailed post-incident review to be shared with '
                           'customers',
 'title': 'Adyen DDoS Attack Disrupts European Payment Services',
 'type': 'Distributed Denial of Service (DDoS)'}