On 30 April 2026 Canonical’s monitoring flagged blog.ubuntu.com as down, and within minutes ubuntu.com, its security‑API endpoints, developer portal and training platform followed. The cascade knocked out the entire public web presence for roughly twenty hours before service resumed on 1 May. A self‑described pro‑Iranian group, the Islamic Cyber Resistance in Iraq, claimed responsibility, saying it rented a commercial DDoS tool called Beamed.

Beamed markets itself as a Cloudflare‑bypass service, advertising residential IP rotation and manual endpoint hunting to locate origins hidden behind Cloudflare’s reverse‑proxy. Both beamed.su and beamed.st resolve to Cloudflare AS13335, the same network Canonical uses for its archive.ubuntu.com and security.ubuntu.com addresses, meaning the attacker paid a Cloudflare‑fronted service that later billed Canonical for mitigation.

The underlying infrastructure traces back to Immaterialism Limited, a UK‑registered firm whose director changes link the service to privacy‑focused entities like Njalla and to former Pirate Bay founders. On 27 February the AS39287 prefix housing Beamed’s IP space switched operators three times, coinciding with Let’s Encrypt issuing new apex certificates for Canonical’s repositories. The timing fuels speculation that the outage was leveraged for profit, not extortion.