On April 21, 2025, Adyen, a major Dutch payment processor, was targeted by a series of three DDoS attacks. The attacks disrupted Adyen’s payment services, including online and in-store payment systems, for several hours. The first attack occurred at 7:00 p.m., followed by additional waves at 8:35 p.m. and 11:35 p.m. Adyen reported that the attacks caused “limited availability” of its services, leading to payment difficulties for some users in Europe.
Adyen’s engineers immediately began working to mitigate the impact of the DDoS attacks, which caused saturation of critical infrastructure components. The attack targeted services within Adyen’s European data centers, resulting in intermittent service outages and degraded performance for several hours. The affected services included customer-facing applications, ecommerce platforms, and transaction processing systems, with disruptions primarily impacting payment transactions between 6:51 p.m. and 7:35 p.m. CEST. Despite these challenges, Adyen was able to restore services by 3:20 a.m. CEST on April 22, 2025.
The company employed various mitigation strategies during the attack, including the activation of anti-DDoS protections and scaling its defenses.
Adyen’s engineers deployed filtering rules to block malicious traffic and offloaded it from affected services to reduce further impact. While most services were restored quickly, some services, including checkout integrations, remained impacted throughout the incident.
Adyen is continuing to monitor the situation and prevent future attacks by deploying more robust defenses. A post-incident review and root cause analysis will be conducted to evaluate the attack’s impact and improve long-term resilience. The company acknowledged the importance of platform reliability and assured customers that the business would continue working on securing its services.
Reference: