The company that ran the online voting system used to help choose the winner of the weekend's NDP leadership race is now blaming several hours of delays on a "malicious, massive" attack on its voting system.

In a news release, Barcelona-based Scytl said "well over 10,000 malevolent IP addresses" were used in a Distributed Denial of Service attack, which generated hundreds of thousands of false voting requests to the system.

"We deeply regret the inconvenience to NDP voters caused by this malicious, massive, orchestrated attempt to thwart democracy," Susan Crutchlow, general manager of Scytl Canada, said in a statement.

The attack effectively "jammed up the pipe" into the voting system, delaying voter access, the statement said.

"This network of malevolent computers, commonly known as a 'botnet,' was located on computers around the world but mainly in Canada."

The system slowdown was a frustration for delegates at the NDP convention on Saturday in Toronto, who had been told they would be able to cast their ballots online to avoid long lineups at the Toronto convention.

However, many members could not access the system at all, or their attempt to vote timed out.

Because of the delays, Thomas Mulcair was not declared the winner until around 9 p.m. ET. Results were originally expected by late afternoon, and many delegates eventually left the convention before the results were in.

Sally Housser, NDP convention organizer and the party's acting deputy national director, said Scytl was able to "quickly identify" the problem and fix it.

Despite the voting headaches, "ultimately, we had a great convention over the weekend," she told CTV's Power Play.

The NDP is investigating and has not ruled out calling police if there is evidence of a potential cyber crime, Housser said.

"We're not going to get into any form of speculation about who or what may have been able to co-ordinate this until we get more information," she said.

Denial-of-service attacks are "fairly common" online, digital public affairs strategist Mark Blevis told Power Play.

Typical targets include government and e-commerce websites, he said.

"It's relatively easy to do, it's malicious enough without actually, say, breaking the law by, for example, stealing credit card numbers," Blevis said.

Despite the slowdown, Scytl bragged in the news release that security was not compromised and the integrity of the system was not affected.

"While the attack temporarily slowed down the voting process, at no time was Scytl's highly sophisticated security system penetrated," the release stated, noting that an independent audit by Price Waterhouse Coopers confirmed no ballots were affected.

The statement said a team of 12 high-level personnel were brought in as soon as the problem was identified as an external attack, and "Scytl was able to allow the voting process to proceed with an overall three-hour delay."

Crutchlow praised the NDP for its "level-headed" response to the problems.

"They were calm and co-operative and extended the voting time to ensure the integrity of the process, even in the face of media criticism and groundless speculation," Crutchlow said in the statement.

At first, long delays were attributed by the party to larger-than-expected voter turnout.

However, only about 9,500 votes of the 65,000 total were generated on the weekend, with the vast majority of party members voting in advance.

Scytl is based in Barcelona and has subsidiaries in Toronto, Baltimore, New Delhi, Athens and Kiev.