
Disruption of 53 DDoS-for-hire domains in global law enforcement operation

2 unique sources, 2 articles

Summary

Law enforcement agencies from 21 countries executed Operation PowerOff, a coordinated takedown of 53 domains linked to DDoS-for-hire services. Four individuals were arrested, 25 search warrants executed, and over 3 million criminal user accounts exposed. Infrastructure was seized to disrupt ongoing attacks, and 75,000 warning communications were sent to identified service users. The operation expanded into a prevention phase targeting remaining online resources, including the removal of over 100 URLs from search engines and warnings placed on cryptocurrency and blockchain platforms used by cybercriminals. Europol described DDoS-for-hire services as one of the most accessible cybercrime trends, enabling low-skilled attackers to execute disruptive attacks.

Timeline

  1. 17.04.2026 09:40 · 2 articles

    Global takedown of 53 DDoS-for-hire domains in Operation PowerOff

    The article reinforces the global scope of Operation PowerOff, confirming the involvement of 21 countries, the seizure of 53 booter service domains, and the arrest of four individuals. It adds technical context from Europol and the FBI, highlighting the prevention phase including the removal of over 100 DDoS-for-hire advertising URLs from search engines and warnings posted to cryptocurrency and blockchain platforms used by cybercriminals. Infrastructure seizures and the exposure of 3 million criminal user accounts are reiterated, along with the issuance of 75,000 warnings to service users.

Similar Happenings

Hacktivist-Driven DDoS Attacks Dominate Public Sector Cyber Incidents

Distributed denial of service (DDoS) attacks, primarily driven by hacktivist groups, represented the majority of cybersecurity incidents in the public sector in 2024. Although DDoS attacks were the most frequent, data breaches and ransomware incidents caused significant disruption. The public sector, which manages large volumes of sensitive data and delivers critical services, remains a key target for cyber threats. The European Union Agency for Cybersecurity (ENISA) reported that 60% of cybersecurity incidents in the public sector were DDoS attacks, with 63% attributed to hacktivist groups. Cybercriminals and state actors were responsible for most of the remaining incidents, which included data breaches and ransomware attacks. The public sector's resilience to cyber threats is still not optimal, and ENISA warns of increased attacks in the mid- to long-term.

Technology Sector Surpasses Gaming as Top DDoS Attack Target in Q1–Q2 2025

The Gcore Radar report for Q1–Q2 2025 reveals a 41% year-on-year increase in DDoS attack volume, with the technology sector now the most targeted, surpassing gaming. The largest recorded attack peaked at 2.2 Tbps, demonstrating growing scale and sophistication in DDoS campaigns. Attacks are longer, multi-layered, and increasingly target web applications and APIs. The financial services industry remains a significant target, facing heightened risks. The report highlights the rising complexity and impact of DDoS attacks, driven by accessible attack tools, vulnerable IoT devices, geopolitical tensions, and advanced attack techniques. The shift in targeted industries and the increasing use of multi-vector and application-layer attacks underscore the need for robust, proactive defenses.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

The Aisuru/Kimwolf botnet ecosystem has reached a critical disruption milestone after a multi-national law enforcement operation led by the U.S. Department of Justice (DoJ), alongside Canadian and German authorities, successfully dismantled the command-and-control (C2) infrastructure of four interconnected botnets—AISURU, Kimwolf, JackSkid, and Mossad—on March 20, 2026. This court-authorized takedown, supported by 18+ tech firms (including Akamai, Cloudflare, Google, AWS, and Oracle), targeted the botnets’ 3 million+ infected devices (including 2 million+ Android TVs, routers, DVRs, and IoT cameras), which had been weaponized to launch record-breaking DDoS attacks (e.g., 31.4 Tbps in November 2025) and hyper-volumetric campaigns averaging 3 Bpps, 4 Tbps, and 54 Mrps. The botnets’ cybercrime-as-a-service model enabled operators to sell access to compromised devices for DDoS extortion, residential proxy monetization, and lateral movement in corporate/government networks, with hundreds of thousands of attack commands issued across sectors like telecom, gaming, IT, and critical infrastructure. The disruption severed C2 communications, aiming to prevent further infections and eliminate the botnets’ ability to launch future attacks, including those targeting U.S. Department of Defense (DoD) networks. Despite this first major law enforcement strike, persistent infections and operator evasion tactics (e.g., ENS-based C2, decentralized proxy abuse) underscore the ongoing challenge of full eradication. Prior milestones include the botnets’ accidental Sybil attack on the I2P anonymity network (February 2026), their exploitation of residential proxy networks (IPIDEA) for internal network infiltration (January 2026), and Google’s takedown of IPIDEA (January 29, 2026), which reduced millions of proxy exit nodes.
The DoJ’s action follows a year of escalating hyper-volumetric attacks, including Cloudflare’s mitigation of 47.1 million DDoS attacks in 2025 (a 100% YoY increase) and Akamai’s reports of attacks exceeding 30 Tbps/14 Bpps. While the operation marks a significant blow to the botnets’ operational capacity, their adaptive resilience and global scale of infections demand continued vigilance.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. 
Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy. Additionally, Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.