Operation PowerOFF Takes Down 53 DDoS Domains, Reveals 3 Million Criminal Accounts

Key Findings


  • 53 DDoS-for-hire domains seized across 21 countries in coordinated operation

  • Four suspects arrested in connection with commercial DDoS services

  • Databases containing over 3 million criminal user accounts accessed

  • More than 75,000 cybercriminals identified and warned via email and letters

  • 25 search warrants issued as part of ongoing investigation

  • Operation PowerOFF demonstrates escalating law enforcement focus on dismantling DDoS infrastructure


Background


Operation PowerOFF represents a significant international law enforcement effort targeting the DDoS-for-hire ecosystem, commonly known as "booter services." These platforms operate on a simple premise: for a fee, even technically unsophisticated users can purchase access to launch powerful distributed denial-of-service attacks against websites, servers, and networks. These services have become one of the most prolific and accessible entry points into cybercrime, lowering barriers to entry for criminals worldwide. On April 13, 2026, law enforcement agencies from 21 countries coordinated simultaneous action against this infrastructure.


Scale of Criminal Operations


The sheer number of identified accounts reveals the breadth of DDoS-for-hire adoption among cybercriminals. Over 75,000 criminal users were leveraging these services, indicating that DDoS attacks have become a common tool across multiple crime categories. The fact that authorities gained access to databases containing more than 3 million user accounts suggests these platforms maintained extensive records of their customer base. This data proved invaluable for law enforcement, enabling coordinated global warning campaigns and ongoing investigations into individual users.


International Coordination


The operation united authorities from diverse regions: Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the United Kingdom, and the United States. This geographic spread reflects both the global nature of DDoS-for-hire services and the coordinated commitment of law enforcement to combat cybercrime at scale. The 25 search warrants issued simultaneously across jurisdictions prevented suspects from coordinating escape or destroying evidence.


Motivations Behind DDoS Attacks


Criminals use DDoS services for varied purposes extending far beyond simple disruption. Financial extortion remains common, with attackers threatening to launch attacks unless victims pay ransom. Ideological actors engage in hacktivism, targeting organizations aligned with opposing viewpoints. Some attackers seek competitive advantage by disrupting rival businesses. Others pursue harassment campaigns or act out of curiosity. Well-resourced threat actors sometimes use these services to test and optimize their own sophisticated attack infrastructure. Notably, some service operators deliberately mask their offerings as legitimate "stress-testing tools" to evade detection, though stress-testing requires explicit permission from network owners.


Disruption Strategy


Law enforcement's approach focused on dismantling the technical backbone supporting DDoS operations. By seizing servers, databases, and associated infrastructure, authorities directly hindered attack capabilities. Seizure banners now greet visitors to the seized domains, informing them of the illegal nature of DDoS services and warning of prosecution. The U.S. Department of Justice seized eight prominent DDoS-for-hire domains, including Vac Stresser and Mythical Stress, which had conducted thousands of attacks daily. This infrastructure removal creates immediate operational friction for would-be attackers.


Prevention and Public Awareness


Beyond enforcement actions, authorities launched multi-channel prevention campaigns. Advertising targeted potential cybercriminals searching for DDoS services online, emphasizing legal consequences. Over 100 malicious URLs were removed from circulation. Warning messages were sent through blockchain-based payment channels commonly used by criminals. Law enforcement updated official resources to educate the public about DDoS illegality and risks. The coordinated warning emails and letters to identified criminal users represented perhaps the most direct deterrent, putting individuals on notice that their identities and activities are known to authorities.


Context and Momentum


Operation PowerOFF builds on escalating law enforcement momentum against DDoS infrastructure. In December 2024, authorities had disrupted 27 popular platforms and arrested three administrators in France and Germany. In August 2025, the U.S. dismantled the RapperBot botnet, which had been conducting large-scale attacks across more than 80 countries since at least 2021. These successive operations demonstrate sustained commitment and improving international coordination in targeting criminal DDoS ecosystems.


Sources


  • https://thehackernews.com/2026/04/operation-poweroff-seizes-53-ddos.html

  • https://securityaffairs.com/190932/cyber-crime/operation-poweroff-53-ddos-domains-seized-and-3-million-criminal-accounts-uncovered.html

  • https://www.socdefenders.ai/item/a6ab7069-8fbe-492e-91be-69a076cf397c

  • https://x.com/TheCyberSecHub/status/2045032162509103136

  • https://www.cypro.se/2026/04/17/operation-poweroff-seizes-53-ddos-domains-exposes-3-million-criminal-accounts/


© 2025 by Explain IT Again.
