ciso brief

All news with #ddos tag

122 articles

Dutch raid seizes servers, arrests hosting co-owners

🛡️ Dutch authorities arrested two co-owners of related hosting companies and seized over 800 servers on May 18, alleging they operated infrastructure used by Russia for cyberattacks and influence operations targeting the EU. The arrests follow investigative reporting that linked MIRhosting and WorkTitans to Stark Industries, an ISP sanctioned by the EU for facilitating DDoS, proxy, and anonymity services tied to Russia-backed actors. Officials searched businesses and data centers and charged the suspects with violating sanctions law by making economic resources available to sanctioned entities. Both suspects deny wrongdoing and one company says it has paused services to the implicated client pending internal review.

Global takedown of criminal VPN service First VPN

🔎 Authorities across Europe and North America announced a coordinated operation that dismantled First VPN, a criminal virtual private network service used to obscure ransomware, data theft, scanning, and DDoS activity. Led by France and the Netherlands with support from many countries and agencies since December 2021, investigators executed concurrent actions in May 2026, seizing servers, domains, and infrastructure while interviewing the service administrator. Europol and the FBI say First VPN marketed anonymity to cybercriminals on Russian-language forums, offered multiple protocols and payment methods, and provided exit nodes across 27 countries used by at least 25 ransomware groups.

Canadian Arrest Over KimWolf DDoS Botnet Operations

🔍 Canadian and U.S. authorities arrested 23-year-old Jacob Butler (aka "Dort") in Ottawa under an extradition warrant after unsealing a criminal complaint in the District of Alaska linking him to the KimWolf DDoS botnet. Investigators tied Butler to the botnet through IP address logs, transaction records, and online messages, and he now faces a charge of aiding and abetting computer intrusions with a potential 10-year sentence. KimWolf operated as a DDoS-for-hire service that enslaved nearly two million devices and powered attacks up to nearly 30 Tbps, causing substantial global disruption and financial losses.

Canadian Arrest Tied to Kimwolf DDoS Botnet

🛡️ The U.S. Department of Justice announced the arrest of 23-year-old Canadian Jacob Butler (aka Dort) for allegedly operating the Kimwolf DDoS botnet, a variant of AISURU. The botnet enslaved devices like digital photo frames and webcams and was offered via a cybercrime-as-a-service model to launch global attacks, including against DoD network addresses. Authorities linked Butler through IP, account data, and Discord messages, and charged him with aiding and abetting computer intrusion.

CloudFront Premium Now Offers Configurable Flat-Rate Plans

🚀 Amazon CloudFront's Premium flat-rate plan now offers multiple self-service monthly usage tiers ranging from 500 million to 6 billion requests and 50 TB to 600 TB. Customers can select and change their tier in the CloudFront console with instant pricing and no commitment. All Premium features — including AWS WAF, DDoS protection, bot management, Amazon Route 53 DNS, Amazon CloudWatch Logs ingestion, serverless edge compute, and Amazon S3 storage credits — are included with no overage charges.

Defending Consumer Web Properties Against Modern DDoS

🔐 Modern DDoS attacks have evolved from simple volumetric floods to multi-vector, application-layer abuse amplified by AI-enabled tooling and expansive botnets. Microsoft reports a sharp rise in attack volume since mid‑March 2024 and urges a system-level, defense-in-depth approach that combines fingerprinting (JA4), layered controls, and operational visibility. Cloud-native protections such as Azure DDoS Protection and Azure WAF help when integrated with resilient application design and pretested graceful-degradation plans.

Mirai-Derived xlabs_v1 Botnet Exploits ADB Devices

🛡️ Hunt.io has uncovered a Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to conscript them into DDoS campaigns. The malware supports 21 flood variants across TCP, UDP, and raw protocols and is offered as a DDoS-for-hire service aimed at game servers and Minecraft hosts. It targets devices with ADB enabled by default—such as Android TV boxes, set-top boxes, smart TVs—and includes multi-architecture binaries for routers and IoT hardware. The bot probes device bandwidth to tier victims and uses a "killer" subsystem to evict competing malware.

DDoS Surge During Milano Cortina 2026 Winter Games

📈 The Milano Cortina 2026 Winter Games coincided with a dramatic rise in DDoS activity against Italian infrastructure, with attack frequency increasing 181% year-over-year from 2025. NETSCOUT ASERT recorded 12,963 attacks during the core Games window (Feb 6–23), peaking at more than 2,200 attacks on single days and shifting tactics from high-bandwidth floods to packet-rate–intensive vectors. The hacktivist group NoName057(16) dominated public claims, while ransomware groups and other actors also asserted responsibility. Adaptive defenses such as NETSCOUT ATLAS and Arbor products were highlighted as important mitigations.

What Is a Botnet? Risks, Architecture, and Defenses

🤖 A botnet is a network of compromised internet-connected devices controlled by attackers to perform coordinated criminal tasks such as DDoS, spam, crypto-mining, or malware distribution. Modern botnets use distributed architectures — from centralized command-and-control servers to peer-to-peer propagation — and often hide control traffic via IRC, HTTP, Telnet, or even public platforms. Defenders combine user training, patching, IoT hardening, antivirus, traffic filtering and CDN services with threat hunting methods like flow analysis and malware reverse-engineering.

Amazon CloudFront Adds WebSockets Support for VPC Origins

🔒 Amazon CloudFront now supports WebSockets through VPC origins, allowing customers to host real-time, bidirectional applications entirely in private subnets. You can place Application Load Balancers, Network Load Balancers, and EC2 instances inside private subnets and expose them via a CloudFront distribution as the single entry point. This reduces attack surface, simplifies security management, and brings built-in DDoS protection to WebSockets workloads. WebSockets via VPC origins is available in all AWS Commercial Regions that support VPC origins at no additional cost.

Romanian Leader of Swatting Ring Sentenced to 4 Years

🚨 A Romanian national, Thomasz Szabo, was sentenced to four years in U.S. federal prison after pleading guilty to conspiracy and threats involving explosives. Extradited from Romania in November 2024, Szabo led an online swatting community that organized bomb threats and swatting calls beginning in late 2020 and targeting more than 75 public officials, journalists, and religious institutions. The court also ordered three years of supervised release.

Anti-DDoS Firm Accused of Enabling Attacks on ISPs

🛡️ A Brazilian DDoS-mitigation firm, Huge Networks, was implicated in enabling a Mirai-based botnet that launched sustained DDoS attacks against regional Brazilian ISPs. An exposed archive contained Portuguese Python attack scripts, private SSH keys belonging to CEO Erick Nascimento, and tooling that mass-scanned for TP-Link Archer AX21 devices vulnerable to CVE-2023-1389. The CEO says the malicious activity followed a January 2026 intrusion, that affected droplets were wiped and keys rotated, and that a third-party forensics firm has been engaged.

Mirai Variant 'Nexcorium' Exploits TBK DVR, TP‑Link Flaws

🔒 Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 report that threat actors are exploiting a command injection flaw, CVE-2024-3721, in TBK DVR devices to deliver a Mirai-family loader tracked as Nexcorium. The loader installs architecture-specific binaries, establishes persistence via crontab and systemd, and uses hard-coded credential lists plus an exploit for CVE-2017-17215 to spread to Huawei HG532 devices. Unit 42 also observed automated scans targeting EoL TP-Link routers via CVE-2023-33538, though initial attempts were flawed and did not achieve compromise. Researchers warn that unpatched, unsupported IoT devices and default credentials continue to enable large-scale DDoS botnets and recommend replacing EoL hardware and removing default passwords.

Nexcorium Mirai Variant Exploits TBK DVR Vulnerability

🛡️ FortiGuard Labs analyzed exploitation of CVE-2024-3721 against TBK DVR devices that delivered a Mirai-style, multi-architecture botnet named Nexcorium. The campaign used a downloader called "dvr" (nexuscorp-prefixed binaries) and a custom "X-Hacked-By" HTTP header linked to a suspected "Nexus Team" actor. Nexcorium includes scanning, brute-force credential lists, multiple persistence methods, integrity checks, and a broad DDoS toolkit controlled by a central C2.

International Operation Takedown of DDoS-for-Hire Services

🔒 A multinational law enforcement operation disrupted DDoS-for-hire infrastructure, seizing servers and databases and resulting in 53 domains being taken down and four arrests. Operation PowerOff, coordinated across 21 countries and outlined by Europol on April 16, removed backend components and more than 100 URLs advertising these services. Authorities recovered data on over three million criminal user accounts, sent roughly 75,000 warning notices to identified users, and posted additional warnings to cryptocurrency platforms to limit further abuse.

Operation PowerOFF Seizes 53 DDoS Domains, Four Arrested

🔒 Operation PowerOFF disrupted 53 domains tied to commercial DDoS-for-hire services and resulted in four arrests. Authorities seized servers and supporting infrastructure and obtained access to databases containing over 3 million criminal user accounts linked to more than 75,000 alleged attackers, issuing 25 search warrants. Law enforcement partners across 21 countries coordinated domain seizures, infrastructure disruption, and notification efforts to hinder further attacks and support follow-up investigations.

Operation PowerOFF IDs 75K DDoS Users, Shuts Domains

🔎 Operation PowerOFF has notified more than 75,000 suspected users of DDoS-for-hire platforms and taken 53 domains offline as part of a coordinated international law enforcement effort. Supported by Europol and authorities across 21 countries, the action included four arrests, 25 search warrants, and the dismantling of critical booter infrastructure. The operation is now shifting into a prevention phase featuring awareness campaigns, search-engine ad interventions, URL removals, and on-chain payment warnings to deter future abuse.

Cloudflare Reaches 500 Tbps Capacity Across 330+ Cities

🚀 Cloudflare announced it has provisioned 500 Tbps of external interconnection capacity across 330+ cities, a milestone reflecting 16 years of global network scaling. This figure represents aggregate provisioned ports to transit providers, IXPs, private peers and CNI — not peak traffic, with the unused portion reserved as the DDoS budget. The company attributes resilience to running security and developer platforms on every server and to automated, server‑level mitigation using eBPF, dosd and global propagation via Quicksilver.

Arelion Enhances DDoS Defenses with NETSCOUT Arbor

🛡️ Arelion has expanded its DDoS protection capabilities by deepening its partnership with NETSCOUT, building on over 16 years of collaboration. NETSCOUT introduced enhancements — Sightline with the Sentinel orchestration add-on, the ATLAS Intelligence Feed (AIF) for TMS, and Adaptive DDoS Protection (ADP) — to improve automation, threat intelligence, and mitigation scaling. These upgrades increase visibility and automated response across Arelion’s global backbone, improving protection for both internal systems and customer services.

NETSCOUT Arbor Threat Mitigation Wins Multiple G2 Badges

🛡️ NETSCOUT’s Arbor Threat Mitigation System (TMS) earned five G2 winter 2026 badges, including Leader distinctions for Enterprise DDoS Protection, DDoS Protection, and Web Security, plus a regional nod in Asia. Arbor Sightline also secured a leader badge for enterprise network management. G2 awards reflect verified user reviews and NETSCOUT’s market presence; customers praise AI/ML-driven visibility, automated defenses, and carrier-grade, hybrid/cloud mitigation.