PowerOFF widens global strike on DDoS trade

A sweeping international law-enforcement campaign has disrupted one of the cybercrime market’s most accessible attack models, with authorities saying Operation PowerOFF warned more than 75,000 suspected users of distributed denial-of-service-for-hire services, took down 53 domains, issued 25 search warrants and made four arrests during a coordinated action week on 13 April. The effort, backed by Europol and involving agencies from 21 countries, targeted both the operators and customers of so-called booter platforms that let users pay to overwhelm websites and servers with malicious traffic.

The latest phase marks a broader shift in cyber policing: not only seizing infrastructure, but also trying to deter first-time and low-level offenders before they move deeper into the criminal ecosystem. Authorities said warning emails and letters were sent to identified users, while parallel disruption measures included the removal of more than 100 URLs advertising illegal DDoS services from search results and messages placed on blockchains used for payments linked to such activity.

Booter or stresser services have long occupied a grey space in the public imagination, often presenting themselves as tools for network stress-testing. Law-enforcement agencies have repeatedly argued that the model becomes criminal when users do not own, or lack permission to test, the systems being targeted. Earlier United States court documents tied to booter seizures described a market used by hundreds of thousands of registered users to launch millions of attacks against schools, universities, financial institutions and government sites, underlining why authorities regard the services as more than juvenile mischief.

This month’s operation also lands after a separate March takedown of four large botnets — Aisuru, KimWolf, JackSkid and Mossad — that investigators said had infected more than 3 million internet-connected devices, many of them webcams, digital video recorders and routers. According to officials, those botnets were used to carry out hundreds of thousands of DDoS attacks around the world, including against systems linked to the United States Department of Defense. German investigators said searches were carried out in Germany and Canada and that cryptocurrencies along with digital evidence were seized.

The overlap between botnet takedowns and the PowerOFF campaign highlights the industrial structure of the DDoS-for-hire economy. The customer-facing websites are only one layer; behind them sits a deeper technical supply chain made up of infected consumer devices, leased infrastructure, payment rails and user databases. Reporting on the April action said investigators also obtained access to databases containing more than 3 million criminal accounts, giving authorities a wider picture of how these services recruit, retain and monetise users.

That matters because the market remains resilient even after repeated disruption efforts. Operation PowerOFF has been running since 2017, and law-enforcement agencies have spent years seizing domains and prosecuting operators, yet attack capacity has continued to expand. Industry data show the threat environment has become more intense rather than less. Cloudflare said DDoS attacks more than doubled in 2025 to 47.1 million, while NETSCOUT reported more than 8 million attacks globally in the second half of 2025 alone and said the apparent stability in volume masked deeper changes in sophistication and capacity.

Those same industry reports indicate why the authorities are trying to move upstream and downstream at once. Cloudflare said hyper-volumetric network-layer attacks surged sharply in 2025 and recorded a 31.4 terabits-per-second attack, while NETSCOUT said botnet-driven campaigns were growing in scale and increasingly targeting critical infrastructure. The implication is that cheap, easy-to-use booter services are plugging into a much more powerful underlying attack environment than in earlier years, giving even unsophisticated users access to outsized disruptive capability.

The agencies involved in the April operation came from across Europe as well as Australia, Brazil, Japan, Thailand, Britain and the United States, reflecting how the customer base and infrastructure for these services now span jurisdictions. That breadth helps explain why investigators have leaned on simultaneous seizures and mass notification campaigns rather than country-by-country enforcement. By targeting domains, payment traces, search visibility and user records at the same time, agencies are trying to raise the cost of running or using these services and to undermine the perception that short-lived DDoS attacks are anonymous, low-risk offences.


