Overview
An international law enforcement operation dubbed Operation PowerOFF has delivered a significant blow to the global DDoS-for-hire ecosystem. The coordinated action seized 53 domains tied to commercial booter and stresser services, arrested four individuals, and exposed the account data of over 3 million registered users of these criminal platforms.
The ongoing operation, involving agencies from multiple countries under Europol and Interpol coordination, disrupted services used by more than 75,000 cybercriminals to launch distributed denial-of-service attacks against gaming platforms, financial services, government websites, and critical infrastructure.
What Are DDoS-for-Hire Services?
DDoS-for-hire platforms, commonly called booters or stressers, allow paying customers to launch volumetric DDoS attacks against arbitrary targets with no technical expertise required. Subscription packages typically range from a few dollars per month to hundreds of dollars for high-bandwidth attack capacity.
These services have been directly responsible for:
- Disruption of online gaming networks and streaming platforms
- Extortion attacks against small businesses demanding ransom to stop attacks
- Political and ideological attacks against government and NGO websites
- Infrastructure attacks targeting ISPs and hosting providers
Operation Details
Domains Seized
Law enforcement agencies seized 53 domains that served as the front-end web presence for DDoS-for-hire platforms. The domains were replaced with standard law enforcement seizure pages, immediately disabling attack-launch functionality for paying customers.
Arrests
Four individuals were arrested in connection with operating or administering the seized platforms. Law enforcement has not publicly identified all suspects, but at least one arrest was made in Europe and one in North America.
Criminal Account Exposure
Perhaps most significantly for deterrence, Operation PowerOFF resulted in the exposure of over 3 million registered criminal accounts across the seized platforms. Law enforcement agencies indicated that they are actively cross-referencing this data with other criminal investigations to identify and prosecute customers who paid to launch attacks.
This approach — targeting not just operators but paying users — represents a meaningful escalation in the operational strategy behind Operation PowerOFF.
Timeline of Operation PowerOFF
Operation PowerOFF has been running as an ongoing international effort since 2018, with major action waves in:
- 2018: Initial takedowns targeting European booter services
- 2022: 48 domains seized in a coordinated US-EU-UK action
- 2023: Six arrests and dozens of domains taken down
- 2024: Focus on cryptocurrency payment infrastructure supporting booters
- 2026: Current wave — 53 domains, 4 arrests, 3 million accounts exposed
Implications for Defenders
Organizations that have previously been targeted by DDoS campaigns should take this as an opportunity to review and strengthen resilience posture:
- DDoS mitigation services — Ensure cloud-based DDoS scrubbing is in place, particularly for externally accessible services.
- Anycast routing — For DNS and other critical services, anycast routing distributes attack traffic globally, reducing single-point-of-failure exposure.
- Rate limiting and traffic shaping — Configure upstream rate limiting at the edge to absorb volumetric attacks.
- Incident response planning — Confirm that your DDoS response runbook is current and your mitigation provider contacts are up to date.