A sweeping international law enforcement action has dismantled 53 DDoS-for-hire platforms and exposed over 3 million user accounts tied to cybercriminals who paid to launch distributed denial-of-service attacks against businesses, government agencies, gaming networks, and critical infrastructure.
The operation, dubbed Operation PowerOFF, was coordinated by Europol and involved agencies from 21 countries — including Australia, Belgium, Brazil, Denmark, Finland, Germany, Japan, the Netherlands, the United Kingdom, and the United States — during an action week beginning April 13, 2026.
What Was Seized
Law enforcement agencies took down 53 domains linked to commercial DDoS-as-a-service platforms — sometimes called "booters" or "stressers" — that offered attack-for-hire subscriptions to anyone willing to pay. These platforms eliminated the technical barrier to launching DDoS attacks: customers simply entered a target IP address and a payment, and the platform did the rest.
In addition to the domain seizures, investigators gained access to backend databases containing more than 3 million registered user accounts. Those records included email addresses, IP addresses, payment histories, and attack logs showing which targets were hit and when.
Authorities also:
- Issued 25 search warrants in multiple countries
- Made 4 arrests of individuals connected to platform administration
- Removed over 100 related URLs from major search engine results
- Placed targeted advertisements on search engines to redirect people searching for DDoS tools to law enforcement warning pages
75,000 Users Notified
One of the more unusual elements of Operation PowerOFF is an active user notification campaign. Rather than simply seizing the platforms and moving on, law enforcement is sending direct messages to an estimated 75,000 identified users whose accounts appeared in seized databases.
The notifications inform recipients that their use of the platforms has been logged, their identities have been identified, and that further criminal activity may result in prosecution. Authorities also targeted blockchain payment wallets associated with criminal DDoS payments, placing warning messages directly in transaction metadata.
Europol described the strategy as designed to create a "deterrence effect" — making it clear to would-be attackers that the anonymity of purchasing an attack subscription does not insulate them from law enforcement attention.
The DDoS-for-Hire Ecosystem
The platforms disrupted in Operation PowerOFF represent the lower end of the DDoS threat landscape — tools marketed to script kiddies, disgruntled gamers, and petty extortionists rather than sophisticated nation-state operators. Subscriptions typically cost between $10 and $200 per month and offered attack traffic measured in tens to hundreds of gigabits per second.
Despite their accessibility, booter services have caused significant real-world damage. Prior Operation PowerOFF actions (the operation has run in several phases since 2018) identified platforms responsible for millions of attacks globally, including attacks on hospitals, schools, and emergency services.
The DDoS-for-hire market has proven resilient: platforms are typically rebuilt or replaced within weeks of takedowns. This iteration's user-notification strategy appears designed to attack the customer base rather than just the infrastructure, making it harder for replacement platforms to rebuild their user pools.
What Comes Next
Europol has not disclosed which specific platforms were taken down, keeping that information close as prosecutions proceed. However, the volume — 53 domains simultaneously — suggests a broad sweep across multiple provider networks rather than a targeted strike against one or two major operators.
Cybersecurity researchers and incident responders note that DDoS activity should be expected to temporarily decline for customers of the disrupted platforms before migrating to surviving services or newly stood-up replacements.
Organizations that experienced unexplained network availability issues in the weeks before the takedown may find it worthwhile to correlate those events against the timing of the Operation PowerOFF action week (April 13–17, 2026).
Protecting Your Organization
While law enforcement actions reduce supply-side DDoS capacity, organizations should maintain their own defenses:
- Deploy DDoS mitigation upstream: CDN-level or transit-level scrubbing absorbs volumetric attacks before they reach your infrastructure
- Rate-limit API and application endpoints: Layer 7 flood attacks bypass network-level filtering
- Establish an incident playbook: Know your ISP's abuse contact, your CDN's DDoS response process, and your internal escalation chain before an attack occurs
- Monitor for reconnaissance: SYN sweeps and port scans often precede DDoS attacks — alert on anomalous inbound traffic patterns
- Test your limits: Know your infrastructure's baseline capacity so you can recognize an attack quickly
Sources: The Hacker News, Europol, BleepingComputer