# Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts


An international law enforcement coalition has dealt a significant blow to the distributed denial-of-service (DDoS)-for-hire economy, seizing 53 domains, arresting four suspected operators, and obtaining data on more than three million user accounts tied to commercial attack platforms that served an estimated 75,000 cybercriminals. The coordinated takedown, carried out under the continuing banner of Operation PowerOFF, represents one of the most expansive disruptions of the so-called "booter" and "stresser" ecosystem to date and exposes the identities and operational histories of a massive swath of the paid DDoS underground.


## Background and Context


Operation PowerOFF is a long-running, multi-jurisdictional effort led by Europol and the U.S. Department of Justice, with participation from the FBI, the U.K. National Crime Agency, the Dutch National Police, the German Federal Criminal Police (BKA), and law enforcement agencies across more than a dozen additional countries. Since its first major wave of takedowns in 2018, the operation has systematically targeted commercial DDoS platforms — websites that, for subscription fees ranging from a few dollars to several hundred per month, allow any paying customer to direct floods of junk traffic at a target of their choosing.


The latest phase, coinciding with the pre-holiday period when DDoS attacks historically spike against gaming networks, financial services, and e-commerce platforms, expands the operation's footprint considerably. Where earlier waves dismantled individual flagship services such as webstresser.org, quantum-stress.net, and stresser.net, this iteration went broader, targeting a constellation of 53 storefronts that collectively acted as the retail front end of the DDoS industry. Investigators say the seized infrastructure handled millions of attacks against schools, hospitals, government portals, online games, and critical private-sector services.


The exposure of three million user accounts is particularly consequential. Booter customers have long operated under the false assumption that payment obfuscation, VPN use, and throwaway email addresses provide adequate cover. The seized account databases contain payment records, IP logs, attack histories, chat transcripts, and in many cases reused identifiers that directly link pseudonymous accounts to real-world identities.


## Technical Details


DDoS-for-hire platforms are essentially software-as-a-service products for cybercrime. Customers log into a web dashboard, enter a target IP address or domain, choose an attack method, specify a duration, and click "launch." The attack is executed by back-end "stresser" infrastructure comprising botnets of compromised devices (IoT cameras, routers, servers) and networks of vulnerable internet-facing services used for reflection and amplification.


The seized platforms offered a familiar menu of attack vectors:


  • Volumetric reflection/amplification attacks leveraging misconfigured DNS, NTP, Memcached, CLDAP, and SSDP servers to multiply traffic by factors of 50× to 50,000×.
  • Layer 7 HTTP/HTTPS floods designed to exhaust web server worker pools with seemingly legitimate requests, frequently routed through residential proxy networks to defeat IP-based filtering.
  • TCP state-exhaustion attacks (SYN floods, ACK floods, RST floods) targeting firewalls, load balancers, and stateful middleboxes.
  • Protocol-specific attacks against online games using custom UDP payloads crafted to bypass generic anti-DDoS scrubbing.

Investigators report that several of the seized services advertised capacity in the hundreds of gigabits per second, with premium tiers claiming the ability to sustain multi-terabit bursts — figures consistent with observed attacks over the past year. The services typically laundered subscription payments through cryptocurrency mixers, prepaid cards, and compromised PayPal accounts, though forensic analysis of the seized servers has reportedly recovered substantial transaction records that law enforcement can correlate with blockchain analytics.


## Real-World Impact


For defenders, the most immediate significance is the sheer scale of the customer base exposed. Organizations that have been targeted by booter-driven attacks now have a realistic prospect of attribution, civil recovery, and — for attacks against regulated sectors — criminal referrals against specific individuals. Incident responders holding unattributed DDoS cases from the past several years should consider revisiting those investigations in light of the newly available data.


Downstream effects on the threat landscape are likely to include a short-term decline in low-skill DDoS activity, followed by customer migration to surviving platforms and decentralized alternatives such as Telegram-channel-based attack services. Historically, each wave of Operation PowerOFF has produced a 15 to 30 percent temporary reduction in observed stresser traffic, with capacity recovering within three to six months as displaced operators relaunch under new branding.


Organizations that rely on third-party DDoS scrubbing should not mistake the takedown for lasting relief. The underlying botnet infrastructure — particularly IoT-based networks such as Mirai derivatives — remains intact, and reflection-capable misconfigured servers continue to proliferate across the public internet.


## Threat Actor Context


The four arrested individuals, whose identities have not been publicly disclosed pending charges, are described as administrators and senior operators of multiple seized platforms rather than individual end-users. This follows a deliberate Operation PowerOFF strategy of prioritizing the "top of the stack": platform owners, infrastructure providers, and payment processors, rather than the much larger pool of customers.


Many of the exposed customer accounts are expected to resolve to juvenile or young-adult users, consistent with prior booter takedowns in which the median customer age hovered around 19. Law enforcement agencies, particularly the U.K. NCA and Dutch police, have indicated they will pursue a graduated response — formal warnings and diversion programs for minor users, prosecution for repeat offenders, and full criminal proceedings for those who directed attacks against critical infrastructure, healthcare, or education.


## Defensive Recommendations


Security teams should treat the takedown as an opportunity to reassess baseline DDoS readiness rather than a reason to relax posture. Recommended actions include:


  • Validate upstream mitigation. Confirm contractual scrubbing capacity with ISPs and DDoS providers, and verify that BGP-based or DNS-based failover mechanisms can be triggered within documented RTO targets.
  • Harden Layer 7. Deploy rate limiting, bot-management rules, and JavaScript/CAPTCHA challenges on high-value endpoints; tune WAF signatures for HTTP flood variants.
  • Reduce reflection surface. Audit outbound exposure of DNS, NTP, Memcached, and SSDP services. Unnecessary UDP services should be firewalled; required ones should enforce response-rate limiting.
  • Prepare an attribution playbook. Retain full packet captures and NetFlow data for the duration of any DDoS incident so that, if a source platform is later seized, logs can be cross-referenced against released account data.
  • Tabletop the scenario. Run an exercise that specifically models a sustained Layer 7 attack during peak business hours, including customer communications and regulatory notification timelines.
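The reflection/amplification vectors listed under Technical Details and the "reduce reflection surface" and "attribution playbook" items above share one detection need: spotting, in retained flow data, inbound UDP traffic from the abused service ports (DNS, NTP, Memcached, CLDAP, SSDP) arriving from many reflectors with unusually large packets. The following is an added example (not code from the article or from any vendor or agency it names) that runs that check over constructed NetFlow-style records; the record layout, thresholds and victim address are assumptions.

```python
from collections import defaultdict

# Source ports commonly abused as reflectors/amplifiers (the services named in the article)
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 389: "CLDAP", 1900: "SSDP"}

# Constructed flow records (hypothetical, documentation-range addresses), one per line:
# proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 123 203.0.113.10 41233 1500 702000
udp 198.51.100.8 123 203.0.113.10 41233 1490 697320
udp 198.51.100.9 123 203.0.113.10 41233 1510 706680
udp 198.51.100.10 123 203.0.113.10 41233 1505 704340
udp 192.0.2.53 53 203.0.113.10 53211 3 360
tcp 192.0.2.200 443 203.0.113.10 51000 40 30000
"""


def parse_flows(text):
    """Parse the whitespace-separated record layout assumed above into dicts."""
    flows = []
    for line in text.splitlines():
        proto, src_ip, src_port, dst_ip, dst_port, packets, nbytes = line.split()
        flows.append({"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
                      "dst_ip": dst_ip, "dst_port": int(dst_port),
                      "packets": int(packets), "bytes": int(nbytes)})
    return flows


def detect_reflection(flows, victim, min_sources=3, min_bytes_per_packet=400):
    """Group inbound UDP flows to `victim` by reflection service port and flag a
    service when many distinct reflectors send large average packets. Returns
    {service_name: {"sources": n, "bytes_per_packet": avg, "total_bytes": b}}."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["dst_ip"] != victim or f["src_port"] not in REFLECTION_PORTS:
            continue
        s = stats[f["src_port"]]
        s["sources"].add(f["src_ip"])
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
    alerts = {}
    for port, s in stats.items():
        bpp = s["bytes"] / s["packets"]
        if len(s["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            alerts[REFLECTION_PORTS[port]] = {"sources": len(s["sources"]),
                                              "bytes_per_packet": round(bpp),
                                              "total_bytes": s["bytes"]}
    return alerts


if __name__ == "__main__":
    print(detect_reflection(parse_flows(SAMPLE_FLOWS), "203.0.113.10"))
```

In the sample the single small DNS reply and the TCP session are ignored, while the four large-packet NTP sources are reported as a reflection flood; the flagged reflector addresses are what the attribution playbook would later cross-reference against seized platform logs.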

## Industry Response


Major DDoS mitigation providers including Cloudflare, Akamai, and Radware have publicly welcomed the operation, with several committing to share telemetry with law enforcement to support follow-on investigations. Gaming platforms, which consistently absorb the largest share of booter-driven attacks, are expected to issue account-level warnings and bans to users whose identifiers appear in the seized databases.


The broader security community views Operation PowerOFF as a proof of concept for sustained, intelligence-led disruption of commodity cybercrime — a model increasingly applied to ransomware affiliates, infostealer markets, and phishing-as-a-service platforms. While no takedown eliminates a criminal ecosystem outright, the compounding effect of repeated seizures, arrests, and customer identification is gradually raising both the cost and the perceived risk of participating in the DDoS-for-hire economy.

