Operation PowerOFF disrupts DDoS-for-hire platforms and arrests administrators
An international law enforcement campaign under Operation PowerOFF has repeatedly dismantled major DDoS-for-hire or booter/stresser services, seizing domains and infrastructure, arresting alleged administrators, and targeting customers across dozens of countries. In one major phase, authorities shut down 48 services and arrested seven suspected operators after U.S. charges tied defendants to platforms including Booter.sx, Astrostress.com, and SecurityTeam.io; officials said one seized service alone had been used in more than 30 million attacks. A later coordinated action involving the United States and about 20 partner countries seized 53 domains, made four arrests, executed 25 search warrants, and sent more than 75,000 warning messages to users, while also removing more than 100 URLs advertising booter sites.
The crackdown builds on earlier takedowns such as the seizure of Webstresser.org, which Europol described as the world’s largest DDoS-for-hire marketplace, with more than 136,000 registered users and 4 million attacks recorded before it was dismantled. Investigators said these services marketed themselves as legitimate network testing tools but were used to launch attacks against schools, government agencies, gaming platforms, critical infrastructure, Department of Defense resources, businesses, and individuals, often for as little as EUR 15 per month. Authorities also expanded disruption efforts beyond arrests and seizures by placing warning ads in search results and reaching users through cryptocurrency payment channels, underscoring a sustained multinational effort to raise the cost of operating and buying low-barrier DDoS attack services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Operation PowerOFF seizes 53 domains and makes four arrests
In April 2026, the United States and 20 partner countries carried out a coordinated Operation PowerOFF action that seized 53 domains tied to booter services, made four arrests, and executed 25 search warrants. Authorities also sent more than 75,000 warning messages to customers and removed more than 100 URLs advertising the services.
Operation PowerOFF disrupts 27 DDoS platforms across 15 countries
In December 2024, an international crackdown under Operation PowerOFF took down 27 DDoS-for-hire platforms across 15 countries. The action marked a renewed multinational effort against booter services.
Operation Power Off shuts down 48 DDoS-for-hire services and arrests seven
In December 2022, Europol announced an international operation that shut down 48 DDoS-for-hire websites and led to the arrest of seven alleged administrators, including one suspect in the United Kingdom. Authorities said one seized service had been used to conduct more than 30 million attacks against schools, government agencies, gaming platforms, and individuals.
U.S. charges six defendants tied to booter services
Before the December 2022 enforcement action, the U.S. Department of Justice charged six defendants linked to DDoS-for-hire services including Booter.sx, Astrostress.com, and SecurityTeam.io. The charges formed part of a broader crackdown on services marketed as network testing tools but used to launch attacks.
Operation Power Off takes down Webstresser and arrests administrators
On 2018-04-24, law enforcement arrested the administrators of Webstresser.org, described by Europol as the world's largest DDoS-for-hire marketplace. Authorities shut down the service and seized infrastructure in the Netherlands, the United States, and Germany as part of Operation Power Off.
Sources
6 references tracked. Mallory keeps watching after this page renders.
US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms | Cybersecurity Dive
cybersecuritydive.com
Open sourceInternational crackdown disrupts DDoS-for-hire operations | CyberScoop
cyberscoop.com
Open sourceOperation PowerOFF took down 27 DDoS platforms across 15 countries
securityaffairs.com
Open sourcePolice shut down 48 DDoS-for-hire services, arrest 7 alleged administrators | The Record from Recorded Future News
therecord.media
Open sourceThe FBI and International Law Enforcement Partners Intensify Efforts to Combat Illegal DDoS Attacks - FBI
fbi.gov
Open sourceWorld’s biggest marketplace selling internet paralysing DDoS attacks taken down - Webstresser.org sold Distributed Denial of Service attacks that could knock the internet offline for as little as EUR 15.00 a month | Europol
europol.europa.eu
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Authorities Seize DDoS-for-Hire Domains in Operation PowerOFF Crackdown
U.S. and international law enforcement agencies expanded **Operation PowerOFF** by seizing additional domains tied to DDoS-for-hire, or **booter/stressor**, services used to launch distributed denial-of-service attacks on demand. The U.S. Department of Justice said the FBI took control of 13 more domains linked to prolific platforms, including services that had resurfaced after an earlier disruption of 48 booter sites. Investigators found the platforms had amassed **hundreds of thousands of registered users** and had been used against school districts, government websites, businesses, and other targets; FBI testing on government-controlled systems showed some attacks were strong enough to completely cut off internet connectivity. The takedowns build on years of coordinated enforcement that has included the seizure of 15 booter websites, action against users of major DDoS-for-hire platforms, and prosecutions of operators tied to services such as **RoyalStresser.com**, **SecurityTeam.io**, **Astrostress.com**, and **Booter.sx**. Europol says the long-running campaign targets services that sell attacks for as little as **EUR 10**, lowering the barrier for low-skilled offenders and sometimes supporting broader criminal activity, including ransomware operations. The effort has involved the FBI, Europol, the U.K. National Crime Agency, Dutch police, and other global partners, alongside prevention campaigns aimed at deterring would-be users.
May 25, 2026
Operation PowerOFF Disrupts DDoS-for-Hire Services and Identifies 3 Million Accounts
Authorities from 21 countries carried out a coordinated Operation PowerOFF crackdown against **DDoS-for-hire** infrastructure, dismantling booter services used to launch attacks against online marketplaces, telecommunications providers, and other internet-facing services. The action resulted in **53 domain takedowns**, **4 arrests**, and **25 search warrants**, while investigators seized servers, infrastructure, and databases tied to the illegal platforms. Data recovered during the operation helped investigators identify **more than 3 million criminal user accounts**, and law enforcement sent **over 75,000 warning emails and letters** to suspected users. Europol said the services lowered the barrier to launching disruptive attacks for motives ranging from curiosity and hacktivism to extortion and anti-competitive activity; prevention measures also included removing **more than 100 URLs** advertising booter services from search results, posting blockchain warning messages, and updating the Operation PowerOFF website as the international enforcement effort continues.
Apr 24, 2026
Authorities Disrupt Four IoT Botnets Behind 30 Tbps DDoS Attacks
U.S., Canadian, and German authorities disrupted the command-and-control infrastructure of four major IoT botnets — **Aisuru, KimWolf, JackSkid, and Mossad** — that collectively compromised more than **three million** internet-connected devices worldwide. Investigators said the botnets, built largely from vulnerable **DVRs, IP cameras, web cameras, and enterprise Wi‑Fi routers**, were used in hundreds of thousands of distributed denial-of-service attacks, including operations targeting **U.S. Department of Defense** systems, other high-value networks, and critical infrastructure. Officials said the malware networks were capable of generating traffic above **30 Tbps**, with one attack reaching roughly **31.4 Tbps**, placing them among the largest DDoS threats recorded. The operators allegedly ran the infrastructure as a **DDoS-for-hire** service and also used it for extortion, threatening victims with sustained attacks unless they paid. The U.S. action, led by the Defense Criminal Investigative Service with support from the FBI Anchorage Field Office, included seizure warrants for domains and virtual servers, while Germany’s **BKA** and Canada’s **RCMP** carried out parallel enforcement steps. Private-sector partners including **Akamai, AWS, Cloudflare, Team Cymru, and The Shadowserver Foundation** supported the disruption. Authorities said the takedown degraded the botnets’ ability to operate, but warned that the underlying risk remains because millions of infected or insecure devices are still online with weak credentials or outdated firmware.
Mar 25, 2026