Polish police identify minors selling and administering DDoS attack tools
Poland’s Central Bureau for Combating Cybercrime (CBZC) identified seven minors (aged 12–16 at the time of the alleged activity) accused of distributing and administering online tools designed to facilitate DDoS attacks, in what authorities described as a profit-driven scheme. Investigators said the tools were used to attack a range of services, including auction/sales portals, IT domains, hosting providers, and accommodation booking sites.
The investigation reportedly began after CBZC identified a 14-year-old in the Masovian Voivodeship as an administrator of the DDoS tooling; analysis of seized artifacts led to six additional suspects. CBZC conducted searches across Masovian, Lublin, Łódź, and Greater Poland, seizing alleged attack infrastructure and evidence including smartphones, laptops/computers, storage media, hard drives, a ledger, and handwritten documentation. Due to the suspects’ ages, case materials were referred to family courts for further proceedings.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Poland refers seven juvenile DDoS suspects to family court
Poland's CBZC announced that case materials on seven suspected juvenile cybercriminals had been forwarded to local family courts. Because the suspects are minors, the matter will proceed under Poland's youth justice framework, which emphasizes re-education over punishment.
CBZC raids multiple regions and seizes devices and records
During the investigation, Polish cyber police carried out searches across multiple voivodeships and seized electronic devices and documentation believed to be connected to the DDoS tooling and supporting infrastructure. The operation targeted evidence tied to the alleged online sales and administration of the attack kits.
Investigation expands to six additional juvenile suspects
Following analysis of seized artifacts and investigative findings, CBZC identified six more minors allegedly involved in distributing and administering the DDoS tools. The total number of suspects reached seven, all aged 12 to 16 at the time of the alleged offenses.
Polish investigators identify 14-year-old as DDoS tool administrator
In 2025, Poland's Central Bureau for Combating Cybercrime (CBZC) identified a 14-year-old from the Masovian Voivodeship as an alleged administrator of online DDoS attack tools. Investigators said the profit-driven tooling was linked to attacks on auction and sales portals, IT domains, hosting services, and accommodation booking sites.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Poland Arrests Suspected DDoS Operator and Detains Defense Ministry Employee for Espionage
Poland’s Central Bureau for Combating Cybercrime (**CBZC**) arrested a 20-year-old suspected of conducting **global DDoS attacks** against high-profile and strategically important websites. Authorities said the suspect used a multi-layered botnet control architecture involving **C2 “stressers”** and **command-and-control nodes (CNC)**, and seized computer equipment allegedly used to host and distribute DDoS tooling; the suspect reportedly confessed to most charges, was released on bail after a formal statement, and faces up to five years in prison if convicted. Separately, Polish authorities detained a 60-year-old civilian employee in the Ministry of National Defense’s strategy and planning department on suspicion of **espionage** for a foreign intelligence service, with Polish officials indicating links to **Russian and Belarusian** services. Counterintelligence searched the suspect’s office and residence and seized phones, computers, and storage media; prosecutors filed espionage charges while officials cited “extensive evidence” and framed the case as part of broader **hybrid warfare** pressure on Poland, including sabotage, disinformation, and cyber activity attributed to Russia-linked actors.
Mar 21, 2026
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
Mar 21, 2026
Poland Arrests Suspected Phobos Ransomware Affiliate in Europol Operation Aether
Polish law enforcement arrested a **47-year-old man** in the Małopolska/Lesser Poland region on suspicion of involvement with the **Phobos ransomware** operation as part of **Europol-coordinated Operation Aether** targeting Phobos-linked infrastructure and affiliates. During a search of the suspect’s residence, Poland’s Central Bureau/Central Office for Combating Cybercrime (**CBZC**) seized devices and data investigators said could enable unauthorized access and ransomware activity, including **stolen credentials**, **passwords**, **credit card numbers**, and **server IP/access data**. Authorities said technical analysis indicated the seized materials could be used to breach electronic security and support “various attacks, including ransomware,” and alleged the suspect used **encrypted messaging** to communicate with the Phobos criminal group. Reporting also noted the seizure of a laptop and multiple smartphones, and that the suspect was charged with offenses related to creating/acquiring/sharing tools or data used to unlawfully obtain information and facilitate unauthorized system access; if convicted, he faces up to **five years** in prison. Operation Aether reporting additionally linked the enforcement activity to efforts against **8Base**, described as a ransomware group believed to be connected to Phobos.
Mar 21, 2026