Operation PowerOFF Disrupts DDoS-for-Hire Services and Identifies 3 Million Accounts
Authorities from 21 countries carried out a coordinated Operation PowerOFF crackdown against DDoS-for-hire infrastructure, dismantling booter services used to launch attacks against online marketplaces, telecommunications providers, and other internet-facing services. The action resulted in 53 domain takedowns, 4 arrests, and 25 search warrants, while investigators seized servers, infrastructure, and databases tied to the illegal platforms.
Data recovered during the operation helped investigators identify more than 3 million criminal user accounts, and law enforcement sent over 75,000 warning emails and letters to suspected users. Europol said the services lowered the barrier to launching disruptive attacks for motives ranging from curiosity and hacktivism to extortion and anti-competitive activity; prevention measures also included removing more than 100 URLs advertising booter services from search results, posting blockchain warning messages, and updating the Operation PowerOFF website as the international enforcement effort continues.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
U.S. seizes eight booter domains and searches backend servers
On 2026-04-17, the U.S. Justice Department announced court-authorized cyber operations against major DDoS-for-hire services, including seizure of eight domains in the District of Alaska and searches of backend servers. The action, part of Operation PowerOFF, targeted services such as Vac Stresser and Mythical Stress that allegedly enabled attacks against schools, government agencies, gaming platforms, critical infrastructure, and individuals.
Europol publicly announces latest Operation PowerOFF results
On 2026-04-16, Europol announced the results of the coordinated international crackdown, detailing arrests, domain seizures, warning notices, and investigative findings. The agency said the operation remained ongoing.
Prevention measures remove booter ads and issue warnings
As part of the same April 2026 enforcement effort, authorities removed more than 100 URLs advertising booter services from search engine results, posted blockchain warning messages, and updated the Operation PowerOFF website. These measures were intended to deter use of DDoS-for-hire platforms alongside the law-enforcement action.
Investigators identify millions of booter-service user accounts
Using seized infrastructure and recovered databases during the April 2026 operation, investigators identified more than 3 million criminal user accounts tied to DDoS-for-hire activity. Authorities also sent over 75,000 warning emails and letters to identified users.
Operation PowerOFF action week targets DDoS-for-hire ecosystem
On 2026-04-13, authorities from 21 countries carried out a coordinated Operation PowerOFF action week against DDoS-for-hire services and their users. The operation included 53 domain takedowns, 4 arrests, 25 search warrants, infrastructure and database seizures, and disruption of illegal booter services.
Polish authorities arrest alleged booter administrators
In May 2025, authorities in Poland arrested alleged administrators of DDoS-for-hire platforms linked to thousands of attacks carried out between 2022 and 2025. This was cited as part of earlier Operation PowerOFF-related enforcement activity preceding the 2026 crackdown.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
Operation PowerOFF dismantles DDoS-for-hire services, nabs suspects | brief | SC Media
scworld.com
Open sourceOperation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered
securityaffairs.com
Open sourceOperation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts
thehackernews.com
Open sourceFour arrested in latest ‘PowerOFF’ DDoS-for-hire takedown | The Record from Recorded Future News
therecord.media
Open sourceOperation PowerOFF identifies 75k DDoS users, takes down 53 domains
bleepingcomputer.com
Open sourceEuropean police email 75,000 people asking them to stop DDoS attacks | TechCrunch
techcrunch.com
Open sourceEuropol-supported global operation targets over 75 000 users engaged in DDoS attacks - Operation PowerOFF is a global effort aimed at dismantling criminal DDoS-for-hire infrastructure | Europol
europol.europa.eu
Open sourceOperation PowerOFF
operation-poweroff.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation PowerOFF disrupts DDoS-for-hire platforms and arrests administrators
An international law enforcement campaign under **Operation PowerOFF** has repeatedly dismantled major **DDoS-for-hire** or **booter/stresser** services, seizing domains and infrastructure, arresting alleged administrators, and targeting customers across dozens of countries. In one major phase, authorities shut down **48 services** and arrested **seven** suspected operators after U.S. charges tied defendants to platforms including `Booter.sx`, `Astrostress.com`, and `SecurityTeam.io`; officials said one seized service alone had been used in more than **30 million attacks**. A later coordinated action involving the United States and about **20 partner countries** seized **53 domains**, made **four arrests**, executed **25 search warrants**, and sent more than **75,000 warning messages** to users, while also removing more than **100 URLs** advertising booter sites. The crackdown builds on earlier takedowns such as the seizure of **Webstresser.org**, which Europol described as the world’s largest DDoS-for-hire marketplace, with more than **136,000 registered users** and **4 million attacks** recorded before it was dismantled. Investigators said these services marketed themselves as legitimate network testing tools but were used to launch attacks against **schools, government agencies, gaming platforms, critical infrastructure, Department of Defense resources, businesses, and individuals**, often for as little as **EUR 15 per month**. Authorities also expanded disruption efforts beyond arrests and seizures by placing warning ads in search results and reaching users through cryptocurrency payment channels, underscoring a sustained multinational effort to raise the cost of operating and buying low-barrier DDoS attack services.
May 25, 2026
Authorities Seize DDoS-for-Hire Domains in Operation PowerOFF Crackdown
U.S. and international law enforcement agencies expanded **Operation PowerOFF** by seizing additional domains tied to DDoS-for-hire, or **booter/stressor**, services used to launch distributed denial-of-service attacks on demand. The U.S. Department of Justice said the FBI took control of 13 more domains linked to prolific platforms, including services that had resurfaced after an earlier disruption of 48 booter sites. Investigators found the platforms had amassed **hundreds of thousands of registered users** and had been used against school districts, government websites, businesses, and other targets; FBI testing on government-controlled systems showed some attacks were strong enough to completely cut off internet connectivity. The takedowns build on years of coordinated enforcement that has included the seizure of 15 booter websites, action against users of major DDoS-for-hire platforms, and prosecutions of operators tied to services such as **RoyalStresser.com**, **SecurityTeam.io**, **Astrostress.com**, and **Booter.sx**. Europol says the long-running campaign targets services that sell attacks for as little as **EUR 10**, lowering the barrier for low-skilled offenders and sometimes supporting broader criminal activity, including ransomware operations. The effort has involved the FBI, Europol, the U.K. National Crime Agency, Dutch police, and other global partners, alongside prevention campaigns aimed at deterring would-be users.
Jun 21, 2026
Operation Lightning Takedown of SocksEscort Residential Proxy Botnet
An international law-enforcement operation dubbed **Operation Lightning** disrupted **SocksEscort**, a paid “residential proxy” service that routed criminal traffic through compromised home/small-business routers and IoT devices to provide anonymity for fraud and other cybercrime. Authorities from the US and multiple European countries (including Austria, France, and the Netherlands), supported by **Europol** and **Eurojust** and assisted by private-sector partners **Lumen’s Black Lotus Labs** and the **Shadowserver Foundation**, reported the botnet had leveraged exploited vulnerabilities in edge devices and was powered by **AVRecon** (Linux) malware. Officials said SocksEscort advertised access to roughly **369,000 IP addresses** since 2020, with Europol stating the infrastructure compromised **369,000+** routers/IoT devices across **163 countries** and offered customers tens of thousands of proxies; reporting also noted that, as of February 2026, the service listed about **8,000 infected routers**, including roughly **2,500 in the United States**. During the coordinated action, authorities **seized 34 domains and 23 servers** across **seven countries**, replaced the service’s website with a seizure notice, and the US froze approximately **$3.5 million in cryptocurrency** tied to the operation; officials also cited the service’s payment platform receiving about **$5.8 million** from customers. SocksEscort was described as enabling a wide range of downstream criminal activity—including large-scale fraud, account takeovers, identity theft, business email compromise, password spraying, and, per Europol, facilitation of **ransomware**, **DDoS**, and distribution of **CSAM**—with US reporting citing specific victim losses (including a **$1M** cryptocurrency theft and additional six-figure fraud impacts). Investigators indicated the seized infrastructure and customer data (reported as roughly **124,000 users**) will be used to pursue follow-on investigations into both operators and customers of the proxy service.
Mar 24, 2026