Four Arrested in Latest PowerOFF DDoS-for-Hire Takedown

What happened

More than 20 countries participated in a coordinated takedown of multiple DDoS-for-hire platforms as part of the latest wave of Operation PowerOFF, the long-running international effort to dismantle the booter-stresser industry.

Europol announced four arrests and 25 executed search warrants, though it declined to provide details on those detained. More than 50 domains were seized, and European authorities identified approximately 75,000 users across the affected sites. Data from previously seized databases also allowed Europol to geolocate more than three million criminal user accounts, which drove coordinated enforcement actions during the operation week.

U.S. prosecutors in Alaska announced the seizure of eight sites, including Vac Stresser and Mythical Stress, and said they conducted searches of DDoS-for-hire backend servers. One of the seized platforms claimed to have been used to launch more than 142 million attacks. An FBI agent purchased a Mythical Stress subscription plan offering a month of DDoS attacks for $45, with the most expensive tier running $950 per month for attacks targeting up to 90 victim IPs. The Justice Department said the services targeted schools, government agencies, gaming platforms, critical infrastructure, and U.S. Department of War resources, among others.

Eleven people have now been charged in the U.S. over four years of Operation PowerOFF enforcement, and 100 domains have been seized in total. Despite that, Justice Department officials acknowledged that DDoS-for-hire services have continued to proliferate due to their low barrier to entry.

Who is affected

The takedown directly disrupted services used by an estimated 75,000 identified users across the seized platforms. Victims of past attacks span a wide range, from schools and government agencies to critical infrastructure operators. The low cost of access, $45 for a monthly subscription on Mythical Stress, means the user base skews toward opportunistic actors rather than sophisticated ones, which makes the victim pool broad and unpredictable.

Why CISOs should care

$45 a month. That’s the price point for a tool that can knock services offline for 40 minutes at a time. The takedown is a positive development, but the DOJ’s own acknowledgment that these services keep proliferating despite years of enforcement is the part worth sitting with. For every platform seized, others emerge. The infrastructure enabling cheap, scalable disruption isn’t going away, and the targets range from gaming servers to federal systems within the same subscription tier.

Organizations that haven’t stress-tested their DDoS resilience against volume-based attacks recently should treat this as a timely reminder that the threat is accessible to nearly anyone with a credit card.

3 practical actions

  1. Review DDoS mitigation coverage and thresholds: Confirm that your current mitigation services are calibrated for sustained volumetric attacks, not just short bursts, given that higher-tier subscriptions on these platforms can run attacks continuously for hundreds of hours.
  2. Assess exposure of public-facing infrastructure: Identify which externally facing services, APIs, and network endpoints would be most affected by a sustained DDoS campaign, and prioritize resilience investment accordingly.
  3. Monitor operational continuity plans for DDoS scenarios: Ensure your incident response and business continuity plans include specific playbooks for extended DDoS events, not just data breaches, since schools, agencies, and infrastructure are documented targets of availability attacks in this ecosystem.
