Operation PowerOFF disrupts DDoS-for-hire ecosystem, exposing 75,000 botnet operators across 21 countries
Law enforcement and private-sector security researchers identified and disrupted 75,000 DDoS botnet operators and took down 53 infrastructure domains in a coordinated operation spanning 21 countries. This represents significant progress against organised DDoS-as-a-service providers but signals the need for sustained pressure on the ecosystem.
Operation PowerOFF represents a significant enforcement action against the DDoS-as-a-service ecosystem, identifying a substantial population of botnet operators and successfully disrupting hosting infrastructure. The identification of 75,000 users across 21 jurisdictions demonstrates the global scale and distributed nature of DDoS-for-hire operations, confirming what threat researchers have long suspected: the market operates across multiple hosting providers, payment processors, and operational centres with considerable geographic redundancy.
The takedown of 53 domains is notable but contextually limited. DDoS infrastructure has evolved beyond traditional domain-based command-and-control, with operators favouring bulletproof hosting, decentralised coordination channels, and rapid domain rotation. The enforcement action likely disabled one operational tier rather than dismantling the underlying capability. The identification of 75,000 users is more significant than the domain count, as it provides investigative leads for national law enforcement, though attribution and prosecution of distributed actors remain challenging and resource-intensive.
What defenders should prioritise: organisations should expect continued DDoS activity as operators migrate to alternative infrastructure. This is an ideal moment to audit DDoS mitigation strategies, validate rate-limiting rules, and review incident response playbooks. ISPs and hosting providers should recognise that infrastructure seizures create temporary displacement rather than elimination of threats. Threat intelligence teams should monitor for communications discussing infrastructure alternatives and new command-and-control arrangements among the identified operator population.
The broader implication is that enforcement against DDoS ecosystems remains reactive and supply-side focused rather than demand-focused. Until the economics of launching attacks become unfavourable for customers rather than operators, the underlying market will persist. One-off operations, whilst operationally sound, do not address the incentive structure that drives these services. The 75,000 identified operators represent a fraction of the global botnet operator base, suggesting significant unidentified infrastructure remains operational.