A coordinated law enforcement action across 21 countries has dismantled a significant slice of the DDoS-for-hire ecosystem. Operation PowerOFF, led by Europol and executed during an April 13, 2026 action week, resulted in the seizure of 53 booter/stresser domains, four arrests in Poland, 25 search warrants, and the capture of backend databases holding more than 3 million criminal user accounts. Over 75,000 suspected customers received warning emails or letters.
This is the largest single action in the long-running Operation PowerOFF campaign, a multi-year effort to dismantle the commercial infrastructure that lets anyone rent a distributed denial-of-service attack for a few dollars an hour.
What happened
Between April 13 and 16, 2026, law enforcement agencies from Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the U.K., and the U.S. executed simultaneous takedowns. Europol provided analytical and operational coordination from The Hague.
Key results released on April 16:
- 53 domains seized, including services identified by name as Vac Stresser and Mythical Stress. The U.S. seized nine of those domains unilaterally.
- Four arrests in Poland of suspects alleged to have operated a network of platforms tied to thousands of DDoS attacks worldwide. Germany identified one of the suspects and shared intelligence on the others.
- 25 search warrants executed across participating jurisdictions.
- Backend databases captured containing over 3 million user accounts — customer records, attack logs, and payment data that are now in law enforcement hands.
- 75,000+ warning notifications sent to identified users via email and physical letter, with additional on-chain warning messages posted to cryptocurrency wallets and blockchain platforms used to pay for attacks.
Why DDoS-for-hire infrastructure matters
Booter and stresser services — nominally marketed as “network stress-testing tools” — are the industrialized layer of the DDoS economy. A subscription costs anywhere from five to a few hundred dollars a month and gives the buyer a web dashboard that launches volumetric and protocol-layer floods against any target they specify. The buyer doesn’t need any technical skill, doesn’t need to build a botnet, and doesn’t need to understand how amplification works. They just type in an IP or domain and click.
The services themselves run on rented VPS infrastructure, often behind reverse proxies and Cloudflare-like providers. Behind the storefront sits the actual attack infrastructure: compromised IoT devices, misconfigured DNS resolvers, NTP/memcached reflectors, and increasingly, rented cloud capacity used to amplify traffic.
The customer base skews young and decentralized. Europol has been explicit that many users are teenagers motivated by gaming grudges or school-related grievances — one reason the operation’s prevention arm leans heavily on warning letters rather than prosecutions for the bulk of the 75,000.
What’s in the 3 million accounts
The captured databases are, by volume, the largest single disclosure from any PowerOFF iteration to date. Based on prior takedowns in the same campaign, the records typically contain:
- Email addresses and usernames tied to each account
- Hashed (and sometimes plaintext) passwords
- Attack history: target IP, date, duration, attack vector
- Payment records, including cryptocurrency wallet addresses and in some cases PayPal or credit card fragments
Expect credential-stuffing follow-on: the usernames and password hashes from seized booter databases have historically leaked into the wider criminal ecosystem within weeks.
Why this matters for infrastructure teams
The DDoS threat hasn’t gone away — but the barrier to launching one just got raised. Taking 53 services offline doesn’t eliminate the ecosystem, but it meaningfully disrupts it. Expect a short-term dip in opportunistic volumetric attacks against public-facing services, followed by migration of customers to whichever services survived the operation.
Attribution databases are now being built. Law enforcement now has three million records linking email addresses, crypto wallets, and attack targets. If your service was previously hit by a booter, the IP that attacked you is now potentially tied to a customer identity. Organizations that preserved attack logs and filed reports stand to benefit from this data pipeline over the next 12 to 24 months.
Crypto payment rails are the weak point. The on-chain warning messages tied to illicit payment wallets are a relatively new enforcement tactic. They work because booter payments flow through a small set of known exchanges and mixers, and those choke points are tractable for law enforcement in a way that the underlying attack infrastructure is not.
The prevention model is now the main event. Historically, these takedowns leaned on prosecution. This one is explicitly described by Europol as “entering its prevention phase,” with ad buys targeting young searchers of DDoS tools, 100+ URLs removed from search results, and letters to identified users. If you operate public infrastructure, expect the baseline volume of opportunistic DDoS to decline as a result — but not the sophisticated nation-state or ransomware-adjacent DDoS activity, which is unaffected.
What to do
- Review DDoS protection posture. Confirm your upstream provider (Cloudflare, AWS Shield, Akamai, etc.) is actually in the path for every public endpoint, not just the obvious ones. Look at API endpoints, staging environments, origin IPs that have leaked into DNS history, and any bare TCP/UDP services.
- Rate-limit authentication and expensive endpoints. Layer 7 attacks from booter services are increasingly targeting login pages, search APIs, and anything that triggers backend compute. Volumetric mitigation at the edge does not help if 50 RPS of valid HTTP requests can exhaust your database pool.
- Preserve attack logs. If you’ve been hit in the past 12-18 months, retain the packet captures, NetFlow, and load balancer logs. Law enforcement requests related to the seized databases are likely to follow.
- Audit your own infrastructure for reflector exposure. Open DNS resolvers, misconfigured NTP servers, memcached on public IPs, SSDP-enabled devices — all of these are the upstream amplifiers that power booter services. Check shodan.io for your own ASN.
- Monitor for migration. Services surviving the takedown are actively onboarding refugees from the seized platforms. Expect short-term bursts of test attacks as operators reconstitute customer bases on new domains.
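One way to run the open-resolver part of the reflector audit against hosts you operate, shown as an added example that is not part of the original article: it sends a single recursive DNS query and classifies the reply from its header flags. The function names, the `example.com` probe name and the constructed sample replies are assumptions of this example.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id, fine for a one-shot self-audit

def build_query(name, txid=TXID):
    """DNS A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(data, txid=TXID):
    """Classify a reply from its header: did the host recurse for us?"""
    if len(data) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not (flags & 0x8000):  # wrong id or not a response
        return "malformed"
    if (flags & 0x000F) == 5:                # RCODE 5 = REFUSED
        return "refused"
    if flags & 0x0080:                       # RA: recursion available
        return "open-resolver"
    return "no-recursion"                    # e.g. authoritative-only server

def probe(host, name="example.com", timeout=2.0):
    """Send one query to a host you operate, from outside its network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (host, 53))
            data, _ = s.recvfrom(4096)
        except OSError:                      # timeout, unreachable, filtered
            return "no-response"
    return classify_response(data)

def sample_reply(flags, answer=False):
    """Constructed reply for offline checks (not captured traffic)."""
    q = build_query("example.com")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    hdr = struct.pack("!HHHHHH", TXID, flags, 1, int(answer), 0, 0)
    return hdr + q[12:] + (rr if answer else b"")

if __name__ == "__main__":
    for host in sys.argv[1:]:                # pass your own public IPs
        print(host, probe(host))
```

Run it from a vantage point outside your network; a host reported as `open-resolver` is answering recursive queries for arbitrary clients and should be restricted to your own address ranges or have recursion disabled.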
Sources
- Europol-supported global operation targets over 75 000 users engaged in DDoS attacks — Europol
- Operation PowerOFF identifies 75k DDoS users, takes down 53 domains — BleepingComputer
- Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts — The Hacker News
- Operation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered — Security Affairs
- Officials seize 53 DDoS-for-hire domains in ongoing crackdown — CyberScoop
- European police email 75,000 people asking them to stop DDoS attacks — TechCrunch