Six DDoS-for-Hire Services Had Domains Seized and Operators Arrested

An international law enforcement operation has dismantled a major network of six DDoS-for-hire platforms.

The Polish authorities arrested four administrators accused of running six illegal stresser/booter services. Simultaneously, the United States seized nine domains linked to the criminal infrastructure, striking a significant blow to the market for commercialized DDoS attacks.

Stresser and booter services remain a persistent threat, industrializing DDoS attacks by offering low-cost, on-demand disruption capabilities. Unlike traditional DDoS attacks relying on hijacked botnets, these services operate through centralized rented infrastructure and appeal to a wide range of actors — from petty cybervandals to serious cybercriminals.

The operation, led by Poland’s Central Cybercrime Bureau with support from Germany, the Netherlands, and the United States, targeted the administrators of platforms including Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut. These services were responsible for thousands of distributed denial-of-service (DDoS) attacks launched globally between 2022 and 2025. Customers could access the services for as little as €10, selecting targets and attack durations via intuitive interfaces designed to require no technical expertise.

The services functioned by renting powerful infrastructure capable of overwhelming websites and servers with traffic, effectively shutting them down. Targets ranged from government institutions and schools to gaming services and private businesses, demonstrating the widespread impact of the platforms’ operations. These tools have long blurred the line between professional penetration testing utilities and criminal instruments, frequently being advertised on underground forums and used for disruptive purposes.

The action was part of Operation PowerOFF, an ongoing international initiative aimed at dismantling the infrastructure behind DDoS-for-hire services. Europol provided operational coordination and analytical support throughout the investigation, helping to piece together intelligence across jurisdictions.

The Dutch National Police contributed by operating honeypot booter websites — fake DDoS platforms meant to lure and identify users. These deceptive services not only captured valuable intelligence but also served a deterrent function, warning users that their activity was being monitored. Seized data from real booter websites, located in Dutch data centers, was shared with Polish investigators and played a critical role in identifying and apprehending the four suspects.

In the United States, the Department of Justice, working alongside the FBI, Homeland Security Investigations (HSI), and the Defense Criminal Investigative Service (DCIS), seized nine domain names as part of the same coordinated week of action.