Inside the Takedown of the World’s Largest DDoS-for-Hire Botnet — and Why It Won’t Be the Last

International law enforcement dismantled the world's largest DDoS-for-hire botnet, responsible for record 5.6 Tbps attacks and 31.4 Tbps cumulative global traffic. Four men were indicted after a 21-year operation exploiting hundreds of thousands of IoT devices across dozens of countries.
Inside the Takedown of the World’s Largest DDoS-for-Hire Botnet — and Why It Won’t Be the Last
Written by Dave Ritchie

For years, a sprawling network of compromised routers, cameras, and internet-connected devices quietly served as the backbone of the most powerful distributed denial-of-service operation ever documented. At its peak, the botnet marshaled enough firepower to launch attacks exceeding 5.6 terabits per second — volumes that could flatten even well-defended corporate networks and government infrastructure. Now, a coordinated international law enforcement operation has dismantled it, but the story of how it grew so large, and what comes next, is far more complicated than a simple takedown.

The operation, announced in late May 2025, targeted a network of services marketed under multiple brand names — most prominently anyproxy.com and 5socks.net — that collectively formed what U.S. and international authorities describe as the world’s largest DDoS-for-hire botnet. According to TechRadar, the botnet was responsible for cumulative attack traffic of 31.4 terabits per second globally, with individual attacks reaching record-breaking intensities. The U.S. Department of Justice unsealed indictments against four foreign nationals — three Russian and one Kazakhstani — charging them with operating the infrastructure that enabled paying customers to rent attack capacity on demand.

The defendants are Alexei Viktorovich Chechyorin, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov. According to the DOJ’s announcement, the men allegedly operated the botnet since at least 2004, cycling through various domain names and service brands over two decades. That’s not a typo. Twenty-one years.

What made this operation distinctive wasn’t just its scale but its commercial model. The services operated essentially as subscription businesses, offering tiered access to proxy and attack infrastructure. Customers could purchase access for as little as $10 per day, scaling up to monthly plans. The 5socks.net service alone advertised more than 7,000 proxies available at any given time, sorted by country, state, and internet service provider — a level of granularity that speaks to the sophistication of the backend infrastructure. The sites accepted cryptocurrency payments, naturally, but also more traditional methods, making the barrier to entry remarkably low for would-be attackers.

The technical underpinning of the botnet relied on exploiting end-of-life and poorly secured Internet of Things devices. Wireless routers with default credentials. IP cameras running outdated firmware. Digital video recorders never designed to withstand active exploitation. These devices, numbering in the hundreds of thousands across dozens of countries, were silently conscripted into the network through automated scanning and exploitation tools. Once compromised, each device became a node capable of generating and relaying attack traffic, its owner typically none the wiser.

This is a pattern that security researchers have warned about for nearly a decade, dating back to the original Mirai botnet attacks of 2016 that temporarily knocked major websites offline across the eastern United States. But the scale here dwarfs Mirai’s original capabilities by orders of magnitude. And the commercial wrapper around it — the slick websites, the customer support, the pricing tiers — represents an evolution in how cybercrime infrastructure gets monetized.

The law enforcement action was coordinated across multiple jurisdictions. The FBI led the U.S. side of the investigation, working alongside the Dutch National Police, the Netherlands Public Prosecution Service, and authorities in Thailand, Germany, and other countries. The operation resulted in domain seizures, infrastructure disruption, and the unsealing of the indictments. Whether the defendants will ever see the inside of an American courtroom remains an open question — Russia does not extradite its citizens, and Kazakhstan’s cooperation on such matters has been inconsistent at best.

But the infrastructure itself has been meaningfully degraded. According to TechRadar, the seized domains now display law enforcement banners, and the command-and-control servers that orchestrated attack traffic have been taken offline. The FBI also worked with internet service providers and device manufacturers to notify owners of compromised equipment, though the practical impact of such notifications on a global fleet of aging IoT hardware is debatable.

The record-setting 5.6 Tbps attack attributed to this botnet infrastructure reportedly targeted an unnamed entity in Eastern Asia in late 2024. To put that figure in context, Cloudflare — which disclosed mitigating the attack — noted it was the largest DDoS attack ever recorded at the time, surpassing previous records by a significant margin. The attack lasted only about 80 seconds, suggesting it may have been a demonstration of capability or an automated burst rather than a sustained campaign. Still, 80 seconds at 5.6 Tbps is enough to cause serious damage to organizations without top-tier DDoS mitigation in place.

The cumulative 31.4 Tbps figure cited by authorities represents aggregate attack capacity across multiple simultaneous campaigns, not a single event. That distinction matters. It indicates the botnet could sustain high-volume attacks against multiple targets simultaneously — a capability that puts it in a different category from most DDoS-for-hire services, which typically concentrate their firepower on one target at a time.

So who was buying these services? The DOJ hasn’t released a detailed customer list, and likely won’t. But DDoS-for-hire operations historically attract a wide spectrum of buyers: competitors looking to knock rivals offline, extortionists demanding ransom payments, hacktivists pursuing political agendas, and occasionally state-affiliated actors looking for plausible deniability. The low cost of entry — again, as little as $10 — means the customer base almost certainly included teenagers alongside more sophisticated threat actors. That’s part of what makes these services so dangerous. They democratize destructive capability.

The timing of this takedown aligns with a broader push by Western law enforcement agencies against DDoS-for-hire infrastructure. In December 2023, the FBI and international partners executed Operation PowerOFF, which seized dozens of booter and stresser service domains. The UK’s National Crime Agency has run similar operations. And Europol has increasingly prioritized disruption of cybercrime-as-a-service models, recognizing that taking down infrastructure often has a greater impact than arresting individual users.

There’s a growing body of academic research supporting this approach. Studies from Cambridge and Delft University of Technology have found that takedowns of booter services produce measurable, if temporary, reductions in global DDoS activity. The key word is temporary. New services tend to emerge within weeks or months, often operated by individuals who learned the trade on the platforms that were shut down. It’s a whack-a-mole problem, and law enforcement agencies are candid about that reality.

The IoT dimension of this case deserves particular attention. The devices that comprised this botnet — routers, cameras, DVRs — are overwhelmingly consumer-grade products with minimal security features. Many were manufactured by companies that no longer exist or that have long since stopped issuing firmware updates. The owners of these devices, scattered across every continent, generally have no idea their hardware has been weaponized. And even when notified, the remediation path is often unclear. Update the firmware? There may not be an update available. Replace the device? That costs money. Change the default password? Many of these devices don’t make that easy, or the owner doesn’t know how.

This is a structural problem that no single law enforcement action can solve. The global installed base of insecure IoT devices numbers in the billions, and it grows every day. Manufacturers face limited regulatory pressure to build security into cheap consumer hardware, and consumers face limited incentive to maintain devices they’ve plugged in and forgotten about. The result is an essentially infinite supply of recruitable botnet nodes.

Industry groups have pushed for mandatory security standards for IoT devices. The European Union’s Cyber Resilience Act, which takes full effect in 2027, will require manufacturers selling into EU markets to meet baseline security requirements and provide security updates for a defined period. The United States has taken a lighter touch, relying primarily on voluntary labeling programs like the FCC’s Cyber Trust Mark. Whether either approach will meaningfully reduce the pool of exploitable devices remains to be seen.

For enterprise defenders, the takedown offers a temporary reprieve but not a strategic shift. Organizations that rely on cloud-based DDoS mitigation services from providers like Cloudflare, Akamai, or AWS Shield are better positioned to absorb volumetric attacks, but even these services have limits — and they aren’t free. Smaller organizations, municipalities, hospitals, and educational institutions often lack the budget for enterprise-grade protection, making them particularly vulnerable to DDoS extortion.

The financial mechanics of DDoS-for-hire are worth understanding. At $10 a day or roughly $200 a month for premium access, the operators of anyproxy.com and 5socks.net were running what amounted to a SaaS business with extraordinarily low overhead. The infrastructure costs were borne involuntarily by the owners of compromised devices. The bandwidth costs were externalized onto ISPs and victims. And the revenue, even at modest per-customer rates, could scale dramatically with volume. Thousands of active subscribers paying $200 monthly translates to millions of dollars annually — more than enough to fund continued development, customer acquisition, and operational security.

The indictments suggest the operators were careful about their own security, using layered anonymization techniques, cryptocurrency mixing services, and compartmentalized communication channels. But 21 years is a long time to maintain operational security, and the investigation apparently benefited from cooperation across multiple intelligence and law enforcement agencies. The specific investigative techniques that led to the identification of the defendants haven’t been disclosed, which is typical — agencies protect their methods to preserve their utility in future cases.

And there will be future cases. The demand for DDoS-for-hire services isn’t going away. If anything, it’s growing. Geopolitical tensions, the proliferation of hacktivism, the increasing dependence of critical services on internet connectivity — all of these factors create sustained demand for tools that can take targets offline. The supply side, fueled by billions of insecure IoT devices, shows no signs of contracting.

Growing up in the Midwest, I spent a lot of time tinkering with routers and networking equipment — the same kinds of devices that now form the backbone of botnets like this one. There’s something deeply unsettling about knowing that the consumer-grade router sitting in someone’s living room, the kind my parents might have bought at a big-box store a decade ago, could be silently participating in an attack against a hospital or a power utility on the other side of the world. The people who own these devices aren’t negligent. They’re just not equipped to deal with threats that didn’t exist when they bought the hardware.

The takedown of this botnet is a significant operational achievement. Full stop. But it’s also a snapshot of a much larger problem — one that sits at the intersection of consumer electronics manufacturing, internet governance, international law enforcement cooperation, and the basic economics of cybercrime. Solving it will require action on all of those fronts simultaneously. And if history is any guide, the next record-breaking botnet is already being assembled, one compromised router at a time.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us