On Christmas Day in 2014 hackers knocked out the Xbox and PlayStation gaming networks, impacting how video game companies handled cybersecurity for years.

The Andersons are Christmas traditionalists. Dan says it’s more his wife Paige than him, but secretly he also loves all the fuss.

So, there they were on the sofa in their pajamas in front of the twinkling Christmas tree before the sun had risen over a chilly morning in Buffalo, New York. Thirty-two-year-old Dan was proud and smug as he handed over his gift to Paige—a “fancy new Kindle Voyage.” She loved it. Then it was his turn, and he excitedly ripped into the wrapping paper watched over by his confused dogs—one of which was tellingly named after Dan’s favorite computer-game character (Vivi from _Final Fantasy_). As the present revealed itself, the avid gamer saw the instantly recognizable and much-loved logo—it was a brand-new PlayStation 4. Straight away he unpacked it, rigged it up to the TV, and switched it on. The plan was to get it fired up and download _LittleBigPlanet 3_ to play for a few hours before meeting up with family.

Paige had been looking forward to it since she bought the new console. However, it wasn’t to be. “We didn’t even make it as far as starting to download the game, because it wouldn’t let me log in to PlayStation Network,” Dan said. “Nothing was online at all, so we couldn’t even try and download games.” Disappointedly they headed out for the day’s events and couldn’t try again until that evening, when they discovered that the network was still down. A $400 gift they couldn’t play. Dan had to work the next day too, so he couldn’t even try it then. He was gutted.

Five hundred and fifty miles north, in Toronto, 16-year-old Mustafa Aijaz was pumped. Christmas Day—particularly the evening—was the best game time of the year. It’s always been a bit of a holiday within the holiday for serious players. The tradition revolves around a phenomenon called “Christmas Noobs.” At Christmas, so many new players receive new games and consoles that online games are flooded with a tidal wave of gamers who often fumble their way through the top games and act like cannon fodder for the waiting legions of seasoned veterans. Mustafa and his mates were skilled at _Call of Duty: Advanced Warfare_. “We were all ready for a night of easy wins, quick XP \[experience points\] farming, and were looking forward to leveling up like crazy.” So, they waited like crocodiles anticipating herds of migrating buffalo to enter the river. But just as the bullets started flying they were all unceremoniously chucked out of their matches and knocked offline. “None of us could log back in, and party chat was down too, so we couldn’t even talk to each other to figure out what was happening,” Mustafa said.

It was all over social media: A group of hackers called Lizard Squad were bragging about their massive DDoS attack on Xbox Live and PlayStation Network—the crucial services that linked tens of millions of gamers to the Microsoft and Sony servers. Mustafa had seen that the group had already carried out smaller-scale attacks and had for weeks been taunting and threatening a big attack. Apparently it was all linked to some silly and incomprehensible spat with a rival but minor hacking group. Mustafa was angry but also fascinated by the attack and the incredible reaction online. “The fallout was instantaneous. People were furious,” he said.

PlayStation Network at the time had about 110 million subscribers, and Xbox Live had roughly 48 million. Xbox was back to normal within 24 hours—on Boxing Day. But PlayStation struggled for longer. It didn’t just affect existing subscribers. Before you can use any new games, consoles, or vouchers, you need to register them via the gaming company’s servers. It was a catastrophe for the games industry, especially Sony, which had already been having a tough time after a different cyberattack the previous month.

Services were down around the world. Error messages in dozens of languages were being posted as screenshots on YouTube and Twitter. There was nothing anyone could do until the engineers at Sony and Microsoft figured it out or Lizard Squad stopped the attack.

Late in the evening on Boxing Day, BBC Radio 5 Live aired an interview with two members of the group. They showed zero remorse for the impact they’d had on people around the world. Twelve hours later I walked into the newsroom and was given the seemingly impossible task of “getting a Lizard” on the evening TV bulletin at Sky News.

It took hours of trawling Twitter and speaking to dozens of wannabes and fakes, but I eventually succeeded in finding contact details for a British man called Vinnie Omari. Incredibly, he lived a few miles from our newsroom in west London. He agreed to come to us for the interview and was pale, skinny, wore all black and talked fast. He was at pains to distance himself from the gang but left the studios promising that a Lizard Squad hacker called “Ryan” would be in touch. I had no idea at the time of course that this “Ryan” was Julius Kivimäki—an already infamous teenage hacker and delinquent from Finland. It was later that afternoon—at around 3 pm —that “Ryan” called through on Skype. Just in time for us to edit our conversation with him into our news piece.

The 17-year-old looked very young and pale and had a shaved head and soft features. In spite of everything, he was polite and seemed in no rush. But he was also utterly unremorseful and arrogant, struggling to stifle a smirk throughout the interview. When I started by asking him why he wanted to ruin Christmas for tens of millions of people, he gave me the same boilerplate answer about the boys doing it to amuse themselves and embarrass these tech mega corps. “These companies make tens of millions every month from just their subscriber fees, and they should have more than enough funding to be able to protect against these attacks.” We went back and forth for about 15 minutes without him giving any hint of regret or awareness for how many people had been affected by his stunt.

“I’d be worried if those people didn’t have anything better to do than play games on their consoles at Christmas Eve and Christmas Day,” he said. “I mean, I can’t really say I feel bad. I might have forced a couple of kids to spend their time with their families instead of playing games.”

The interview blew up online, with more than a million views on YouTube and thousands of comments on Twitter, where many four-letter words were hurled at the Lizards. PlayStation and Xbox also received a torrent of abuse. Later they would offer a five-day extension to players’ subscription periods and 10 percent off as compensation. The resulting bill for the company must easily have been in the millions.

Kivimäki went on to speak to other reporters, sometimes calling himself Ryan Cleary (a reference to another hacker he had vague and likely acrimonious link to from a previous teen hacker gang called LulzSec). In one interview and debate on YouTube channel DramaAlert he is implored by Kim Dotcom to stop the silly hacker rivalries that were impacting so many innocent people. “Hackers used to be respected; they used to have a magic about them,” Kim said, accusing Lizard Squad of harming the image of hackers around the world with their actions. Kivimäki’s response is fascinating: He laughed it off as old-fashioned thinking. “It’s wrong to connect groups like Lizard Squad with, for example, L0pht from a couple of decades back,” he said. “There’s really no connection with the hacking groups of today and the hacking groups of two decades ago. The meaning is totally different now.”

Although many security experts angrily railed against the media’s portrayal of Lizard Squad as “sophisticated,” people grudgingly came to accept that the Christmas attack did have a big impact on cybersecurity and the gaming industry. There’s little doubt that this was not the group’s motive—despite their clumsy attempts to claim so in interviews. But it was a wake-up call. Security website SecurityAffairs wrote a “lessons learned” piece by dissecting my interview with Kivimäki. Many people considered Lizard Squad script kiddies, they wrote, adding, “This approach is totally wrong.”

The size of the attack unleashed on that day would be shrugged off by most modern sites, but DDoS attacks are still commonplace and are getting more powerful. Expensive protection services are now a must-have for any organization that needs to stay online.

The attacks also started something of a cybercrime trend. In 2024 Europol unveiled an international law enforcement operation to take DDoS services down in December: “The festive season has long been a peak period for hackers to carry out some of their most disruptive DDoS attacks, causing severe financial loss, reputational damage, and operational chaos for their victims,” the organization said in a statement.

At the time of Lizard Squad’s attacks, the general public was stunned. Despite Lizard Squad being on the tail end of a wave of teenage hacking groups in the 2010s, there was little awareness of the power that could be wielded by these otherwise amateur attackers. There might have been a vague feeling in the zeitgeist that “hackers in hoodies in their bedrooms” were increasingly causing problems, but this attack was immediate, unmissable, and easy to understand. It was of course also easy to get angry about. Over the next couple of days I came back to the story with follow-ups about the fallout as other Lizard Squad members spoke to YouTubers about the so-called “drama.” But the big thing the newsroom kept asking me was, When would these kids be arrested?

Vinnie Omari was the first. On New Year’s Eve he was raided by the South East Regional Organized Crime Unit, which collared him on suspicion of cyber fraud offenses committed in 2013 and 2014. It looked like the raid was for other alleged offenses involving PayPal fraud, but the search warrant, which later surfaced online, also referenced the Christmas DDoS attacks. “They took everything: Xbox One, phones, laptops, computer USBs, etc.,” Omari told reporter William Turton from the Daily Dot. He was later cleared of any involvement.

After Omari’s arrest, other Lizards were taken out too. On January 16, 2015, police announced that they had arrested an 18-year-old in Southport, near Liverpool. They didn’t give a name, but reporters at the Daily Mail identified him: “The ‘quiet’ teenager, named locally as Jordan Lee-Bevan, was arrested during a raid at his semi-detached home in Southport, Merseyside, today, with officers seizing computers as he was taken away in a police car.”

In 2016 teenager Zachary Buchta from Maryland was also arrested for his role in Lizard Squad and another group called PoodleCorp. As a boy he had been warned in 2014 about his criminal path by police who had caught him carrying out minor cybercrime activity. But he was undeterred and even changed his Twitter profile at one stage to @fbiarelosers to taunt the cops.

At the same time that Buchta was arrested, Dutch police raided and arrested another 19-year-old. Bradley van Rooy, who used the names “Uchiha” or “UchihaLS,” was accused of conspiring with other members of Lizard Squad to operate websites that provided cyberattack-for-hire services, facilitating thousands of DDoS attacks and trafficking stolen payment card account information for thousands of victims.

Bradley was put on bail for two years and eventually given a two-year suspended sentence and 180 hours of community service. The vast majority of charges against him were dropped as they had taken place when he was a minor. He ended up being convicted of the DDoS-for-hire operation and handling stolen credit cards. I tracked him down, and he openly talked about that period of his life, which he had put behind him a long time ago. “I’m now 27, and I see the damage that I did and understand that there could have been a higher punishment,” he says. “But then I also see that I was just a kid, and I had a troubled time at school and just fell into the hacking life after meeting the wrong people when I was playing the game _RuneScape_.”

Bradley’s journey and words track so perfectly to the experiences of almost every hacker I have met or interviewed. It’s as though there is a universal constant, whereby a subset of gamers in every generation is pulled into cybercrime in exactly the same way. There are literally billions of gamers in the world, so these people represent only a tiny fraction. But it seems to be inevitable and cyclical as hacker groups rise and fall.

The differentiating and more important aspect, though, is how these boys and young men react when they cross the line and are caught.

So what of Julius Kivimäki, aka “Ryan,” aka “Ryan Cleary” and many other aliases including the by now infamous “Zeekill”?

Surely, after appearing on TV and radio admitting that he was part of the gang, he too would be rearrested sharpish? Officers did indeed visit Kivimäki to interview him, but they did not arrest him—contrary to reports in the international media. It’s not clear why they took no further action, but perhaps when the teenager confidently said that police would find nothing on his computer he was right. “They’d have to let me go,” he had cockily asserted in our interview. If so, maybe his run-in with police years earlier had taught him to cover his tracks more effectively. Or maybe he hadn’t taken as much of a leading role in the DDoS attacks as he had claimed.

For Finnish cybercrime cop Antti Kurittu, seeing Kivimäki on TV was especially galling. Antti had raided and arrested Kivimaki two years earlier for other cyberattacks carried out with a different teenage cyber gang called HTP. “I remember watching your Sky News interview and just thinking ‘wow, this guy is not even trying to cover up his crimes. He’s just a different sort of person,’” Antti recalls.

It wasn’t until July 2015 that Kivimäki received his first criminal conviction. He was found guilty of the rather preposterous total of 50,700 instances of aggravated computer break-ins—one for every computer enslaved into HTPs botnet. He was also convicted of other offenses including data breach, money laundering, and being in possession of, and using, stolen credit cards. For all of these offenses, he was handed a two-year suspended sentence. If he had been an adult he could have got years behind bars, but as a minor and first-time offender he served no time in prison. So Kivimäki, just a few weeks from his 18th birthday, remained free. He began calling himself the “Untouchable Hacker God” on Twitter.

A year after Kivimäki’s sentencing, in a bizarre coincidence, Antti bumped into Kivimäki in Amsterdam. It was April 2016 and Antti was walking through the departures lounge of Schiphol Airport when he passed the by-then 18-year-old. Antti did a double take, gobsmacked to see him. It was so surreal that they both found it amusing and took a selfie. After a short chat, Antti asked Kivimäki if he was now “staying out of trouble.” Kivimäki replied, “Of course.” But when Antti asked him for a contact email address, he made one up with “@FBI.gov” at the end. They laughed and went their separate ways.

But, as Antti predicted, the Untouchable Hacker God would be back. Four years later he was. And this time he was linked to the cruelest cyberattack in history and had a new alias: ransom\_man.

_Excerpt adapted from_ Ctrl+Alt+Chaos: How Teenage Hackers Hijack the Internet _by Joe Tidy. Published by arrangement with Elliott & Thompson. Copyright © 2025 by Joe Tidy._

What Really Happened in the Aftermath of the Lizard Squad Hacks

Today, your internet presence is much more than just a website or social media profile, it’s like your…

Today, your internet presence is much more than just a website or social media profile, it’s like your business card, reputation and main medium of staying connected. However, with this visibility comes genuine danger. Do you know what’s one of the most troublesome threats hiding out there? DDoS attacks! If you have not heard this term before, no need to worry. Let’s simplify it and understand how to protect your online space from it.

****DDoS: What it Means****

DDoS is short for Distributed Denial of Service. It may sound complicated, but basically, it means overwhelming a server or website with excessive fake traffic until it falls apart. Imagine a coffee shop where suddenly many people arrive at the same time, not to buy anything, just to block the space. In this situation, real customers are unable to enter and the business comes to a halt. This is primarily what occurs during a DDoS attack – it’s bots that cause this blockage.

Usually, these kinds of attacks are started by using networks of computers that have been taken over – many times they belong to people who don’t even know. This is what is meant by “distributed”. When it starts, your website could either become very slow or completely unavailable.

****Why You Should Care (Even If You’re a Small Business)****

At this point, it’s normal to think, “I don’t have a major brand, just a small business” or “I just run a personal blog.” DDoS attacks can also be used against much smaller businesses. Smaller sites are targeted quite often because attackers believe their security is not as strong. Truth is, when your website goes down, even briefly, it affects your reputation, and your budget and makes your customers or users unhappy.

In addition, a DDoS attack can stop your service or online store from operating. People can’t order or get answers which causes them to doubt the business. It can be very irritating, but it can also be truly harmful.

****Start with Strong Hosting****

A solid first action is to select a reliable hosting provider. Hosting providers are not all the same and some are better prepared to handle DDoS attacks than others. Find hosting providers that guarantee or promote DDoS protection through their services. This is because they have effective steps to prevent and handle an attack early on.

Don’t hesitate and ask your hosting provider which security measures they have for your website. If their responses are unclear or they treat security lightly, this is a warning sign. You should choose a provider that handles the back-end work and protects your site from malicious users at the same time.

****Get a CDN Working for You****

For even better performance, allow your website to tap into a CDN. A Content Delivery Network uses multiple servers worldwide to distribute the activities involved in content delivery. Therefore, all the requests are not delivered to your main server at the same time. If there is a DDoS attack, the distribution system can save you.

****Firewalls and Rate Limiting****

Firewalls act like filters, they inspect incoming traffic and stop suspicious things before reaching your main systems. Web Application Firewalls (WAFs) are specially designed to block the kind of unwanted traffic that DDoS attacks cause.

Next, we have rate limiting – this is a background function that restricts how frequently someone can interact with your site. If something is making constant requests to your server, it will be flagged or stopped.

****Keep an Eye on What’s Happening****

A lot of damage from DDoS attacks happens because people don’t notice it early enough. So, make sure to monitor your site’s traffic. Sudden increases, constant hits to one page or visits from strange places can all suggest concerns. 

Many tools exist today that make website monitoring easy. Some of these are included in hosting plans, while others can be added by you manually. You don’t need advanced coding skills – just some understanding of this domain is quite helpful.

****Have a Contingency Plan****

Regardless of how strong your security is, things can still go wrong. So it’s smart to have a plan in case you do get hit. Be aware of who you should reach out to when problems occur – this could be your host, a protective service or someone experienced in such matters.

Maintain updated backups and ensure you are familiar with quick restoration. Additionally, inform your users about the ongoing situations. Clear communication can go a long way in keeping trust intact during tough times.

****Call in the Pros if You Need to****

Feeling overwhelmed? Managed security services exist for a reason. These individuals are experts in detecting threats and reacting quickly, so you don’t need to be on guard all the time.

Yes, it costs money. However, if your business relies on your online presence, the expense may be worthwhile simply for the reassurance. Think of it as employing a security guard for the night shift at your virtual store.

****Keep Everything up to Date****

This may seem like the basics of cybersecurity, but it’s important to keep your devices updated. Old plugins, CMS versions or themes can be great opportunities for hackers. Fix those gaps before anyone else discovers them.

Nevertheless, DDoS attacks are very serious, but they’re not impossible to defeat. By using intelligent strategies such as improving hosting services, CDNs, traffic filters and constant monitoring you can significantly reduce your risk.

(Image by Free stock photos from www.rupixen.com from Pixabay)

How to Protect Your Online Presence from Devastating DDoS Attacks

Shift in cyberattack focus puts APAC region under growing pressure.

India, China and the US were the top DDoS attacks targets in Q1 2025, with APAC facing over half of global attacks, according to new data from cybersecurity firm StormWall.

A new report from cybersecurity firm StormWall reveals that nearly half of all DDoS attacks in the first quarter of 2025 were aimed at China, India and the United States. Instead of focusing heavily on the usual targets, attackers are now directing more of their efforts toward infrastructure in the Asia-Pacific region.

According to StormWall’s analytics center, India topped the chart with 18.1% of the global DDoS traffic, followed by China at 16.2% and the US at 14.7%. Japan (12.3%) and Taiwan (10.2%) rounded out the top five. When it comes to industry-wise attacks, Telecommunications became the top target in APAC, with 136% year-over-year (YOY) growth.

Four of the five most targeted countries now sit in the APAC region, with 57% of all malicious requests focused there. This shows that attackers are moving their focus away from the usual targets in Europe and North America, at least for now. The reasons may be geopolitical, economic, or a combination of both.

“You can always count on US targets attracting a lot of attention,” said Ramil Khantimirov, founder of StormWall. It’s the world’s largest GDP and hackers are always going to target that, but we’ve never seen so much activity in APAC and so densely concentrated.”

According to StormWall’s report shared with Hackread.com ahead of publishing on Thursday, the main force behind these attacks is botnets. These networks of infected devices were responsible for nearly 70% of all DDoS traffic tracked by StormWall in the first quarter of 2025.

Botnets, often run by state-sponsored groups, hacktivists, or organized cyber criminals, allow attackers to direct massive traffic at targeted systems. One such botnet identified in the report, named “Eleven11bot,” used a network of 86,000 compromised IP cameras and DVRs. It was frequently used in politically motivated campaigns.

While APAC faced an increase in DDoS attacks, other regions haven’t been spared. Belgium, though much smaller, experienced significant attacks, with 9.7% of global DDoS activity aimed at its national digital infrastructure, including MyGov.be and the Walloon Parliament. Saudi Arabia was also hit hard, at 6.8%, largely due to pro-Palestinian attacks linked to ongoing regional tensions.

Countries like Italy, Russia, and Switzerland appeared further down the list with lower attack volumes, but experts caution that even minor increases in activity can pose serious threats to unprepared networks.

Via StormWall

StormWall’s data paints a picture of a fast-evolving threat environment, driven by automation, political motives, and shifting strategic interests. While botnet-powered campaigns grow in scale, the need for mitigation services is more important than ever.

However, separate research from NordPass shows that many industries still fall short on basic cybersecurity. In most cases, weak and easily guessed passwords like 123456 and passwords@, are still in use, making systems vulnerable to breaches and turning devices into part of larger botnets.

StormWall Reveals India, China and US Faced Most DDoS Attacks in Q1 2025

Among all ages, Minecraft still rules the gaming scene as a preferred choice. The game provides a broad…

Among all ages, Minecraft still rules the gaming scene as a preferred choice. The game provides a broad spectrum of activities from building huge constructions and joining multiplayer servers to investigating blocky environments. But your PC configuration is more important than you would realize for seamless, lag-free gameplay.

Minecraft may seem visually basic, but depending on shaders, modifications, or custom servers it may be shockingly resource-intensive. Performance depends on your computer’s meeting of the optimal system criteria. Equally crucial, particularly in multiplayer settings, is having access to a solid good Minecraft hosting to maintain server-side gaming robust and responsive.

****Minimum against Suggested System Requirements****

Your playing style will affect Minecraft’s performance needs. Most entry-level systems let Vanilla Minecraft (unmodified) operate. The demand rises greatly, though, if you’re experimenting with high-end shaders or diving into sophisticated modpacks.

****Here’s what you should know:****

**Vanilla Minecraft’s minimum requirements:**

*   CPU: Intel Core i3-3210 / AMD A8-7600  
    
*   RAM: 4 GB  
    
*   GPU: Intel HD4000 / AMD Radeon R5 integrated graphics  
    
*   Storage: Free 2 GB  
    
*   OS: Windows 7 or anything later  
    

**For Modded or Shader-Enhanced Minecraft, recommended requirements:**

*   CPU: Intel Core i5, AMD Ryzen 5 or above  
    
*   RAM: 8 GB or above  
    
*   GPU: Specifically designed graphics (GTX 1650 / RX 570 or above)  
    
*   Storage: SSD with at least 4 GB free capacity  
    
*   OS: latest macOS/Linux or Windows 10/11  
    

Although these requirements offer a minimum, gaming may also be impacted by Java settings and background apps.

****What Affects Minecraft Performance?****

Especially in single-player or slightly modified gameplay, Minecraft mostly depends on CPU and RAM rather than GPU. But when you include shaders or higher-resolution texture packs, GPU capability becomes crucial. Storage also plays a part; loading worlds on SSDs is clearly faster than on conventional hard disks.

New performance requirements are presented by server-based games. Stuttering, latency, or crashes might result from hosting your own server on the same system you are using for play. Many players thus choose outside solutions that guarantee a better experience for the host and users by providing solid Minecraft hosting with 24/7 uptime, mod support, and DDoS protection.

****Single-Player Versus Multiplayer: Hardware Division****

Running Minecraft in single-player mode mostly runs on resources from your machine, but adding multiplayer alters the dynamic. Even a little server calls for more RAM and CPU when hosted. Particularly if your environment has farms, redstone contraventions, or modified material, more players mean an exponentially increasing burden.

Separating your games from your hosting will help to ensure the best performance. While the hosting provider manages world data and multiplayer traffic, using an outside host lets your computer concentrate on producing your game.

****Essential Items to Give Minecraft Top Priority****

Here’s the only list you should concentrate on whether you are constructing or updating your PC for Minecraft:

*   **CPU:** Pick a high-performance CPU – AMD Ryzen 5/7 or Intel i5/i7. Particularly with add-ons, Minecraft uses CPU heavily.  
    
*   **RAM:** Try a minimum of 8 GB. Should you be modifying, use the launcher to allot 4–6 GB to Minecraft.  
    
*   **GPU:** Shaders and HD textures call for this. A GTX 1650 or above will offer a smooth ride.  
    
*   **Storage:** For rapid startup times and speedy world loading, use an SSD.  
    
*   **Cooling:** Minecraft may be taxing over long sessions; excellent ventilation helps to reduce overheating.  
    

This configuration guarantees both performance and long-term dependability so you may enjoy every feature of Minecraft free from restrictions.

****Tips for Optimizing Performance: Tweaks****

Changing in-game settings will help to increase performance even with a good machine. FPS may be much improved by cutting render distance, turning off fancy visuals, and decreasing particle count. Another great approach to improving graphic quality and keeping smooth gameplay is installing OptiFine. It also provides sophisticated shader support and visual settings.

Simple actions that increase stability and speed are allocating more RAM through the launcher and maintaining Java runtime updated for your drivers.

****Considerations for Hosting Multiple Player Servers****

If you intend to operate a Minecraft server, especially one available to friends or the public, you should give some thought to an outside hosting provider. While it’s possible to host locally, your performance and security may suffer.

A well-reviewed Minecraft server hosting provider can make all the difference. From one-click modpack installations to reliable support, hosted services ensure that your server remains online, optimized, and protected. It also frees up your personal computer for gameplay instead of acting as both client and server.

****Conclusion: Build Smart, Play Smooth****

Minecraft offers limitless creativity, but your PC’s hardware determines how enjoyable the experience is. From exploring vast modded worlds to managing thriving multiplayer servers, having the right specifications can transform gameplay from sluggish to seamless.

Choosing high-quality components and pairing them with good Minecraft hosting not only enhances your in-game experience but also ensures your community remains connected and lag-free. And if you’re diving into server management, don’t overlook the importance of selecting reliable Minecraft server hosting to handle the backend with efficiency and speed.

Photo by Oberon Copeland @veryinformed.com on Unsplash

Maximize Your Minecraft: Optimal PC Setup and Server Hosting Essentials

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

In a major international operation coordinated by Europol and Eurojust, law enforcement agencies and private sector partners have successfully dismantled the DanaBot malware network.

This global effort, part of the ongoing Operation Endgame, led to federal charges against 16 individuals, the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025, and the issuance of international arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has also been seized in total during Operation Endgame, including EUR 3.5 million during this latest action week.

The DanaBot malware, controlled by a Russia-based cybercrime organization, infected over 300,000 computers globally, causing at least an estimated $50 million in damages through fraud and ransomware. Among those charged by the US Department of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large.

****DanaBot’s Evolution Tactics****

DanaBot, first identified in May 2018, operated as a _malware-as-a-service_ (MaaS), renting its capabilities to other criminals. It was highly versatile, stealing banking credentials, browsing history, and even cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often came via spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its spread.

ESET, which has carefully tracked DanaBot since 2018, confirmed its evolution into a top banking malware, noting that countries like Poland, Italy, Spain, and Turkey were historically among its most targeted.

ESET researcher Tomáš Procházka added, “Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system.”

More recently, a new version of DanaBot has been found hidden in pirated software keys for “free VPN, anti-virus software and pirated games,” tricking users downloading from bogus sites.

DanaBot Infrastructure (Source: ESET)

Beyond financial crime, the investigation revealed DanaBot’s sinister dual purpose. A variant, tracked by CrowdStrike as SCULLY SPIDER, targeted military, diplomatic, and government entities in North America and Europe for espionage, and was observed by ESET launching DDoS attacks against targets like Ukraine’s Ministry of Defense following the Russian invasion.

According to Europol’s press release, this massive takedown is an evidence to extensive international cooperation. The investigation was spearheaded by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service (DCIS), with significant assistance from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police.

Europol and Eurojust provided crucial coordination, with a command post at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.

Numerous private cybersecurity companies provided critical technical assistance, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru, and ZScaler. ESET Research specifically contributed technical analysis of the malware and its backend infrastructure, along with identifying DanaBot’s command and control servers.

German authorities will add 18 suspects to the EU Most Wanted list from May 23, 2025. This coordinated action is a major blow to cybercriminal networks, showing the power of global partnerships against growing cybersecurity threats.

Operation Endgame is aimed at breaking the “ransomware kill chain.” So far authorities have neutralised initial access malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.

Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling **DanaBot**, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The **FBI** says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

DanaBot’s features, as promoted on its support site. Image: welivesecurity.com.

Initially spotted in May 2018 by researchers at the email security firm **Proofpoint**, DanaBot is a malware-as-a-service platform that specializes in credential theft and banking fraud.

Today, the **U.S. Department of Justice** unsealed a criminal complaint and indictment from 2022, which said the FBI identified at least 40 affiliates who were paying between $3,000 and $4,000 a month for access to the information stealer platform.

The government says the malware infected more than 300,000 systems globally, causing estimated losses of more than $50 million. The ringleaders of the DanaBot conspiracy are named as **Aleksandr Stepanov**, 39, a.k.a. “**JimmBee**,” and **Artem Aleksandrovich Kalinkin**, 34, a.k.a. “**Onix**”, both of Novosibirsk, Russia. Kalinkin is an IT engineer for the Russian state-owned energy giant **Gazprom**. His Facebook profile name is “Maffiozi.”

According to the FBI, there were at least two major versions of DanaBot; the first was sold between 2018 and June 2020, when the malware stopped being offered on Russian cybercrime forums. The government alleges that the second version of DanaBot — emerging in January 2021 — was provided to co-conspirators for use in targeting military, diplomatic and non-governmental organization computers in several countries, including the United States, Belarus, the United Kingdom, Germany, and Russia.

“Unindicted co-conspirators would use the Espionage Variant to compromise computers around the world and steal sensitive diplomatic communications, credentials, and other data from these targeted victims,” reads a grand jury indictment dated Sept. 20, 2022. “This stolen data included financial transactions by diplomatic staff, correspondence concerning day-to-day diplomatic activity, as well as summaries of a particular country’s interactions with the United States.”

The indictment says the FBI in 2022 seized servers used by the DanaBot authors to control their malware, as well as the servers that stored stolen victim data. The government said the server data also show numerous instances in which the DanaBot defendants infected their own PCs, resulting in their credential data being uploaded to stolen data repositories that were seized by the feds.

“In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware,” the criminal complaint reads. “In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake.”

Image: welivesecurity.com

A statement from the DOJ says that as part of today’s operation, agents with the **Defense Criminal Investigative Service** (DCIS) seized the DanaBot control servers, including dozens of virtual servers hosted in the United States. The government says it is now working with industry partners to notify DanaBot victims and help remediate infections. The statement credits a number of security firms with providing assistance to the government, including **ESET**, **Flashpoint**, **Google**, **Intel 471**, **Lumen**, **PayPal**, **Proofpoint**, **Team CYMRU**, and **ZScaler**.

It’s not unheard of for financially-oriented malicious software to be repurposed for espionage. A variant of the **ZeuS Trojan**, which was used in countless online banking attacks against companies in the United States and Europe between 2007 and at least 2015, was for a time diverted to espionage tasks by its author.

As detailed in this 2015 story, the author of the ZeuS trojan created a custom version of the malware to serve purely as a spying machine, which scoured infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

The public charging of the 16 DanaBot defendants comes a day after **Microsoft** joined a slew of tech companies in disrupting the IT infrastructure for another malware-as-a-service offering — Lumma Stealer, which is likewise offered to affiliates under tiered subscription prices ranging from $250 to $1,000 per month. Separately, Microsoft filed a civil lawsuit to seize control over 2,300 domain names used by Lumma Stealer and its affiliates.

Further reading:

Danabot: Analyzing a Fallen Empire

ZScaler blog: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense

Flashpoint: Operation Endgame DanaBot Malware

Team CYMRU: Inside DanaBot’s Infrastructure: In Support of Operation Endgame II

March 2022 criminal complaint v. Artem Aleksandrovich Kalinkin

September 2022 grand jury indictment naming the 16 defendants

Oops: DanaBot Malware Devs Infected Their Own PCs

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments.

The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ’s announcement of the charges describes the group as “Russia-based,” and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US.

Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also makes a rarer claim—it describes how a second variant of the malware it says was used in espionage against military, government, and NGO targets. “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli wrote in a statement.

Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an “affiliate” model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike.

At one point in 2021, according to Crowdstrike, Danabot was used in a software supply-chain attack that hid the malware in a javascript coding tool called NPM with millions of weekly downloads. Crowdstrike found victims of that compromised tool across the financial service, transportation, technology, and media industries.

That scale and the wide variety of its criminal uses made DanaBot “a juggernaut of the e-crime landscape,” according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint.

More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity.

Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine.

All of that makes DanaBot a particularly clear example of how cybercriminal malware has allegedly been adopted by Russian state hackers, Proofpoint's Larson says. “There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,” says Larson. The case of DanaBot, she says, “is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.”

In the criminal complaint, DCIS investigator Elliott Peterson—a former FBI agent known for his work on the investigation into the creators of the Mirai botnet—alleges that some members of the DanaBot operation were identified after they infected their own computers with the malware. Those infections may have been for the purposes of testing the trojan, or may have been accidental, according to Peterson. Either way, they resulted in identifying information about the alleged hackers ending up on DanaBot infrastructure that DCIS later seized. “The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on DanaBot servers, including data that helped identify members of the DanaBot organization,” Peterson writes.

The operators of DanaBot remain at large, but the takedown of a large-scale tool in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at Crowdstrike.

“Every time you disrupt a multiyear operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,” Meyers says. “But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.”

Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

KrebsOnSecurity hit and survided a record-breaking 6.3 Tbps DDoS attack linked to the Aisuru IoT botnet, but it shows the vulnerable state of IoT devices.

KrebsOnSecurity, the well-known cybersecurity blog run by investigative journalist Brian Krebs, was recently hit by a massive distributed denial-of-service (DDoS) attack that peaked at 6.3 terabits per second (Tbps). The attack, one of the largest recorded to date, is believed to have originated from a new Internet of Things (IoT) botnet named “Aisuru.”

The attack, which lasted around 45 seconds, was short but powerful. Despite the volume of traffic directed at the site, KrebsOnSecurity remained online, protected by Google’s Project Shield, a free service designed to defend news and journalism platforms from cyberattacks.

****Aisuru Botnet Behind the Attack****

According to Krebs, the source of the attack was the Aisuru botnet. Cybersecurity analysts at QiAnXin XLab originally identified the botnet in August 2024 composed primarily of compromised IoT devices such as routers, IP cameras, and digital video recorders. These devices were hijacked and turned into zombie devices, carrying out massive amounts of traffic at Krebs’ site in a coordinated attack.

The name “Aisuru” began appearing in underground forums earlier this year, associated with DDoS-for-hire services. While it’s still under investigation, early indicators suggest the botnet was stress-testing its capabilities, using KrebsOnSecurity as a high-profile target to showcase its power or send a message.

****A Familiar Tactic, But a New Scale****

Brian Krebs is no stranger to DDoS attacks. His blog, known for deep reporting on cybercrime groups and internet abuse, has been a repeated target over the years. As Hackread.com reported in 2016, his site was taken offline by a 620 Gbps attack powered by the Mirai botnet.

The 2025 incident shows just how much the threat has grown. At 6.3 Tbps, the Aisuru-powered DDoS attack was ten times the size of the 2016 attack, showing both the scale of modern botnets and the ongoing security vulnerabilities in consumer-grade IoT devices.

****Who’s Behind It?****

While attribution is always difficult in these cases, Kreb’s blog post detailing the attack points to an individual known online as “Forky.” The alias has been connected to forum posts offering DDoS services and botnet rentals, and security researchers have linked Forky to chatter around Aisuru.

In a Telegram conversation with Krebs, Forky denied orchestrating the attack on Krebs, claiming instead that someone else may have used the botnet without their direct involvement.

> _“Forky denied being involved in the attack but acknowledged that he helped to develop and market the Aisuru botnet. Forky claims he is now merely a staff member for the Aisuru botnet team, and that he stopped running the botnet roughly two months ago after starting a family.”_
> 
> Brian Krebs

****What Now?****

Attacks of this scale are a massive threat to the future of online infrastructure. A 6.3 Tbps attack isn’t just a threat to blogs or small sites, it’s enough to knock entire hosting providers or data centers offline if left unmitigated. Remember, the Mirai botnet-powered DDoS attack on DYN DNS in October 2016 had a massive impact on the internet.

It also renews attention to the need for better security in internet-connected devices. Unlike its Airashi variant, most of the hardware used in Aisuru’s botnet is cheap, outdated, and often shipped with weak or default credentials. Until manufacturers take real steps to secure these devices, botnets will continue to grow, and attacks like this one will become more common.

HackRead will continue tracking developments around the Aisuru botnet and similar threats as more information becomes available.

KrebsOnSecurity Hit with 6.3 Tbps DDoS Attack via Aisuru Botnet

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.

For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the **Mirai** IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that **Akamai** – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers.

Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of **Project Shield**, a free DDoS defense service that **Google** provides to websites offering news, human rights, and election-related content. Google Security Engineer **Damian Menscher** told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that **Cloudflare** mitigated and wrote about in April.

After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bears the fingerprints of **Aisuru**, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports _at a rate of approximately 585 million data packets per second_.

“It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”

A graph depicting the 6.5 Tbps attack mitigated by Cloudflare in April 2025. Image: Cloudflare.

The Aisuru botnet comprises a globally-dispersed collection of hacked IoT devices, including routers, digital video recorders and other systems that are commandeered via default passwords or software vulnerabilities. As documented by researchers at **QiAnXin XLab**, the botnet was first identified in an August 2024 attack on a large gaming platform.

Aisuru reportedly went quiet after that exposure, only to reappear in November with even more firepower and software exploits. In a January 2025 report, XLab found the new and improved Aisuru (a.k.a. “**Airashi**“) had incorporated a previously unknown zero-day vulnerability in Cambium Networks cnPilot routers.

**NOT FORKING AROUND**

The people behind the Aisuru botnet have been peddling access to their DDoS machine in public **Telegram** chat channels that are closely monitored by multiple security firms. In August 2024, the botnet was rented out in subscription tiers ranging from $150 per day to $600 per week, offering attacks of up to two terabits per second.

“You may not attack any measurement walls, healthcare facilities, schools or government sites,” read a notice posted on Telegram by the Aisuru botnet owners in August 2024.

Interested parties were told to contact the Telegram handle “**@yfork**” to purchase a subscription. The account @yfork previously used the nickname “**Forky**,” an identity that has been posting to public DDoS-focused Telegram channels since 2021.

According to the FBI, Forky’s DDoS-for-hire domains have been seized in multiple law enforcement operations over the years. Last year, Forky said on Telegram he was selling the domain **stresser\[.\]best**, which saw its servers seized by the FBI in 2022 as part of an ongoing international law enforcement effort aimed at diminishing the supply of and demand for DDoS-for-hire services.

“The operator of this service, who calls himself ‘Forky,’ operates a Telegram channel to advertise features and communicate with current and prospective DDoS customers,” reads an FBI seizure warrant (PDF) issued for stresser\[.\]best. The FBI warrant stated that on the same day the seizures were announced, Forky posted a link to a story on this blog that detailed the domain seizure operation, adding the comment, “We are buying our new domains right now.”

A screenshot from the FBI’s seizure warrant for Forky’s DDoS-for-hire domains shows Forky announcing the resurrection of their service at new domains.

Approximately ten hours later, Forky posted again, including a screenshot of the stresser\[.\]best user dashboard, instructing customers to use their saved passwords for the old website on the new one.

A review of Forky’s posts to public Telegram channels — as indexed by the cyber intelligence firms **Unit 221B** and **Flashpoint** — reveals a 21-year-old individual who claims to reside in Brazil \[full disclosure: Flashpoint is currently an advertiser on this blog\].

Since late 2022, Forky’s posts have frequently promoted a DDoS mitigation company and ISP that he operates called **botshield\[.\]io**. The Botshield website is connected to a business entity registered in the United Kingdom called Botshield LTD, which lists a 21-year-old woman from Sao Paulo, Brazil as the director. Internet routing records indicate Botshield (AS213613) currently controls several hundred Internet addresses that were allocated to the company earlier this year.

**Domaintools.com** reports that botshield\[.\]io was registered in July 2022 to a **Kaike Southier Leite** in Sao Paulo. A LinkedIn profile by the same name says this individual is a network specialist from Brazil who works in “the planning and implementation of robust network infrastructures, with a focus on security, DDoS mitigation, colocation and cloud server services.”

**MEET FORKY**

Image: Jaclyn Vernace / Shutterstock.com.

In his posts to public Telegram chat channels, Forky has hardly attempted to conceal his whereabouts or identity. In countless chat conversations indexed by Unit 221B, Forky could be seen talking about everyday life in Brazil, often remarking on the extremely low or high prices in Brazil for a range of goods, from computer and networking gear to narcotics and food.

Reached via Telegram, Forky claimed he was “not involved in this type of illegal actions for years now,” and that the project had been taken over by other unspecified developers. Forky initially told KrebsOnSecurity he had been out of the botnet scene for years, only to concede this wasn’t true when presented with public posts on Telegram from late last year that clearly showed otherwise.

Forky denied being involved in the attack on KrebsOnSecurity, but acknowledged that he helped to develop and market the Aisuru botnet. Forky claims he is now merely a staff member for the Aisuru botnet team, and that he stopped running the botnet roughly two months ago after starting a family. Forky also said the woman named as director of Botshield is related to him.

Forky offered equivocal, evasive responses to a number of questions about the Aisuru botnet and his business endeavors. But on one point he was crystal clear:

“I have zero fear about you, the FBI, or Interpol,” Forky said, asserting that he is now almost entirely focused on their hosting business — Botshield.

Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.

DomainTools finds the same Sao Paulo street address in the registration records for botshield\[.\]io was used to register several other domains, including **cant-mitigate\[.\]us.** The email address in the WHOIS records for that domain is forkcontato@gmail.com, which DomainTools says was used to register the domain for the now-defunct DDoS-for-hire service **stresser\[.\]us**, one of the domains seized in the FBI’s 2023 crackdown.

On May 8, 2023, the **U.S. Department of Justice** announced the seizure of stresser\[.\]us, along with a dozen other domains offering DDoS services. The DOJ said ten of the 13 domains were reincarnations of services that were seized during a prior sweep in December, which targeted 48 top stresser services (also known as “booters”).

Forky claimed he could find out who attacked my site with Aisuru. But when pressed a day later on the question, Forky said he’d come up empty-handed.

“I tried to ask around, all the big guys are not retarded enough to attack you,” Forky explained in an interview on Telegram. “I didn’t have anything to do with it. But you are welcome to write the story and try to put the blame on me.”

**THE GHOST OF MIRAI**

The 6.3 Tbps attack last week caused no visible disruption to this site, in part because it was so brief — lasting approximately 45 seconds. DDoS attacks of such magnitude and brevity typically are produced when botnet operators wish to test or demonstrate their firepower for the benefit of potential buyers. Indeed, Google’s Menscher said it is likely that both the May 12 attack and the slightly larger 6.5 Tbps attack against Cloudflare last month were simply tests of the same botnet’s capabilities.

In many ways, the threat posed by the Aisuru/Airashi botnet is reminiscent of Mirai, an innovative IoT malware strain that emerged in the summer of 2016 and successfully out-competed virtually all other IoT malware strains in existence at the time.

As first revealed by KrebsOnSecurity in January 2017, the Mirai authors were two U.S. men who co-ran a DDoS mitigation service — even as they were selling far more lucrative DDoS-for-hire services using the most powerful botnet on the planet.

Less than a week after the Mirai botnet was used in a days-long DDoS against KrebsOnSecurity, the Mirai authors published the source code to their botnet so that they would not be the only ones in possession of it in the event of their arrest by federal investigators.

Ironically, the leaking of the Mirai source is precisely what led to the eventual unmasking and arrest of the Mirai authors, who went on to serve probation sentences that required them to consult with FBI investigators on DDoS investigations. But that leak also rapidly led to the creation of dozens of Mirai botnet clones, many of which were harnessed to fuel their own powerful DDoS-for-hire services.

Menscher told KrebsOnSecurity that as counterintuitive as it may sound, the Internet as a whole would probably be better off if the source code for Aisuru became public knowledge. After all, he said, the people behind Aisuru are in constant competition with other IoT botnet operators who are all striving to commandeer a finite number of vulnerable IoT devices globally.

Such a development would almost certainly cause a proliferation of Aisuru botnet clones, he said, but at least then the overall firepower from each individual botnet would be greatly diminished — or at least within range of the mitigation capabilities of most DDoS protection providers.

Barring a source code leak, Menscher said, it would be nice if someone published the full list of software exploits being used by the Aisuru operators to grow their botnet so quickly.

“Part of the reason Mirai was so dangerous was that it effectively took out competing botnets,” he said. “This attack somehow managed to compromise all these boxes that nobody else knows about. Ideally, we’d want to see that fragmented out, so that no \[individual botnet operator\] controls too much.”

KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS

DDoSecrets indexes 410GB of breached TeleMessage data, including messages and metadata, from hack tied to unsecured Signal clone used by US government officials.

On the 4th of May 2025, TeleMessage, an Israeli company providing modified versions of encrypted messaging apps like Signal, **suffered a major data breach**. The breach exposed archived messages, contact information of government officials, and backend login credentials.

The hacker, whose identity is still unknown, exploited a vulnerability in the company’s system, accessing a publicly exposed Java heap dump file that contained sensitive information. This incident raised serious concerns about the security of communications at the highest levels of the United States government, especially since former National Security Advisor Mike Waltz was seen using TeleMessage’s TM SGNL app during a cabinet meeting.

Following the breach, TeleMessage temporarily suspended its services and removed references to the app from its website. The company’s parent organization, Smarsh, is reportedly rebranding the service as Capture Mobile.

The incident has prompted investigations into the security practices of TeleMessage and the potential risks associated with using modified messaging apps for official government communications.

****CISA Added TeleMessage Vulnerability to KEV List****

In response, on 13 May 2025, the Cybersecurity and Infrastructure Security Agency (CISA) **added the critical vulnerability** in TeleMessage’s TM SGNL messaging app to its Known Exploited Vulnerabilities (KEV) catalogue.

This vulnerability, identified as CVE-2025-47729, involves the storage of unencrypted message archives, allowing attackers to access plaintext chat logs. Despite a low CVSS score of 1.9, the flaw’s exploitation in the wild prompted CISA to mandate that federal agencies address the issue within three weeks, either by applying vendor-provided mitigations or discontinuing the use of the product.

**DDoSecrets Indexes TeleMessage Breach Data**

Now, Distributed Denial of Secrets (DDoSecrets), a nonprofit focused on sharing leaked and hacked data in the public interest, has added the full set of breached TeleMessage data to its online archive.

In a **post** on Telegram, the organisation said the data includes some plaintext messages, while other parts consist only of metadata like sender and recipient info, timestamps, and group names. To make the material easier to analyze, DDoSecrets also extracted readable text from the original heap dump files.

However, because the dataset contains personal information and includes messages unrelated to government or corporate activity, access is currently limited to journalists and researchers.

Screenshot from DDoSecrets’ Telegram account (Credit: Hackread.com)

As of now, Hackread.com has not received a response to its request for access to the data. Nevertheless, the indexing of the TeleMessage data adds to the company’s troubles. Weeks after the breach, its website still shows limited content, and operations are still suspended.

Tag

#ddos