wsj.com - By Robert McMillan, Sept. 15, 2025 7:00 am ET
Botnets, massive networks of hacked devices, are being used for dangerous attacks, one of which recently set a world record
The Federal Bureau of Investigation recently disrupted a network of hacked devices used by criminals in some of the largest online attacks yet seen. Now those devices have been hacked by someone new to build an even bigger weapon.
Law-enforcement agencies and technology companies are waging a war against increasingly powerful networks of hacked devices, called botnets, that can knock websites offline for a fee. They are used for extortion and by disreputable companies to knock rivals offline, federal prosecutors say.
But lately, a new age of dangerous botnets has arrived, and existing internet infrastructure isn’t prepared, some network operators say. These botnets are leveraging new types of internet-connected devices with faster processors and more network bandwidth, offering them immense power.
The criminals controlling the botnets now have the capabilities to move beyond website takedowns to target internet connectivity and disrupt very large swaths of the internet.
“Before the concern was websites; now the concern is countries,” said Craig Labovitz, head of technology with Nokia’s Deepfield division.
In August, federal prosecutors charged a 22-year-old Oregon man with operating a botnet that had shut down the X social-media site earlier this year.
But the FBI’s takedown last month appeared to have an unwanted consequence: freeing up as many as 95,000 devices to be taken over by new botnet overlords. That led to a free-for-all to take over the machines “as fast as possible,” said Damian Menscher, a Google engineer.
The operators of a rival botnet, called Aisuru, seized control of more than one-fourth of them and immediately started launching attacks that are “breaking records,” he said.
On Sept. 1, the network services company Cloudflare said it had measured an attack that clogged up computer networks with 11.5 trillion bits of junk information per second. That is enough to consume the download bandwidth of more than 50,000 consumer internet connections. In a post to X, Cloudflare declared this attack, known as a distributed denial of service, or DDoS, a “world record” in terms of intensity. Some analysts see it almost as an advertisement of the botnet’s capabilities.
It was one of several dozen attacks of a similar size that network operators have witnessed over the past weeks. The attacks were very short in duration—often lasting just seconds—and may be demonstrations of the Aisuru capabilities, likely representing just a fraction of their total available bandwidth, according to Nokia.
With the world’s increasing dependence on computer networks, denial-of-service attacks have become weapons of war. Russia’s intelligence service, the GRU, used DDoS attacks on Ukraine’s financial-services industry as a way to cause disruption ahead of its 2022 invasion, U.K. authorities have said.
Botnets such as Aisuru are made up of a range of internet-connected devices—routers or security cameras, for example—rather than PCs, and often these machines can only join one botnet at a time. Their attacks can typically be fended off by the largest cloud-computing providers.
One massive network that Google disrupted earlier this year had mushroomed from at least 74,000 Android devices in 2023 to more than 10 million devices in two years. That made it the “largest known botnet of internet-connected TV devices,” according to a July Google court filing.
This network was being used to click billions of Google advertisements in an ad fraud scheme, Google said, but the massive network “could be used to commit more dangerous cybercrimes, such as ransomware” or denial-of-service attacks, the Google filing said.
To date, denial-of-service attacks are spawned from networks like Aisuru that typically include tens of thousands of computers, not millions, making them easier to defend against.
In the past year, a very large botnet that has typically been used for fraud began launching online attacks. Called ResHydra, it is made up of tens of millions of devices, according to Nokia.
ResHydra represents a whole new level of problem, said Chris Formosa, a researcher with the networking company Lumen’s Black Lotus Labs. Harnessing a botnet of that size would “do extreme damage to a country.”
securityweek.com - By Ionut Arghire | September 2, 2025 (11:02 AM ET)
Updated: September 3, 2025 (2:45 AM ET)
Cloudflare on Monday said it blocked the largest distributed denial-of-service (DDoS) attack ever recorded, at 11.5 Tbps (Terabits per second).
In a short message on X, Cloudflare only shared that the attack was a UDP flood mainly sourced from Google Cloud infrastructure, which lasted approximately 35 seconds.
“Cloudflare’s defenses have been working overtime. Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps. The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud,” the company said.
In a Tuesday update, Cloudflare said that Google Cloud was one source of attack, but not the majority, and that several IoT and cloud providers were used to launch the assault.
“Defending against this class of attack is an ongoing priority for us, and we’ve deployed numerous strong defenses to keep users safe, including robust DDoS detection and mitigation capabilities,” a Google Cloud spokesperson told SecurityWeek.
“Our abuse defenses detected the attack, and we followed proper protocol in customer notification and response. Initial reports suggesting that the majority of traffic came from Google Cloud are not accurate,” the spokesperson said.
A UDP flood attack consists of a high volume of UDP (User Datagram Protocol) packets being sent to a target, which becomes overwhelmed and unresponsive when attempting to process and respond to them.
Because UDP packets are small and the receiver spends resources trying to process them, the attackers also increased the packet rate to 5.1 Bpps (billion packets per second) to deplete those resources and take down the target.
This record-setting DDoS attack takes the lead as the largest in history roughly three months after Cloudflare blocked a 7.3 Tbps DDoS attack.
Seen in mid-May, the assault targeted a hosting provider and lasted for only 45 seconds. Approximately 37.4 Tb of traffic, or the equivalent of over 9,000 HD movies, was delivered in the timeframe.
Like the newly observed attack, the May DDoS assault mainly consisted of UDP floods. It originated from over 122,000 IP addresses.
Cloudflare mitigated 27.8 million DDoS attacks in the first half of 2025, a number that surpassed the total observed in 2024 (21.3 million HTTP and Layer 3/4 DDoS attacks).
*Updated with statement from Google Cloud Cloudflare
newsukraine.rbc.ua - Cyber specialists from Ukraine's Defense Intelligence (HUR) have carried out a large-scale special operation targeting the occupation authorities in Crimea.
According to a Ukrainian intelligence source speaking to RBC-Ukraine, the operation lasted several days.
A powerful DDoS attack effectively paralyzed the information systems and network infrastructure in Crimea.
While the Russian occupiers were scrambling to identify the cause of the government systems' failure, HUR cyber experts infiltrated the electronic accounts of the leadership of the occupation administration in temporarily occupied Crimea. They gained access to the following digital resources:
ictjournal.ch - For years, the pro-Russian hacker group "Noname057(16)" carried out DDoS attacks against Western servers, including critical infrastructure in Switzerland. Judicial authorities have now dismantled one of the group's botnets and made arrests. The Office of the Attorney General of Switzerland (MPC) has issued three arrest warrants.
Judicial authorities in several countries carried out a coordinated operation against the hacker group "Noname057(16)". During the Action Day, launched by Europol after several years of investigation, searches took place in several countries, according to a statement from the Office of the Attorney General of Switzerland (MPC). Authorities seized equipment and arrested individuals, while in Switzerland "no computer involved in the network and in the attacks and no person residing in the country were identified".
The internationally coordinated measures, dubbed Operation Eastwood, made it possible to dismantle a botnet made up of several hundred servers spread around the world, according to the German Federal Criminal Police Office (BKA). The group "Noname057(16)" used this network to launch DDoS attacks, cyberattacks aimed at deliberately overloading servers.
Three arrest warrants issued by Switzerland
The group "Noname057(16)" has built up a substantial criminal record in recent years. The pro-Russian group has been regularly active since the start of the war in Ukraine in March 2022, the MPC says. The hacker collective has carried out DDoS attacks against many Western countries it considers pro-Ukrainian. On several occasions, Swiss servers, including sensitive infrastructure, have been targeted. These attacks generally occur during events related to Ukraine.
As a reminder, the hacktivist group paralysed the Parliament's websites in summer 2023, on the occasion of a video address by Ukrainian President Volodymyr Zelensky to the Federal Assembly. In January 2024, the hackers became active again during the Ukrainian president's visit to the World Economic Forum (WEF). A year later, the websites of the city of Lucerne and of Banque cantonale vaudoise were also targeted. Hacktivist attacks also took place in June 2024 during the Bürgenstock peace conference and during the Eurovision Song Contest in May 2025.
In June 2023, the Office of the Attorney General opened criminal proceedings against persons unknown for damage to data and coercion, according to the statement. In the course of the coordinated international investigations, several members of the hacker group were identified, including three suspected key individuals. The MPC extended its investigation to them and issued arrest warrants against them.
For the Action Day of 15 July 2025, the authorities of Switzerland and Germany were joined by those of the United States, the Netherlands, Sweden, France, Spain and Italy. The operation was supported by Europol, Eurojust and other European countries, the German federal police (BKA) says. In Switzerland, the MPC and the Federal Office of Police (Fedpol) contributed to the investigation.
The MPC regards the results of the operation as proof that "law-enforcement authorities are also able to identify highly professional cybercriminals and to offer protection against their attacks". The MPC stresses the importance of international cooperation in the fight against cross-border cybercrime.
europol.europa.eu - Between 14 and 17 July, a joint international operation, known as Eastwood and coordinated by Europol and Eurojust, targeted the cybercrime network NoName057(16). Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States took simultaneous actions against offenders and infrastructure belonging to the pro-Russian cybercrime network. The investigation was also supported by ENISA, as well as Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. The private parties ShadowServer and abuse.ch also assisted in the technical part of the operation.
The actions led to the disruption of an attack-infrastructure consisting of over one hundred computer systems worldwide, while a major part of the group's central server infrastructure was taken offline. Germany issued six warrants for the arrest of offenders living in the Russian Federation. Two of these persons are accused of being the main instigators responsible for the activities of "NoName057(16)". In total, national authorities have issued seven arrest warrants, which are directed, inter alia, against six Russian nationals for their involvement in the NoName057(16) criminal activities. All of the suspects are listed as internationally wanted, and in some cases, their identities are published in media. Five profiles were also published on the EU Most Wanted website.
National authorities have reached out to several hundred individuals believed to be supporters of the cybercrime network. The messages, shared via a popular messaging application, inform the recipient of the official measures, highlighting the criminal liability they bear for their actions pursuant to national legislation. Individuals acting for NoName057(16) are mainly Russian-speaking sympathisers who use automated tools to carry out distributed denial-of-service (DDoS) attacks. Operating without formal leadership or sophisticated technical skills, they are motivated by ideology and rewards.
NSFOCUS Fuying Lab's Global Threat Hunting System has discovered a new botnet family called "hpingbot" that has been quickly expanding.
This cross-platform botnet, built from scratch using the Go programming language, targets both Windows and Linux/IoT environments and supports multiple processor architectures including amd64, mips, arm, and 80386.
Unlike derivatives of well-known botnets like Mirai or Gafgyt, hpingbot showcases remarkable innovation by leveraging unconventional resources for stealth and efficiency, such as using the online text storage platform Pastebin for payload distribution and the network testing tool hping3 to execute Distributed Denial of Service (DDoS) attacks.
According to the report, this approach not only enhances its ability to evade detection but also significantly reduces the costs associated with development and operation, making hpingbot a formidable and evolving threat in the digital realm.
Hpingbot’s operational strategy is notably distinct, as it employs Pastebin to host and dynamically update malicious payloads, allowing attackers to adjust their load distribution frequently.
Monitoring data from Fuying Lab indicates that Pastebin links embedded in the botnet have shifted content multiple times since mid-June 2025, from hosting IP addresses to providing scripts for downloading additional components.
This flexibility is paired with the botnet’s reliance on hping3, a versatile command-line tool typically used for network diagnostics, to launch a variety of DDoS attacks such as SYN, UDP, and mixed-mode floods.
Interestingly, while the Windows version of hpingbot cannot utilize hping3 for DDoS attacks due to environmental limitations, its persistent activity underscores a broader focus on downloading and executing arbitrary payloads, hinting at intentions beyond mere network disruption.
Hacktivist attacks surge on U.S. targets after Iran bombings, with groups claiming DDoS hits on military, defense, and financial sectors amid rising tensions.
The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict.
Several hacktivist groups have claimed DDoS attacks against U.S. targets in the wake of U.S. airstrikes on Iranian nuclear sites on June 21.
The attacks—most notably from hacktivist groups Mr Hamza, Team 313, Cyber Jihad, and Keymous+—targeted U.S. Air Force domains, major U.S. aerospace and defense companies, and several banks and financial services companies.
The cyberattacks follow a broader campaign against Israeli targets that began after Israel launched attacks on Iranian nuclear and military targets on June 13. Israel and Iran have exchanged missile and drone strikes since the conflict began, and Iran also launched missiles at a U.S. military base in Qatar on June 23.
The accompanying cyber warfare has included DDoS attacks, data and credential leaks, website defacements, unauthorized access, and significant breaches of Iranian banking and cryptocurrency targets by Israel-linked Predatory Sparrow. Electronic interference with commercial ship navigation systems has also been reported in the Strait of Hormuz and the Persian Gulf.
Attacker rained down the equivalent of 9,300 full-length HD movies in just 45 seconds.
Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare.
The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.
Indiscriminate target bombing
Cloudflare said the attackers “carpet bombed” an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.
The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred. Unlike the more common Transmission Control Protocol, UDP doesn't wait for a connection between two computers to be established through a handshake and doesn't check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.
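A defender-side illustration of the carpet-bombing pattern described above, added here and not taken from Cloudflare or the article: it buckets flow records per destination IP and second and flags UDP traffic spread across many destination ports at a high packet rate. The `Flow` record layout, both thresholds and all sample data are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow sample; this record layout is an assumption for the example."""
    ts: int       # second in which the sample was taken
    src: str
    dst: str
    dport: int
    proto: str    # "udp" or "tcp"
    packets: int
    octets: int


def find_carpet_bombing(flows, min_ports=1000, min_pps=100_000):
    """Flag (destination IP, second) buckets whose UDP traffic hits at least
    min_ports distinct destination ports at min_pps packets or more.
    Both thresholds are illustrative and need tuning per network."""
    buckets = defaultdict(lambda: {"ports": set(), "srcs": set(), "pkts": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp":
            continue  # the pattern described is UDP; TCP scans are out of scope
        b = buckets[(f.dst, f.ts)]
        b["ports"].add(f.dport)
        b["srcs"].add(f.src)
        b["pkts"] += f.packets
        b["octets"] += f.octets
    alerts = []
    for (dst, ts), b in sorted(buckets.items()):
        if len(b["ports"]) >= min_ports and b["pkts"] >= min_pps:
            alerts.append({
                "dst": dst, "ts": ts,
                "ports": len(b["ports"]), "sources": len(b["srcs"]),
                "pps": b["pkts"], "bps": b["octets"] * 8,
            })
    return alerts


def constructed_sample():
    """Synthetic flows using documentation/benchmark address ranges only."""
    flows = []
    # Benign: 200 clients querying one resolver on UDP/53 during seconds 0..2.
    for ts in range(3):
        for i in range(200):
            flows.append(Flow(ts, f"192.0.2.{i + 1}", "198.51.100.10", 53, "udp", 2, 160))
    # Benign but noisy: a busy single-port UDP service (high pps, one port).
    flows.append(Flow(1, "192.0.2.250", "198.51.100.20", 443, "udp", 150_000, 150_000 * 1200))
    # Ignored: TCP connections to many ports (not the UDP pattern).
    for p in range(2000):
        flows.append(Flow(1, "192.0.2.251", "198.51.100.30", 1 + p, "tcp", 60, 60 * 60))
    # Flood: in second 1, 4000 distinct UDP ports on one IP, many sources.
    for p in range(4000):
        src = f"198.18.{p % 200}.{p % 250 + 1}"
        flows.append(Flow(1, src, "203.0.113.7", 10_000 + p, "udp", 50, 50 * 1400))
    return flows


if __name__ == "__main__":
    for alert in find_carpet_bombing(constructed_sample()):
        print(alert)
```

Requiring both a port-spread and a packet-rate condition keeps a busy single-port UDP service from being flagged on volume alone.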
No longer a neutral state, Sweden is now facing a wave of cyberattacks targeting key institutions.
Sweden is under attack, Prime Minister Ulf Kristersson said on Wednesday, following three days of disruptions targeting public broadcaster SVT and other key institutions.
"We are exposed to enormous cyberattacks. Those on SVT have now been recognised, but banks and Bank-id have also been affected," Kristersson told journalists in parliament.
The attacks have been identified as Distributed Denial-of-Service (DDoS) events and disrupted services, raising concerns about the resilience of Sweden’s digital infrastructure.
While Kristersson did not name a specific perpetrator, he referred to earlier reports by the Swedish Security Service, which has identified Russia, China, and Iran as frequent actors behind such cyber operations.
The incidents have heightened concerns about vulnerabilities in Sweden’s cybersecurity systems and underscored the growing threat to critical infrastructure in one of the world’s most connected nations, where over 93% of households have internet access.
Cybersecurity experts have warned that such breaches could escalate, impacting not just digital services, but also public trust.
The attacks come amid heightened geopolitical tensions. Sweden's recent accession to NATO and its support for Ukraine have likely made it a more prominent target for cyberattacks, including those originating from hostile states.
Previously known for its military neutrality, Sweden now faces what Kristersson described earlier this year as a "new and more dangerous reality" since joining NATO in 2024.
As part of its pledge to meet NATO's 2% of GDP defence spending target, the Swedish government has committed to invest heavily in cybersecurity and military capabilities.
KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been…
For reference, the 6.3 Tbps attack last week was ten times the size of the assault launched against this site in 2016 by the Mirai IoT botnet, which held KrebsOnSecurity offline for nearly four days. The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers.
Since the Mirai attack, KrebsOnSecurity.com has been behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content. Google Security Engineer Damian Menscher told KrebsOnSecurity the May 12 attack was the largest Google has ever handled. In terms of sheer size, it is second only to a very similar attack that Cloudflare mitigated and wrote about in April.
After comparing notes with Cloudflare, Menscher said the botnet that launched both attacks bears the fingerprints of Aisuru, a digital siege machine that first surfaced less than a year ago. Menscher said the attack on KrebsOnSecurity lasted less than a minute, hurling large UDP data packets at random ports at a rate of approximately 585 million data packets per second.
“It was the type of attack normally designed to overwhelm network links,” Menscher said, referring to the throughput connections between and among various Internet service providers (ISPs). “For most companies, this size of attack would kill them.”
In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan developed based on Go language. Given that many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the domestic gaming industry. Additionally, some technology companies and educational institutions have also been affected. The attack of this Botnet family is highly targeted, with attackers employing a periodical and multi-stage attack strategy to conduct continuous saturation attacks on selected targets.
In terms of technical implementation, the HTTPBot Botnet Trojan uses an “attack ID” to precisely initiate and terminate the attack process. It also incorporates a variety of innovative DDoS attack methods. By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms, including but not limited to the following detection bypass mechanisms:
Polish authorities have detained four suspects linked to six DDoS-for-hire platforms, believed to have facilitated thousands of attacks targeting schools, government services, businesses, and gaming platforms worldwide since 2022.
Such platforms are often marketed as legitimate testing tools on the dark web and hacking forums, but are mainly used to disrupt online services, servers, and websites by flooding them with traffic in distributed denial-of-service (DDoS) attacks and causing outages for real users.
The six DDoS services, named Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, have been taken down in a coordinated law enforcement action involving authorities from Germany, the Netherlands, Poland, and the United States.
"In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide," Europol said on Wednesday.
"The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."
On Friday morning, 10 January, the federal administration was disrupted for about 45 minutes by an outage of its IT systems caused by a DDoS attack. Telephony, Outlook, various Confederation websites and specialised applications were among the services affected. Countermeasures stabilised the situation.