In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide. The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10.

The now defunct platforms – Cfxapi, Cfxsecurity, neostress, jetstress, quickdown and zapcut – are thought to have facilitated widespread attacks on schools, government services, businesses, and gaming platforms between 2022 and 2025.

The platforms offered slick interfaces that required no technical skills. Users simply entered a target IP address, selected the type and duration of attack, and paid the fee — automating attacks that could overwhelm even well-defended websites.

Global law enforcement response
The arrests in Poland were part of a coordinated international action involving law enforcement authorities in 4 countries, with Europol providing analytical and operational support throughout the investigation.

Dutch authorities have deployed fake booter sites designed to warn users seeking out DDoS-for-hire services, reinforcing the message that those who use these tools are being watched and could face prosecution. Data from booter websites, seized by Dutch law enforcement in data centres in the Netherlands, was shared with international partners, including Poland, contributing to the arrest of the four administrators.

The United States seized 9 domains associated with booter services during the coordinated week of action, continuing its broader campaign against commercialised DDoS platforms.

Germany supported the Polish-led investigation by helping identify one of the suspects and sharing critical intelligence on others.

The National Crime Agency has infiltrated a significant DDoS-for-hire service which has been responsible for tens of thousands of attacks every week across the globe.

The disruption targeting digitalstress.su, a criminal marketplace offering DDos capabilities, was made in partnership with the Police Service of Northern Ireland.

It comes after the PSNI arrested one of the site’s suspected controllers earlier this month.

Key Attack Insights:

• Web DDoS attack campaign lasted six days and peaked at 14.7 Million RPS
• Featured multiple attack waves amounting to a total of 100 hours of attack time
• Sustained an average of 4.5 million RPS
• Targeted a financial institution in the Middle East
• Averaged a 0.12% ratio of legitimate to malicious web requests
• Attributed by Radware to SN_BLACKMETA, a pro-Palestinian hacktivist with potential ties to Sudan that may operate from within Russia
• Possibly leveraged the InfraShutdown premium DDoS-for-hire service

The U.K.'s National Crime Agency said it disrupted DigitalStress, a DDoS-for-hire operation that has been “responsible for tens of thousands of attacks every week across the globe.”

NoName057(16) relies heavily on HTTPS application-layer DDoS attacks, with many attacks repeatedly sourced from the same attack harness, networks, and targeting similar countries and industries.