PROBABLYPWNED
Threat Intelligence | April 17, 2026 | 4 min read

Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3M Accounts

International law enforcement operation takes down 53 DDoS-for-hire domains and exposes 3 million criminal user accounts. 21 countries participate in coordinated crackdown.

Alex Kowalski

A coordinated strike by 21 countries has dismantled major DDoS-for-hire infrastructure, seizing 53 domains and obtaining access to databases containing over 3 million criminal user accounts. Europol announced the results of Operation PowerOFF's latest action week, which ran from April 7-13, 2026.

The operation marks the largest coordinated crackdown on "booter" and "stresser" services—platforms that let anyone launch distributed denial-of-service attacks for a few dollars.

What Operation PowerOFF Achieved

The action week delivered concrete enforcement results:

  • 53 domains seized hosting DDoS-for-hire services
  • 4 arrests of individuals allegedly operating booter platforms
  • 25 search warrants executed across participating countries
  • 3+ million user accounts exposed from compromised databases
  • 75,000+ warning communications sent to identified criminal users

Participating nations included Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the U.K., and the U.S.

The U.S. Department of Justice simultaneously announced the seizure of 8 additional DDoS domains, including Vac Stresser and Mythical Stress—two services that had attracted substantial user bases before the takedown.

How Booter Services Enable Attacks

Booter services democratize DDoS attacks. For as little as $10-50, anyone can direct traffic floods at a target without technical knowledge or botnet infrastructure. The platforms handle everything—the user just enters a target IP address.

"Booter services allow users to launch DDoS attacks against targeted websites, servers, or networks," Europol explained. "By seizing these infrastructures, authorities hinder criminal operations that have enabled thousands of attacks against critical infrastructure, businesses, and individuals."

These services have fueled attacks against hospitals, schools, gaming platforms, financial institutions, and government websites. The low barrier to entry makes them attractive to everyone from disgruntled gamers to extortionists.

This latest action builds on previous W3LL phishing takedowns that targeted cybercriminal infrastructure, reflecting an ongoing strategy of dismantling the tools that enable mass-scale attacks.

Prevention Phase Targets Future Users

Operation PowerOFF has now shifted into a prevention phase targeting potential future offenders. The measures include:

  1. Search engine advertising - Ads warning young people about the legal consequences of using DDoS tools, placed where users search for these services
  2. URL removals - Over 100 URLs promoting illegal booter services removed from search results
  3. On-chain warnings - Messages tied to cryptocurrency payments for DDoS services, alerting users their transactions are being monitored

The 75,000 warning emails represent an unusual approach—directly contacting individuals identified in seized databases to inform them their activities are known to law enforcement. The communications explain the legal risks and encourage users to reconsider future involvement.

Why This Matters

Operation PowerOFF represents the kind of sustained, international pressure that actually disrupts cybercriminal ecosystems. Single-site takedowns rarely achieve lasting impact—operators simply migrate infrastructure. But seizing 53 domains simultaneously, arresting key operators, and obtaining user databases creates compounding problems for the ecosystem.

The exposed user accounts present particular risk. Anyone who paid for booter services through accounts linked to their real identity now faces potential legal exposure. Law enforcement has signaled it may pursue criminal charges against heavy users, not just operators.

For defenders, the immediate benefit is a temporary reduction in DDoS-for-hire capacity. But the services will eventually reconstitute elsewhere—the demand hasn't disappeared. Organizations protecting against DDoS should treat this as a reprieve, not a permanent solution.

The operation also demonstrates that international coordination on cybercrime has matured significantly. Getting 21 countries to execute simultaneous enforcement actions requires substantial planning and trust-building between agencies. That infrastructure, once established, makes future operations faster to execute.

Recommendations

Organizations that have experienced DDoS attacks from booter services should:

  1. Preserve evidence - Log data from past attacks may now be correlated with seized infrastructure
  2. Report incidents - Law enforcement agencies are actively building cases and need victim information
  3. Review DDoS mitigation - Use the current lull to assess whether existing protections are adequate

The cybercriminal ecosystem is resilient, but sustained pressure does work. Operation PowerOFF's multi-year campaign has made booter services measurably more difficult and risky to operate.
