Europol Operation PowerOFF Sends 75,000 Warning Letters to DDoS-for-Hire Customers Across 21 Nations
Operation PowerOFF enters its prevention phase — 75,000 warning letters to identified DDoS-for-hire customers, 53 domains seized, 4 arrests, and 3 million criminal accounts as a persistent enforcement asset.
Europol's Operation PowerOFF has entered its prevention phase — sending 75,000 warning letters to identified DDoS-for-hire customers, seizing 53 domains, and making 4 arrests across a 21-nation coordinated action built on 3 million criminal user accounts seized from booter service infrastructure.
THE HAGUE — On April 13, 2026, Europol coordinated a joint action week involving law enforcement agencies from 21 countries targeting the global DDoS-for-hire ecosystem. The operation, the latest phase of the ongoing Operation PowerOFF initiative, produced four arrests, 53 domain takedowns, and 25 search warrants — but the most significant element was the most unusual: over 75,000 warning emails and letters sent directly to identified customers of illegal DDoS-for-hire platforms, not just their operators. The customer-targeting approach marks a deliberate strategic shift, attacking the DDoS-for-hire business model from the demand side rather than through infrastructure seizure alone.
Operation profile
The demand-side strategy
The most operationally novel element of the April 2026 phase is the explicit targeting of customers rather than operators alone. Previous PowerOFF phases focused on seizing infrastructure and arresting platform operators — a whack-a-mole approach that produced temporary disruption but allowed rapid re-establishment under new domains. The April 2026 phase adds a deterrence layer aimed at the user base. When an FBI undercover agent purchased a subscription to one seized service for $45 per month — allowing simultaneous attacks on three targets for up to 40 minutes each — that transaction became part of a criminal record. Law enforcement now has 3 million such records from seized server databases. The 75,000 warning letters signal to the broader user base that paying for a DDoS attack leaves a traceable trail and may result in direct contact from law enforcement, even without formal charges.
The criminal pipeline problem
Frank Tutty of the UK National Crime Agency articulated the core issue directly: DDoS-for-hire is "an attractive entry-level cyber crime, and users can go on to even more serious offending." The warning letter campaign is designed to disrupt that criminal development pipeline. One prolific operator identified in earlier PowerOFF phases — a 26-year-old from Barneveld — was suspected of personally conducting 4,169 DDoS attacks. In May 2025, Polish police arrested four people running six platforms operating from 2022 to 2025 charging as little as €10 per attack. In March 2026, authorities disrupted four major botnet networks used as attack infrastructure: Aisuru, KimWolf, JackSkid, and Mossad. The April 2026 phase builds on all of this. All policy and government cybersecurity coverage
is tracked on The CyberSignal, and our NoName057(16) article covers the gamification of DDoS attacks by pro-Russian groups
operating in the same ecosystem.
What to do now
Organizations that have experienced DDoS attacks should report them to their national cybercrime authority and to Europol's reporting portal. If you operate any service that may have been targeted by a booter platform, submit indicators to Operation PowerOFF's dedicated tracking site. Network defenders should review BGP and traffic data for the March 2026 disruption of Aisuru, KimWolf, JackSkid, and Mossad botnets — traffic that was routed through these networks may indicate compromised endpoints still in your environment. Understand the most common cybersecurity threats facing organizations in 2026 to place the DDoS-for-hire ecosystem in broader context.
The CyberSignal Analysis
Signal 01 — Infrastructure seizure alone is not a strategy
Every previous phase of Operation PowerOFF seized infrastructure. Domains came back. Platforms rebranded. New operators emerged. The April 2026 shift to targeting customers is an acknowledgment — implicit but clear — that infrastructure-focused enforcement has a ceiling. The demand side is structurally harder to disrupt than the supply side, but it is where the economic foundation of the DDoS-for-hire industry lives. Without a paying user base, running a commercial booter service is not economically viable.
Signal 02 — 3 million accounts is a compounding enforcement asset
The 75,000 warning letters sent in April 2026 are drawn from a pool of 3 million criminal user accounts on seized servers. Law enforcement is not moving through that list at random — they are prioritizing high-value targets, repeat offenders, and users associated with the most damaging attacks. Every subsequent phase of PowerOFF will draw on the same database. The 3 million accounts are not a one-time intelligence windfall. They are a persistent enforcement asset that will drive actions for years.
Signal 03 — DDoS-for-hire is now formally a criminal career entry point
The explicit framing of DDoS-for-hire as "entry-level cybercrime" by the NCA reflects a broader law enforcement consensus: booter services function as criminal onboarding infrastructure. Disrupting the user base at the earliest stage — before escalation to ransomware, fraud, or state-sponsored activity — is more efficient than disrupting those downstream activities individually. Operation PowerOFF's prevention phase is targeting the pipeline, not just the current output.
