Krebs Investigation: Anti-DDoS Firm Huge Networks Found Enabling Botnet That Attacked Brazilian ISPs

Krebs on Security reveals Huge Networks — a Brazilian DDoS protection firm — was enabling a Mirai-based botnet attacking other Brazilian ISPs, with the CEO's own SSH keys found in the malicious attack archive.

BRAZIL — A trusted source shared a curious file archive exposed in an open directory online with KrebsOnSecurity earlier this month. The archive contained several Portuguese-language malicious programs written in Python — and the private SSH authentication keys belonging to Erick Nascimento, CEO of Huge Networks, a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators. The discovery revealed that a threat actor had maintained root access to Huge Networks' infrastructure and built a powerful DDoS botnet by mass-scanning the internet for insecure routers and unmanaged DNS servers — then using that botnet to launch sustained attacks against the very Brazilian ISPs that Huge Networks was supposed to protect.

Incident profile

Incident Intelligence: Huge Networks / Brazilian ISP DDoS Campaign

Subject Firm: Huge Networks — Brazilian ISP and DDoS mitigation provider; founded in Miami in 2014; operations centered in Brazil
Attack Targets: Brazilian ISPs — attacks strictly limited to Brazilian IP address ranges
Botnet Type: Mirai-based — deployed on compromised TP-Link Archer AX21 routers and unmanaged DNS servers
Attack Duration Per Target: 10–60 seconds per IP prefix, four parallel processes per host, cycling continuously
Breach Discovery: January 2026 — Nascimento confirms the intrusion compromised two development servers and his personal SSH keys
CEO Statement: Nascimento denies writing the attack programs; says the malicious activity is likely the work of a competitor
Activity Timeline: ISPs suffering attacks since December 2024 and throughout 2025; Huge Networks infrastructure confirmed compromised in January 2026

The discovery: an open directory and stolen SSH keys

The exposed archive contained Python scripts written in Portuguese that selected IP address prefixes and attacked each for 10–60 seconds using four parallel processes before moving to the next target. Every script referenced private SSH keys belonging to Nascimento personally — not a generic service account but the CEO's own authentication credentials. The botnet infrastructure was built by routinely mass-scanning the internet for insecure routers and unmanaged DNS servers that could be enlisted as attack nodes. The malicious software powering the botnet is based on Mirai — the malware strain that made its debut in 2016 when it was used by the co-owners of a DDoS mitigation firm to attack gaming servers and scare up new clients. Krebs noted the pattern: in 2017, he identified Mirai's authors as co-owners of a DDoS mitigation company running the same playbook.

Nascimento's response and the attribution question

Nascimento told KrebsOnSecurity he did not write the attack programs and was unaware of the extent of the campaigns until contacted by Krebs. He acknowledges the January 2026 intrusion that compromised two development servers and his SSH keys — and says he has "strong evidence stored on the blockchain" that a competitor is responsible for framing him. He flatly denied being involved in DDoS attacks against Brazilian operators to generate new clients. The attribution question remains open: whether Nascimento's infrastructure was weaponized by an external threat actor using his stolen SSH keys, or whether the activity reflects insider knowledge, is not definitively resolved by the Krebs investigation. What is resolved: Huge Networks' infrastructure was used to attack Brazilian ISPs for an extended period, and the CEO's own SSH keys were used to operate the attack scripts. For broader context, the most common cybersecurity threats in 2026 and all cyber attack coverage are tracked on The CyberSignal.

What to do now

Brazilian ISPs and network operators should immediately audit upstream DDoS mitigation vendor relationships — including reviewing whether vendors have access to infrastructure that could be weaponized against them. Check firewall and traffic logs for anomalous traffic bursts in 10–60 second intervals originating from Brazilian IP ranges. If you operate TP-Link Archer AX21 routers, apply the latest firmware update immediately — Mirai variants specifically target this device model. Any organization contracting DDoS mitigation services should require vendors to demonstrate their own network security posture, including evidence of access controls on development infrastructure.
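One way to turn the log-review advice above into a concrete check, as an added example that is not from the Krebs article or from Huge Networks: it parses constructed per-second flow lines, finds destination /24 prefixes flooded for 10–60 s (the per-prefix dwell time described above), and flags runs of such bursts that rotate from one prefix to the next. The packet-rate threshold, the hop gap and the line format are assumptions to be tuned to your own flow exporter.

```python
from collections import defaultdict
from ipaddress import ip_network

BURST_MIN_S, BURST_MAX_S = 10, 60   # per-prefix dwell time the article describes
PPS_THRESHOLD, HOP_GAP_S = 5000, 5  # assumed: "flooded" pps, max pause between hops

# Constructed flow lines '<epoch second> <dst ip> <packets>' (documentation prefixes,
# not real targets): 20 s flood on 203.0.113.0/24, 15 s on 198.51.100.0/24, a 3 s
# spike on 192.0.2.0/24 that should not match, and a quiet background host.
SAMPLE_FLOWS = (
    [f"{s} 203.0.113.40 8000" for s in range(1000, 1020)]
    + [f"{s} 198.51.100.7 9000" for s in range(1022, 1037)]
    + [f"{s} 192.0.2.9 12000" for s in range(1050, 1053)]
    + [f"{s} 192.0.2.200 40" for s in range(1000, 1060)]
)

def parse_flows(lines):
    """Aggregate per-second packet counts by destination /24."""
    load = defaultdict(lambda: defaultdict(int))
    for line in lines:
        sec, dst, pkts = line.split()
        load[str(ip_network(f"{dst}/24", strict=False))][int(sec)] += int(pkts)
    return load

def find_bursts(load):
    """Sorted (start, end, prefix) runs of consecutive flooded seconds lasting 10-60 s."""
    bursts = []
    for prefix, per_sec in load.items():
        hot = sorted(s for s, p in per_sec.items() if p >= PPS_THRESHOLD)
        i = 0
        while i < len(hot):
            j = i
            while j + 1 < len(hot) and hot[j + 1] == hot[j] + 1:
                j += 1
            if BURST_MIN_S <= hot[j] - hot[i] + 1 <= BURST_MAX_S:
                bursts.append((hot[i], hot[j], prefix))
            i = j + 1
    return sorted(bursts)

def prefix_hopping(bursts):
    """Chains of 2+ bursts that each move to a new prefix within HOP_GAP_S of the last."""
    chains, cur = [], []
    for b in bursts + [None]:  # None sentinel flushes the final chain
        if b and cur and b[2] != cur[-1][2] and 0 <= b[0] - cur[-1][1] <= HOP_GAP_S:
            cur.append(b)
            continue
        if len(cur) >= 2:
            chains.append(cur)
        cur = [b]
    return chains
```

Run `prefix_hopping(find_bursts(parse_flows(SAMPLE_FLOWS)))` to see the single rotating chain; the 3 s spike is ignored because it falls outside the 10–60 s window.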


The CyberSignal Analysis

Signal 01 — The DDoS-for-protection racket playbook resurfaces

The pattern Krebs documented in 2017 — DDoS mitigation firms using botnets to attack potential clients and scare them into buying protection — appears to be active again in the Brazilian ISP market. Whether Nascimento is a victim of a competitor running this playbook against him, or whether his own infrastructure was the source, the structural dynamic is identical: a firm with both the motivation and the infrastructure to conduct such attacks is found with attack code in its systems. This is not a new threat. It is a recurring one that the industry has consistently failed to structurally eliminate.

Signal 02 — SSH key exposure is a root-access gift to attackers

The discovery of the CEO's personal SSH keys in the attack archive is the most operationally significant detail in this story. An attacker with the CEO's SSH keys has root access to every system those keys are authorized on — without needing to maintain separate compromise infrastructure. Key management hygiene is consistently underinvested in at ISP scale: keys are generated, shared across systems, and rarely rotated. A single development server breach that yields an executive's SSH private key can provide persistent access across an entire company's infrastructure.

Signal 03 — Mirai-based ISP targeting is a Brazil-specific threat with global implications

The pattern of Mirai-based botnets specifically targeting Brazilian ISPs is not new — Krebs documented in May 2025 a record-setting DDoS attack against his own site tied to a Brazilian operator. Brazil's combination of large consumer router deployments, varied firmware patch rates, and a concentrated ISP market creates a durable attack surface. As Brazilian ISPs become more interconnected with global internet infrastructure, attacks that appear locally scoped have increasingly global traffic implications.


Sources

Primary: Krebs on Security, "Anti-DDoS Firm Heaped Attacks on Brazilian ISPs"
Background: Krebs on Security, "Who Benefited from the Aisuru and Kimwolf Botnets?"
Context: Security Boulevard, "Anti-DDoS Firm Heaped Attacks on Brazilian ISPs"