The DDoS-for-Hire Paradox: Why Police Crackdowns Aren’t A Quick Fix
By the close of 2023, it had become evident that the largest coordinated crackdown to date on DDoS-for-Hire services produced a paradoxical outcome. Researchers, presenting their findings at USENIX Security 2025, traced the market’s trajectory following two major enforcement waves — one in December 2022 and another in May 2023. Roughly sixty domains were seized, while authorities supplemented takedowns with decoy platforms and targeted information campaigns within underground communities to dissuade potential clients.
For years, such sites had offered convenient access to DDoS attacks for modest fees, thinly veiled as “stress testing” services. Earlier cleanup efforts, including those in 2018, had quickly fizzled out. This time, however, the strategy extended beyond seizures: law enforcement deliberately worked to undermine trust within the ecosystem, deploying explanatory pages and launching fake “new” services that funneled visitors to warnings about the risks involved.
To assess the aftermath, the research team aggregated multiple independent datasets. Notification pages for seized domains logged more than 20 million visits, providing visibility into who was attempting to access them and from where. Traffic data from Similarweb was compiled for both confiscated and “resurrected” domains. Attack telemetry was drawn from four sources — Hopscotch, AmpPot, Netscout monitoring, and self-reported statistics from more than 200 services spanning two years — yielding over 47 million DDoS entries. This was further enriched with thousands of forum posts and Telegram discussions between operators and customers about the takedowns.
The market’s reaction was swift but uneasy. After the December wave, more than half of the sites resurfaced, with a median resurrection time of roughly 20 hours. Following the May wave, all services reappeared, averaging about 40 hours to recover. Yet, the familiar interfaces failed to regain their user base: traffic collapsed by 80–90% in both visits and unique users, dwindling to negligible levels by September 2023.
Geographic data showed that most visitors to the takedown notices came from the United States, followed by China, Germany, the UK, and Russia, with smaller shares from France, the Netherlands, Turkey, Poland, and Singapore. Access was overwhelmingly via desktop PCs, consistent with the gaming-centric use case. Strikingly, the proportion of traffic routed through proxies, VPNs, or Tor was minimal, underscoring that the core audience consisted largely of young, inexperienced users. Meanwhile, larger platforms quietly resold capacity through API integrations to second-tier operators, some of whom continued making API calls for months without realizing the services had been seized.
The law enforcement honeypots, disguised as genuine services, initially attracted audiences comparable to the “revived” domains, though interest waned within days. Still, their very presence eroded confidence: when buyers cannot be sure whether a new platform is controlled by authorities, the barrier to entry rises.
Attack telemetry reflected the disruption. The December wave coincided with a 20–40% global decline in attack volumes, particularly in UDP-based scenarios, which are often tied to leased capacity. Yet within six weeks, activity had rebounded — in some cases surpassing prior levels, echoing the post-2018 pattern. The May crackdown left little discernible mark on the metrics. Data from two of the largest services revealed that they endured both enforcement waves with no dramatic loss of share. The recovery did not hinge on one or two dominant players but rather on a diffuse resurgence of smaller operators.
Community discussions fleshed out the dynamics: some debated the role of the FBI and the UK’s NCA, others stubbornly attempted to rebuild infrastructure, and still others shut down projects, sold off source code, or sought freelance work. Notably, fear of being caught surfaced — a rare sentiment in a niche long characterized by its perceived low risk.
The central conclusion is that surgical operations yield tangible but fleeting effects. They disrupt attack flows, shatter habitual audience pathways, and force operators into costly cycles of rebuilding. This is especially valuable during peak periods such as the holiday season or school breaks. Yet the market remains elastic: domains reappear within hours, traffic rebounds within weeks. The goal, therefore, is not to achieve a one-time victory, but to sustain instability. If services once marketed as casual gamer tools are pushed toward the domain of more determined adversaries, that alone represents meaningful progress.