Exclusive: Huge Networks CEO Blames Breach for Botnet That Hammered Brazilian ISPs
SAO PAULO — A Brazilian cybersecurity firm specializing in DDoS protection was itself the source of a massive botnet that has battered internet service providers across Brazil for years, KrebsOnSecurity has learned. The company's chief executive now says the malicious campaign stemmed from a security breach, likely orchestrated by a rival seeking to destroy its reputation.
Security researchers have tracked a series of record-breaking DDoS attacks targeting Brazilian ISPs since 2020, but the perpetrators remained unknown until this month. A confidential source shared an archive exposed in an open directory that contained Portuguese-language Python malware and the private SSH keys of the Huge Networks CEO.
“The attack infrastructure was compromised by an intruder who used it to build a botnet,” the Huge Networks CEO told KrebsOnSecurity in an exclusive interview. “We believe a competitor is behind this to damage our brand and steal clients.”
Background: A DDoS Shield Turned Weapon
Founded in Miami in 2014, Huge Networks shifted its focus to protecting Brazilian game servers and ISPs from DDoS attacks. The company had no prior public abuse complaints or known ties to DDoS-for-hire services.

Yet the exposed archive shows a threat actor maintained root access to Huge Networks infrastructure for an extended period. The actor routinely scanned the internet for insecure routers and misconfigured DNS servers to recruit into a powerful botnet.
How the DNS Reflection Attacks Worked
Attackers exploited open DNS resolvers to launch reflection attacks. By sending spoofed queries that appeared to come from the target, they tricked DNS servers into sending massive responses to the victim.
- An attacker crafts a 100-byte DNS query.
- The open resolver replies with a 6,000- to 7,000-byte response — a 60-70x amplification.
- With tens of thousands of compromised devices, the cumulative traffic can overwhelm even large ISPs.
The botnet combined compromised home routers and open DNS servers, making takedowns difficult. Security researchers have long noted the prevalence of such attacks in Brazil, where many smaller ISPs lack robust mitigation.
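From the target network's side, the reflection pattern described above shows up as DNS responses that nobody asked for. The following is an added example, not code from the article or the exposed archive: it scans flow records for hosts receiving DNS responses that are unsolicited or far larger than the queries they sent. The flow tuples, thresholds and function name are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (illustrative, documentation-range IPs):
# (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("198.51.100.10", 40000, "192.0.2.53", 53, 100),     # normal query
    ("192.0.2.53", 53, "198.51.100.10", 40000, 180),     # its answer
    ("203.0.113.5", 53, "198.51.100.77", 31337, 6500),   # no query sent
    ("203.0.113.6", 53, "198.51.100.77", 31337, 7000),
    ("203.0.113.7", 53, "198.51.100.77", 31337, 6000),
]


def find_reflection_victims(flows, min_bytes=10_000, max_ratio=10.0):
    """Flag hosts receiving DNS responses that are unsolicited or far
    larger than what they asked for. Thresholds are assumed defaults."""
    sent = defaultdict(int)  # (host, resolver) -> query bytes sent
    recv = defaultdict(int)  # (host, resolver) -> response bytes received
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:          # host -> resolver
            sent[(src, dst)] += nbytes
        elif sport == 53:        # resolver -> host
            recv[(dst, src)] += nbytes

    suspects = defaultdict(lambda: {"bytes": 0, "resolvers": set()})
    for (host, resolver), rbytes in recv.items():
        qbytes = sent.get((host, resolver), 0)
        # Spoofed queries never leave the victim, so qbytes is 0 or tiny.
        if qbytes == 0 or rbytes / qbytes > max_ratio:
            suspects[host]["bytes"] += rbytes
            suspects[host]["resolvers"].add(resolver)

    # Ignore small anomalies; reflection floods are volumetric.
    return {h: s for h, s in suspects.items() if s["bytes"] >= min_bytes}


if __name__ == "__main__":
    for host, stats in find_reflection_victims(FLOWS).items():
        print(host, stats["bytes"], "bytes from", len(stats["resolvers"]), "resolvers")
```

In production the same comparison would run over NetFlow/IPFIX or resolver logs, with thresholds tuned to the network's normal DNS traffic.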

What This Means
The revelation that an anti-DDoS firm was hijacked to amplify attacks raises troubling questions about trust in the cybersecurity industry. If a company paid to protect networks can become a threat actor’s tool, every ISP must re-examine its supply chain.
“This is a wake-up call,” said Dr. Carla Mendes, a cybersecurity researcher at the University of São Paulo who reviewed the archive. “It shows that even DDoS mitigation providers are not immune to compromise, and that attackers are willing to co-opt their infrastructure for massive retaliation.”
Huge Networks says it has since rotated all SSH keys, closed the open directory, and is cooperating with Brazilian authorities. But the damage may already be done: the botnet’s source code remains in the wild, and the CEO fears copycat attacks.
ISPs that rely on third-party DDoS protection should demand proof of security audits and incident response plans, experts advise. The case also underscores the need for global action against the proliferation of openly recursive DNS servers that enable reflection attacks.