A Brazilian tech firm specializing in DDoS protection enabled a botnet responsible for massive denial-of-service attacks against other Brazilian network operators. Huge Networks CEO Erick Nascimento attributes the activity to a security breach, suggesting a competitor may have tried to damage his company's image.

Security experts have tracked large DDoS attacks originating from Brazil and targeting local ISPs for several years. Their origin remained unclear until a trusted source shared an archive that had been left exposed in an open online directory. This archive contained malicious Python programs and private SSH authentication keys belonging to Nascimento.

Huge Networks, founded in Miami in 2014, focuses its operations in Brazil, initially protecting game servers and later providing DDoS mitigation for ISPs. The company has no public abuse complaints or links to known DDoS-for-hire services. However, the exposed archive reveals that a Brazil-based threat actor maintained root access to Huge Networks infrastructure. This actor built a powerful DDoS botnet by mass-scanning the internet for insecure routers and unmanaged domain name system (DNS) servers.

DNS reflection attacks exploit misconfigured DNS servers that accept queries from anywhere. Attackers send DNS queries with a spoofed source address belonging to the target's network, so the DNS servers send their replies to the target rather than to the attacker. Botmasters can amplify these attacks by crafting DNS queries that prompt much larger responses, sometimes 60-70 times the size of the request. The effect compounds when tens of thousands of compromised devices simultaneously send spoofed requests to many DNS servers, which all reply to the same victim.
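From the network operator's side, the signature of this traffic is a host receiving DNS replies from many resolvers out of all proportion to the queries it actually sent, because the spoofed queries left the botnet, not the victim. The following is an added detection example, not code from the article or from any party it describes; it parses constructed flow records in an assumed "src:port -> dst:port udp bytes=n" format (hypothetical, not a real collector's output) and flags likely reflection victims.

```python
import re
from collections import defaultdict

# Constructed flow records: "<src>:<sport> -> <dst>:<dport> udp bytes=<n>"
SAMPLE_FLOWS = """\
203.0.113.10:41234 -> 198.51.100.53:53 udp bytes=60
198.51.100.53:53 -> 203.0.113.10:41234 udp bytes=120
203.0.113.50:9999 -> 198.51.100.53:53 udp bytes=60
198.51.100.53:53 -> 203.0.113.50:80 udp bytes=3900
198.51.100.77:53 -> 203.0.113.50:80 udp bytes=3900
192.0.2.8:53 -> 203.0.113.50:80 udp bytes=3900
192.0.2.9:53 -> 203.0.113.50:80 udp bytes=3900
"""

FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"udp bytes=(?P<bytes>\d+)$"
)

def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield {"src": d["src"], "dst": d["dst"], "sport": int(d["sport"]),
                   "dport": int(d["dport"]), "bytes": int(d["bytes"])}

def dns_reflection_report(flows, min_resolvers=3, min_ratio=10.0):
    """Flag hosts whose inbound DNS reply bytes dwarf the query bytes they sent.
    A reflection victim gets answers from resolvers it never queried (the spoofed
    queries left the botnet), so the ratio is huge or infinite; normal clients
    stay near 1-3x and talk to few resolvers."""
    replies = defaultdict(lambda: {"bytes": 0, "resolvers": set()})
    query_bytes = defaultdict(int)
    for f in flows:
        if f["sport"] == 53:        # reply from a DNS server
            replies[f["dst"]]["bytes"] += f["bytes"]
            replies[f["dst"]]["resolvers"].add(f["src"])
        elif f["dport"] == 53:      # query sent to a DNS server
            query_bytes[f["src"]] += f["bytes"]
    report = {}
    for host, r in replies.items():
        sent = query_bytes.get(host, 0)
        ratio = r["bytes"] / sent if sent else float("inf")
        if len(r["resolvers"]) >= min_resolvers and ratio >= min_ratio:
            report[host] = {"resolvers": len(r["resolvers"]), "response_bytes": r["bytes"],
                            "query_bytes": sent, "ratio": ratio}
    return report
```

On the constructed sample, 203.0.113.10 behaves like a normal client (one resolver, 2x ratio) and is left alone, while 203.0.113.50 receives 15,600 bytes of replies from four resolvers against 60 bytes of queries and is flagged.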

The exposed file archive included a command-line history detailing how the attacker built the botnet by searching for TP-Link Archer AX21 routers vulnerable to CVE-2023-1389. This unauthenticated command injection vulnerability was patched in April 2023. Malicious domains in the Python scripts, such as hikylover.st and c.loyaltyservices.lol, have been flagged as control servers for an Internet of Things (IoT) botnet powered by a Mirai malware variant.

The leaked archive shows the botmaster coordinated scanning from a Digital Ocean server, which has been flagged for abusive activity hundreds of times in the past year. The Python scripts invoked multiple internet addresses assigned to Huge Networks to identify targets and execute DDoS campaigns. These attacks were strictly limited to Brazilian IP address ranges. Scripts show each selected IP address prefix was attacked for 10-60 seconds with four parallel processes per host before moving to the next target.

The archive also shows these malicious Python scripts relied on private SSH keys belonging to Nascimento. Nascimento stated he did not write the attack programs and was unaware of the extent of the DDoS campaigns until contacted. "We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs," Nascimento said. "We didn't dig deep enough at the time, and what you sent makes that clear."

Nascimento believes the unauthorized activity is linked to a digital intrusion detected in January 2026. This intrusion compromised two of the company's development servers and his personal SSH keys. He claims there is no evidence those keys were used after January. "We notified the team in writing the same day, wiped the boxes, and rotated keys," Nascimento said, sharing a screenshot of a January 11 notification from Digital Ocean. "All documented internally." Huge Networks has since engaged a third-party network forensics firm to investigate.

"Our working assessment so far is that this all started with a single internal compromise — one pivot point that gave the attacker downstream access to some resources, including a legacy personal droplet of mine," he wrote. "The compromise happened through a bastion/jump server that several people had access to," Nascimento continued. "Digital Ocean flagged the droplet on January 11 — compromised due to a leaked SSH key, in their wording — I was traveling at the time and addressed it on return. That droplet was deprecated and destroyed, and it was never part of Huge Networks infrastructure."