Anti-DDoS Company Linked to Major Attacks on Brazilian ISPs

Cybersecurity firm Huge Networks linked to botnet attacks on Brazilian ISPs, raising questions about breaches, Mirai malware, and industry rivalry.

Apr 30, 2026 - 17:00
May 1, 2026 - 11:05

A Brazilian cybersecurity provider that markets itself as a defender against distributed denial‑of‑service (DDoS) attacks has been tied to a botnet responsible for a long‑running wave of assaults on local Internet service providers. The company’s CEO insists the activity stems from a breach and claims a rival is attempting to sabotage his firm’s reputation.

A Break in a Years‑Long Mystery

For years, researchers have observed unusually large DDoS attacks originating from within Brazil and targeting only Brazilian ISPs. The source remained unclear until a recently discovered open directory exposed a trove of files: Python‑based malware, Portuguese‑language scripts, and private SSH keys belonging to the CEO of Huge Networks, a Brazil‑focused DDoS mitigation company founded in Miami in 2014.

Huge Networks originally specialized in protecting gaming servers before expanding into ISP‑level mitigation. The company has no known ties to DDoS‑for‑hire operations and has not appeared in public abuse reports. But the leaked files suggest someone with root‑level access to its infrastructure was using it to build and operate a large botnet.

How the Botnet Worked

The attacker systematically scanned the Internet for vulnerable TP‑Link Archer AX21 routers still exposed to CVE‑2023‑1389, a command‑injection flaw patched in April 2023. Compromised routers were then used to launch DNS reflection and amplification attacks — a technique that turns misconfigured DNS servers into unwitting amplifiers, multiplying the size of traffic directed at a target.

The scripts also referenced domains previously linked to Mirai‑based IoT botnets, and logs showed the botnet was controlled from a DigitalOcean server repeatedly flagged for abuse. The attacks were highly targeted: each Brazilian IP range was hit for 10–60 seconds before the botnet moved on.
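For an ISP on the receiving end, the traffic shape described above (many resolvers sending large UDP source-port-53 responses into one address range for 10–60 seconds, then moving to the next range) can be searched for in edge flow data. The sketch below is an added example, not code from the leaked archive or from the article; the flow-record layout, the byte and source-count thresholds, and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def build_sample():
    """Constructed flows: (epoch_sec, src_ip, src_port, dst_ip, proto, bytes)."""
    flows = []
    for t in range(100, 130):            # 30 s burst into 203.0.113.0/24
        for r in range(1, 21):           # 20 reflecting resolvers
            flows.append((t, f"192.0.2.{r}", 53, f"203.0.113.{r}", "udp", 3000))
    for t in range(130, 145):            # attack moves on: 15 s into the next range
        for r in range(1, 21):
            flows.append((t, f"192.0.2.{r}", 53, f"198.51.100.{r}", "udp", 3000))
    for t in range(0, 300, 5):           # ordinary small DNS replies
        flows.append((t, "192.0.2.200", 53, "203.0.113.10", "udp", 120))
    return flows

def detect_bursts(flows, min_bytes_per_sec=50_000, min_sources=10,
                  min_len=10, max_len=60, prefix=24):
    """Return (dst_prefix, start_sec, length_sec) for short reflection bursts."""
    # per destination prefix, per second: [bytes, set of source IPs]
    per_sec = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, sport, dst, proto, nbytes in flows:
        if proto != "udp" or sport != 53:    # only DNS responses arriving over UDP
            continue
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        cell = per_sec[net][int(ts)]
        cell[0] += nbytes
        cell[1].add(src)
    alerts = []
    for net, secs in per_sec.items():
        hot = sorted(t for t, (b, s) in secs.items()
                     if b >= min_bytes_per_sec and len(s) >= min_sources)
        start = prev = None
        for t in hot + [None]:               # None flushes the final run
            if start is not None and (t is None or t != prev + 1):
                length = prev - start + 1
                if min_len <= length <= max_len:   # 10-60 s window from the article
                    alerts.append((str(net), start, length))
                start = None
            if t is not None and start is None:
                start = t
            prev = t
    return sorted(alerts, key=lambda a: a[1])

if __name__ == "__main__":
    for net, start, length in detect_bursts(build_sample()):
        print(f"possible DNS reflection burst: {net} start={start}s length={length}s")
```

Correlating consecutive alerts across adjacent prefixes, as the two sample bursts show, is what distinguishes this sweep pattern from a single sustained flood.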

CEO’s Keys, CEO’s Denial

The most striking detail in the archive was the presence of private SSH keys belonging to Huge Networks CEO Erick Nascimento. When contacted, Nascimento said he had no knowledge of the attack scripts and only realized the scale of the DDoS activity after being shown the leaked files.

He said the company suffered a breach in January 2026 that compromised two development servers and his personal SSH keys. According to him, the affected systems were wiped and keys rotated immediately, and there is no evidence the stolen keys were used after that date.

Nascimento believes the incident began with a compromise of a shared jump server and that the attacker gained access to an old personal DigitalOcean droplet not tied to Huge Networks’ production systems. The company has since hired a third‑party forensics team to investigate.

A Familiar Pattern in the DDoS World

The botnet code is based on Mirai, the malware that famously took down KrebsOnSecurity in 2016 and has since powered countless attacks. In multiple past cases, Mirai operators have turned out to be individuals running DDoS mitigation companies — using attacks to generate demand for their own services.

Nascimento, however, strongly denies any involvement in such schemes. He says the targeted ISPs are not Huge Networks customers and not even prospects, something he says can be verified through public routing data.

Pointing to a Competitor

The CEO claims he has “strong evidence stored on the blockchain” that a competitor orchestrated the attacks to damage his company’s reputation. He declined to name the competitor, saying revealing the information now would undermine a planned “surprise” at an upcoming industry event — one the competitor is attending for the first time.

Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. In 2014, he was profiled in The New York Times, Business Week, NPR’s Terry Gross, and by Poynter.org. More recently, he was invited to an “Ask Me Anything” discussion on Reddit about investigative reporting.