
Inside the Botnet: How DDoS attacks on Brazilian ISPs Were Fueled by a Supposed Anti‑DDoS Firm

DECRYPTED BY: Kaelen Frost | TIMESTAMP: 2026-05-01 T 02:28:01 Z | [ 2 MIN READ ]

DDoS attacks on Brazilian ISPs: Inside the Botnet

An investigation by KrebsOnSecurity reveals that Huge Networks, a Miami‑founded firm marketed as a DDoS‑mitigation provider, was unwittingly the backbone of a massive botnet that flooded regional Brazilian ISPs with amplified traffic. The breach, traced to a compromised SSH key belonging to CEO Erick Nascimento, allowed a threat actor to harvest TP‑Link Archer AX21 routers vulnerable to CVE‑2023‑1389, along with misconfigured DNS servers for reflection attacks.

Scanning scripts, written in Python, systematically probed the public internet for open routers and DNS resolvers, then launched DNS‑amplification bursts in 10‑minute spikes against targets limited to Brazilian IP blocks. The malicious code referenced the control domains hikylover[.]st and c.loyaltyservices[.]lol, both linked to a Mirai‑derived IoT botnet.

“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” Nascimento told KrebsOnSecurity.

The actor coordinated the campaign from a DigitalOcean droplet repeatedly flagged for abuse, using the stolen private keys to route commands through Huge Networks’ infrastructure. The CEO maintains the intrusion originated from a single compromised bastion server in January 2026 and alleges a rival firm is framing his company.

Industry analysts note that the exploitation of CVE‑2023‑1389 and DNS reflection continues to pose a systemic risk for Latin American telecoms. For a broader view of the threat, see Reuters Technology and Bloomberg.


Analysis by Kaelen Frost (Lead Cybersecurity Analyst).
