Cybercrime Market Shifts to Subscription-Based DDoS Services

Cybercriminals have transitioned from selling cheap, one-off DDoS attacks to operating sophisticated subscription-based platforms with tiered pricing and support ^[1].

This shift lowers the barrier for entry for attackers while dramatically increasing the scale of potential damage to global infrastructure. By treating cyberattacks as a service, botnet operators can scale their operations and monetize infected devices more efficiently.

These platforms leverage massive botnets to launch multi-terabit per second attacks. Recent reports indicate a significant increase in scale, with one tracked botnet growing from 1.33 million to 13.5 million infected devices ^[3]. This growth has enabled sustained attacks of two Tbps for 40 minutes, with spikes exceeding one Tbps ^[3]. In another instance, U.S. authorities disrupted the Aisuru botnet, which was responsible for record-breaking attacks reaching 30 Tbps ^[4].

The infrastructure behind these services often involves diverse sets of compromised hardware. An Iran-linked botnet utilized more than 30,000 hacked security cameras and network video recorders ^[2]. Other operations have reached even larger scales, such as a proxy botnet tied to a Russian service that Dutch authorities took down after it reached 17 million devices ^[3].

Operators are increasingly using AI, blockchain-based command systems, and large-scale IoT botnets to maintain these services [1, 5]. This evolution allows them to offer reseller programs and professional support to their clients, mimicking legitimate software-as-a-service business models ^[1]. The targets of these services are global, frequently hitting telecom providers and gaming platforms [2, 4].

Law enforcement continues to target these networks through international cooperation. The recent takedowns in the U.S. and the Netherlands highlight the ongoing effort to disrupt the command-and-control centers that power these subscription models [3, 4].