“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” Erick Nascimento told KrebsOnSecurity. That statement, KrebsOnSecurity reports, sits alongside evidence in an exposed file archive that ties those very attacks to infrastructure and credentials belonging to his own company.
Erick Nascimento and Huge Networks’ account of a January 2026 intrusion
Huge Networks, founded in Miami, Fla. in 2014 and now centered on operations in Brazil, is an ISP-focused DDoS mitigation provider. Its CEO, Erick Nascimento, told KrebsOnSecurity he did not write the attack programs and that he first learned the full extent of the DDoS campaigns only after being contacted by the reporter. He said an intrusion detected in January 2026 compromised two of the company’s development servers and his personal SSH keys, and that Digital Ocean flagged a legacy personal droplet on January 11.
Nascimento said the company “wiped the boxes, and rotated keys,” engaged a third‑party network forensics firm, and that there is no evidence the stolen keys were used after January. He flatly denied that Huge Networks ran DDoS attacks against Brazilian operators to sell protection, and told KrebsOnSecurity he has “strong evidence stored on the blockchain” that a competitor carried out the malicious activity — though he would not name that competitor.
What the exposed archive shows
A trusted, anonymous source shared an open-directory file archive with KrebsOnSecurity. The archive contained Portuguese‑language Python attack programs, a command-line history, and the private SSH authentication keys belonging to Nascimento. The files show a threat actor maintained root access to parts of Huge Networks’ infrastructure and used that access while building a powerful botnet.
The Python scripts reference multiple Internet addresses assigned to Huge Networks that were used to identify targets and to execute DDoS campaigns. The attacker coordinated scanning from a Digital Ocean server that has been flagged for abusive activity hundreds of times in the past year, the archive indicates.
CVE-2023-1389, TP-Link Archer AX21 devices, and Mirai code
The command history in the archive documents routine mass-scanning for TP‑Link Archer AX21 routers vulnerable to CVE-2023-1389, an unauthenticated command injection flaw that was patched in April 2023. The malware that powered the botnet is based on Mirai, the IoT malware family noted repeatedly in the archive and behind several of the high-profile botnets KrebsOnSecurity has covered.
Malicious domains embedded in the scripts included hikylover[.]st and c.loyaltyservices[.]lol, both of which have been flagged in the past year as control servers for an IoT botnet running a Mirai variant. The archive traces active use of those control points alongside the TP‑Link exploitation code.
DNS amplification, Brazilian-only targets, and attack pattern
The files show the attacker mass-scanned the Internet for insecure routers and unmanaged DNS servers that could be abused for DNS reflection amplification. The attack scripts were intentionally constrained to Brazilian IP address ranges; each selected IP prefix was attacked for 10–60 seconds with four parallel processes per host before the botnet moved on to the next target.
The mechanism is DNS reflection amplification: the botnet sends DNS queries whose source address is forged to be the victim's, so each open resolver or unmanaged DNS server returns its response, typically many times larger than the query, to the chosen Brazilian network operator rather than to the sender. Spread across many resolvers, a modest amount of attack bandwidth becomes a flood at the target. KrebsOnSecurity reports the targets were small regional providers, and that Huge Networks’ IP addresses appeared in scripts used to identify and execute the campaigns.
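The two halves of the attack pattern above, as an added example (this is not code from the article, from the exposed archive, or from Huge Networks): first, why reflection amplifies, measured on a constructed DNS ANY query and a constructed resolver response; second, what the flood looks like at the victim ISP in constructed NetFlow-style records, where the tell is DNS responses arriving from many resolvers the host never queried. Addresses are RFC 5737 documentation ranges and the flow records are made up.

```python
# Added example, not the article's or Huge Networks' code. Constructed data only.
import struct
from collections import defaultdict


def build_dns_query(name, qtype=255, txid=0x1234):
    """Minimal RFC 1035 query: 12-byte header + QNAME + QTYPE + QCLASS.
    qtype 255 (ANY) historically produced the largest responses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_synthetic_response(query, n_records, rdata_len):
    """Construct the kind of reply a resolver sends: question echoed, QR bit set,
    n_records TXT answers of rdata_len bytes, owner name compressed to a pointer
    at offset 12 (0xC00C, the start of QNAME). rdata_len must be <= 256."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x8000, qd, n_records, 0, 0)
    rdata = bytes([rdata_len - 1]) + b"A" * (rdata_len - 1)  # one TXT <character-string>
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, rdata_len) + rdata
    return header + query[12:] + rr * n_records


def amplification_factor(query, response):
    """Bytes delivered to the forged source address per byte the attacker sent."""
    return len(response) / len(query)


def find_reflection_victims(flows, min_resolvers=3):
    """Flag hosts receiving DNS responses (src port 53) from many distinct
    resolvers they never queried. Flow tuple: (src, sport, dst, dport, bytes).
    At the victim's ISP this is the signature of reflection: replies to queries
    the victim did not make, because the attacker forged its address."""
    replies, reply_bytes, queried = defaultdict(set), defaultdict(int), defaultdict(set)
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:
            queried[src].add(dst)
        elif sport == 53:
            replies[dst].add(src)
            reply_bytes[dst] += nbytes
    victims = {}
    for host, resolvers in replies.items():
        unsolicited = resolvers - queried[host]
        if len(unsolicited) >= min_resolvers:
            victims[host] = {"resolvers": len(unsolicited), "bytes": reply_bytes[host]}
    return victims


# Constructed flow records: 203.0.113.10 is a normal client (one query, one
# reply); 198.51.100.7 never sent a query yet receives replies from four resolvers.
FLOWS = [
    ("203.0.113.10", 40001, "192.0.2.1", 53, 60),
    ("192.0.2.1", 53, "203.0.113.10", 40001, 120),
    ("192.0.2.1", 53, "198.51.100.7", 33000, 3200),
    ("192.0.2.2", 53, "198.51.100.7", 33000, 3100),
    ("192.0.2.3", 53, "198.51.100.7", 33000, 3300),
    ("192.0.2.4", 53, "198.51.100.7", 33000, 2900),
]

if __name__ == "__main__":
    q = build_dns_query("example.com")
    r = build_synthetic_response(q, n_records=10, rdata_len=255)
    print(f"query {len(q)} B -> response {len(r)} B, factor {amplification_factor(q, r):.1f}x")
    print(find_reflection_victims(FLOWS))
```

The detector is a heuristic for sampled flow data: asymmetric routing or sampling can hide the victim's legitimate queries, so tune `min_resolvers` and pair the result with byte-rate thresholds before acting on it. The amplification figure is the resolver-side ratio only; on the wire the attacker also pays for the IP and UDP headers, which the query length here omits.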
What this means for Brazilian ISPs, security teams, and rival providers
- Brazilian ISPs: Small regional providers were the stated targets of the campaigns; Huge Networks had reported “very very large DDoS attacks” against such ISPs to Tier 1 upstreams, and those operators remain the immediate victims of the reflected and amplified traffic documented in the archive.
- Security and incident‑response teams: The archive demonstrates the operational risk posed by leaked private SSH keys and legacy, internet‑reachable droplets. Nascimento says the company wiped compromised boxes, rotated keys, and hired external forensics, steps other operators will likely mirror when keys or development hosts are exposed.
- Competitors and legal actors: Nascimento alleges a competitor orchestrated the activity to harm Huge Networks’ reputation and says he holds “strong evidence stored on the blockchain,” but he declined to identify the rival. Whether the forensics engagement will substantiate that claim remains to be seen.
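Two checks behind the "rotated keys" and "no evidence the stolen keys were used after January" statements in the security-teams item above, as an added example (not code from the article, from Huge Networks, or from its forensics firm): compute the OpenSSH SHA256 fingerprint of a revoked public key, find any authorized_keys entries that still carry it, and list accepted-publickey logins with that fingerprint after a cutoff date. The key material, the authorized_keys lines and the sshd log lines are all constructed here; the key blob is a format-only placeholder, not a real curve point, and the hostnames and dates are assumptions.

```python
# Added example, not the article's or Huge Networks' code. Constructed data only.
import base64
import hashlib
import re
import struct
from datetime import datetime


def ssh_fingerprint(pubkey_line):
    """OpenSSH-style 'SHA256:<base64, no padding>' fingerprint of an
    authorized_keys or .pub line (options prefix tolerated)."""
    fields = pubkey_line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    raise ValueError("no key type field found")


def entries_still_authorizing(authorized_keys_lines, fingerprint):
    """1-based line numbers in an authorized_keys file that still carry the revoked key."""
    return [n for n, line in enumerate(authorized_keys_lines, 1)
            if line.strip() and not line.startswith("#") and ssh_fingerprint(line) == fingerprint]


# sshd's accepted-publickey line (syslog timestamps carry no year, so one is supplied).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")


def logins_with_key(log_lines, fingerprint, year, after_iso):
    """(timestamp, host, user, source ip) for logins with `fingerprint` at or after the cutoff."""
    cutoff = datetime.fromisoformat(after_iso)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["fp"] != fingerprint:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts >= cutoff:
            hits.append((ts, m["host"], m["user"], m["ip"]))
    return hits


def _ssh_string(b):
    return struct.pack("!I", len(b)) + b


def _fake_ed25519_pub(point, comment):
    # Placeholder 32-byte "point": correct wire format, not a usable key.
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


REVOKED_PUB = _fake_ed25519_pub(bytes(range(32)), "erick@legacy-droplet")
REPLACEMENT_PUB = _fake_ed25519_pub(bytes(range(32, 64)), "deploy@dev2-2026")
REVOKED_FP = ssh_fingerprint(REVOKED_PUB)

# Constructed authorized_keys: a forgotten, option-restricted copy of the old key survives rotation.
AUTHORIZED_KEYS = [
    "# deploy keys",
    REPLACEMENT_PUB,
    'from="10.0.0.0/8" ' + REVOKED_PUB,
]
# Constructed sshd log lines (hosts, dates and addresses are assumptions).
AUTH_LOG = [
    f"Jan  9 02:11:07 dev1 sshd[2931]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2: ED25519 {REVOKED_FP}",
    f"Jan 14 03:22:41 dev2 sshd[4410]: Accepted publickey for root from 198.51.100.23 port 40022 ssh2: ED25519 {REVOKED_FP}",
    f"Feb  2 11:05:19 dev2 sshd[6120]: Accepted publickey for deploy from 192.0.2.9 port 50011 ssh2: ED25519 {ssh_fingerprint(REPLACEMENT_PUB)}",
]

if __name__ == "__main__":
    print("revoked key fingerprint:", REVOKED_FP)
    print("authorized_keys lines still trusting it:", entries_still_authorizing(AUTHORIZED_KEYS, REVOKED_FP))
    print("logins with it after 2026-01-11:", logins_with_key(AUTH_LOG, REVOKED_FP, 2026, "2026-01-11"))
```

Absence of hits only means the reviewed logs show no use; an attacker with root, as the archive suggests, can edit or truncate auth logs, so the check is only as good as log forwarding to a host the intruder did not control.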
The archive KrebsOnSecurity reviewed ties a Mirai-derived botnet, exploitation of TP‑Link AX21 devices vulnerable to CVE-2023-1389, and DNS amplification to a campaign that hit only Brazilian IP space — and it also links those operations to infrastructure and credentials associated with Huge Networks. The company says it was itself the victim of a compromise in January 2026, has engaged outside investigators, and disputes any suggestion it ran the attacks to generate business. The public record now rests on forensic follow-up: will investigators corroborate the CEO’s account and blockchain claim, or will they attribute the campaigns to actors who wielded stolen access to make the attacks appear to originate from a defender?
https://krebsonsecurity.com/2026/04/anti-ddos-firm-heaped-attacks-on-brazilian-isps/