In the world of cybersecurity, there is perhaps no greater irony than the “protection racket”—a scenario where the very firm hired to shield a network from attack is the one orchestrating the siege. For several years, internet service providers (ISPs) across Brazil have been the targets of massive, coordinated distributed denial-of-service (DDoS) attacks. The source of these digital onslaughts remained a mystery until a leaked archive of files pointed to an unlikely culprit: Huge Networks, a firm specializing in DDoS mitigation.
The revelation, first detailed by KrebsOnSecurity, suggests that the infrastructure of the security firm was used to enable a powerful botnet. The evidence is stark: an exposed online directory containing Portuguese-language Python scripts designed for malicious activity, alongside the private SSH authentication keys belonging to Huge Networks’ CEO, Erick Nascimento. For a former software engineer, these keys are the “skeleton keys” of the digital world; their presence in an attack archive is a devastating piece of forensic evidence.
Founded in Miami in 2014 but primarily operating within Brazil, Huge Networks evolved from protecting gaming servers to offering high-level DDoS protection for ISPs. On the surface, the company maintained a clean record, devoid of public abuse complaints. However, the leaked data paints a picture of a sophisticated operation that scanned the internet for vulnerable hardware to build a private army of compromised devices, which were then turned against other Brazilian network operators.
The Anatomy of a Digital Siege
The attacks weren’t just brute-force floods of data; they utilized a sophisticated technique known as DNS reflection and amplification. To understand this, one must look at the Domain Name System (DNS), the internet’s phonebook that translates human-readable domain names into IP addresses. Under normal circumstances, a DNS server provides a brief answer to a specific query. However, when servers are misconfigured to answer anyone who asks, they can be tricked into “reflecting” a request.
An attacker sends a spoofed request to a DNS server, making it appear as though the request came from the victim’s IP address. The server then sends the response to the victim. By using specific protocol extensions, attackers can craft a tiny request that triggers a massive response—sometimes 60 to 70 times the original size. When tens of thousands of compromised devices do this simultaneously, the resulting tidal wave of data can crash even the most robust ISP infrastructure.
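The reflection pattern described above leaves a distinctive trace on the victim’s side: large UDP responses from source port 53, arriving from many resolvers the victim never queried. The following detection script is an added example and not code from the article or from any party it names; the flow-record format, the sample records and the assumed 64-byte query size used to estimate the amplification factor are all constructed here.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed flow records (not real traffic): four resolvers send large
# UDP/53 responses to 203.0.113.5, which never queried them. 203.0.113.9
# performs a normal query/response exchange with 192.0.2.53 for contrast.
SAMPLE_FLOWS = """src_ip,dst_ip,proto,src_port,dst_port,bytes,packets
198.51.100.10,203.0.113.5,17,53,4444,3072,1
198.51.100.11,203.0.113.5,17,53,4444,3100,1
198.51.100.12,203.0.113.5,17,53,4444,2950,1
198.51.100.13,203.0.113.5,17,53,4444,3198,1
203.0.113.9,192.0.2.53,17,51000,53,64,1
192.0.2.53,203.0.113.9,17,53,51000,140,1
"""

# Assumed size of the small spoofed query (hypothetical; real values vary).
ASSUMED_QUERY_BYTES = 64


def parse_flows(text):
    """Parse the hypothetical CSV flow format into dicts with int fields."""
    ints = ("proto", "src_port", "dst_port", "bytes", "packets")
    return [dict(r, **{k: int(r[k]) for k in ints})
            for r in csv.DictReader(StringIO(text))]


def find_reflection_victims(flows, min_reflectors=3, min_resp_bytes=1000):
    """Return {victim_ip: details} for hosts that receive large DNS responses
    from at least min_reflectors resolvers they never sent a query to."""
    queried = set()                 # (client, resolver) pairs with a real query
    responses = defaultdict(list)   # dst_ip -> inbound flows from src port 53
    for f in flows:
        if f["proto"] != 17:        # UDP only
            continue
        if f["dst_port"] == 53:
            queried.add((f["src_ip"], f["dst_ip"]))
        elif f["src_port"] == 53:
            responses[f["dst_ip"]].append(f)

    victims = {}
    for dst, inbound in responses.items():
        unsolicited = [f for f in inbound if (dst, f["src_ip"]) not in queried]
        if not unsolicited:
            continue
        avg = sum(f["bytes"] for f in unsolicited) / sum(f["packets"] for f in unsolicited)
        reflectors = {f["src_ip"] for f in unsolicited}
        if len(reflectors) >= min_reflectors and avg >= min_resp_bytes:
            victims[dst] = {"reflectors": len(reflectors),
                            "avg_response_bytes": round(avg),
                            "est_amplification": round(avg / ASSUMED_QUERY_BYTES)}
    return victims
```

Run against real NetFlow or IPFIX exports, the thresholds and the field mapping would need adjusting to the exporter’s schema.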
The botnet powering these attacks specifically targeted the TP-Link Archer AX21 router. The attackers exploited CVE-2023-1389, an unauthenticated command injection vulnerability. Although TP-Link released a patch in April 2023, the botnet scoured the web for devices where users had neglected to update their firmware, effectively turning household routers into weapons.
| Technical Element | Detail |
|---|---|
| Primary Target | TP-Link Archer AX21 Routers |
| Exploited Vulnerability | CVE-2023-1389 (Command Injection) |
| Attack Vector | DNS Reflection and Amplification |
| Malware Base | Mirai Variant |
| Geographic Focus | Brazilian IP Address Ranges |
A Security Breach or a Business Strategy?
When confronted with the evidence, CEO Erick Nascimento denied any intentional involvement in the attacks. He claims the malicious activity was the result of a security breach, specifically citing a digital intrusion that he asserts occurred in January 2026 (a date that raises questions about the timeline of the reported events), which compromised two development servers and his personal SSH keys.
Nascimento describes the incident as a “pivot point” where an attacker gained access via a bastion server—a gateway used by multiple employees—and eventually reached a legacy “droplet” (a virtual private server) on Digital Ocean. He maintains that the compromised server was deprecated and not a formal part of the Huge Networks infrastructure.
However, the pattern described here is hauntingly familiar to cybersecurity historians. The botnet in question is based on Mirai, a notorious malware strain that first made headlines in 2016. In a mirror image of the current allegations, the original authors of Mirai were found to be co-owners of a DDoS mitigation firm. They weren’t just stopping attacks; they were creating the demand for their services by attacking gaming servers to scare potential clients into buying protection.
Nascimento flatly denies this “protection racket” model, arguing that Huge Networks’ sales are driven by inbound leads and partners rather than “active prospecting based on market incidents.” He further contends that the targets of the attacks were small regional providers who were not even in the company’s commercial pipeline.
The “Blockchain” Defense and the Competitor Theory
In a final, dramatic turn, Nascimento claims he possesses “strong evidence stored on the blockchain” proving that a competitor framed him. While he refused to name the competitor to maintain a “surprise factor” ahead of an upcoming industry event, the claim adds a layer of corporate espionage to an already complex story.
From a technical perspective, claiming evidence is “on the blockchain” is often used as a way to assert that a piece of data is timestamped and immutable, but it does not inherently prove the content of that data is true. Until this evidence is produced and verified by an independent third party, it remains a speculative defense against the hard evidence of the Python scripts and SSH keys.
The impact of these attacks extends beyond mere downtime. For small regional ISPs in Brazil, a massive DDoS attack can lead to significant revenue loss, customer churn, and hardware degradation. When the entity purportedly fighting these threats is implicated in their creation, it erodes trust across the entire regional cybersecurity ecosystem.
Huge Networks has reportedly engaged a third-party network forensics firm to conduct a deeper investigation into the breach and the subsequent use of the company’s infrastructure. The findings of this audit will likely be the deciding factor in whether this was a case of catastrophic security negligence or a calculated corporate crime.
The next critical checkpoint will be the release of the third-party forensics report, which is expected to clarify the timeline of the SSH key compromise and determine if the “blockchain evidence” cited by Nascimento holds any technical weight.
Do you think the “protection racket” model is becoming more common in the cybersecurity industry? Share your thoughts in the comments below or share this story with your network.
