NEWS "We were framed! It wasn't us." Head of an IT company tries to explain the botnet found on its servers

pinkman

Each new piece of evidence only raises more questions about the management's version of events.
A security company from Brazil has found itself at the center of a story that looks especially ironic: a company that sells protection against DDoS attacks has itself been linked to the infrastructure of a botnet that hit local Internet providers. The head of Huge Networks denies involvement in the attacks and claims that the company was framed after a hack, but experts increasingly doubt this account.

According to KrebsOnSecurity, for several years experts tracked large DDoS attacks that originated in Brazil and were directed only against Brazilian telecom operators. New details emerged after an anonymous source handed over an archive found in an online directory.

The archive contained malicious Python scripts in Portuguese, command-line history and private SSH keys belonging to Huge Networks CEO Eric Nascimento. Huge Networks was founded in Miami in 2014 but operates mainly in the Brazilian market. The company started out protecting game servers and later began offering DDoS protection to providers.

The contents of the archive show that an attacker with root-level access to Huge Networks' infrastructure assembled a botnet through mass scanning of the Internet. The scripts looked for vulnerable TP-Link Archer AX21 routers on which the CVE-2023-1389 vulnerability remained unpatched. The manufacturer fixed the flaw in April 2023, but some devices apparently never received the fix.

The botnet also used open DNS servers for DNS amplification and reflection attacks. In this scheme, the request is spoofed so that it appears to come from the victim, and the responses from many DNS servers are sent to the victim's address. Because the DNS responses are large, the load on the target rises sharply.

The malicious domains in the scripts had previously been associated with a Mirai-based IoT botnet. Commands were issued through a DigitalOcean server that has appeared in abuse complaints over the past year. The scripts also contained Huge Networks IP addresses, through which targets were selected and attacks were launched. The campaigns hit only Brazilian ranges, and each prefix was attacked for 10 to 60 seconds in several parallel streams.

Eric Nascimento told KrebsOnSecurity that he did not write the malware and did not know the scale of the campaign until the journalists contacted him. According to him, the traces lead back to an incident in January 2026, when two development servers and personal SSH keys were compromised. After a warning from DigitalOcean, the company, according to its head, cleaned the systems and changed its keys.

If Huge Networks was in fact involved in the campaign, the attacks could have been used not only to directly disrupt the operations of competing providers but also to undermine trust in their networks. Such a scenario could also, in theory, increase market interest in DDoS protection services, but the published data do not prove this directly.

Nascimento himself claims the opposite: that a competitor who wanted to damage Huge Networks' reputation could be behind the attack. He did not disclose the name of the alleged competitor, citing plans to use the collected evidence later. Huge Networks has also brought in a third-party company for network forensics.
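
For providers on the receiving end of the DNS reflection traffic described above, here is an added example (not part of the original post or of any code from the archive) that flags hosts receiving DNS responses they never asked for and reports how long each burst lasted. The flow record layout, the thresholds, the function name and the documentation-range addresses are all assumptions made for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (documentation address ranges, not real traffic):
# (unix_ts, proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (1000, "udp", "203.0.113.20", 40000, "192.0.2.53", 53, 70),    # local client asks
    (1000, "udp", "192.0.2.53", 53, "203.0.113.20", 40000, 300),   # solicited answer
    (1050, "udp", "192.0.2.53", 53, "203.0.113.20", 40001, 300),   # one stray answer
]
# Four resolvers answering a host that never asked, in a 20-second burst.
FLOWS += [(1010 + t, "udp", f"198.51.100.{r}", 53, "203.0.113.7", 80, 3000)
          for t in (0, 10, 20) for r in (1, 2, 3, 4)]


def find_reflection_victims(flows, local_net, min_resolvers=3,
                            min_bytes=5000, query_ttl=5):
    """Return {victim_ip: (resolver_count, bytes, burst_seconds)}."""
    net = ip_network(local_net)
    queries = {}  # (client, client_port, resolver) -> time of last query
    stats = defaultdict(lambda: {"res": set(), "bytes": 0, "first": None, "last": None})
    # Stable sort by timestamp only, so a query keeps its place before its answer.
    for ts, proto, src, sport, dst, dport, size in sorted(flows, key=lambda f: f[0]):
        if proto != "udp":
            continue
        if dport == 53 and ip_address(src) in net:
            queries[(src, sport, dst)] = ts          # outbound query from our side
        elif sport == 53 and ip_address(dst) in net:
            asked = queries.get((dst, dport, src))
            if asked is not None and ts - asked <= query_ttl:
                continue                             # matches a recent query
            s = stats[dst]                           # unsolicited DNS response
            s["res"].add(src)
            s["bytes"] += size
            s["first"] = ts if s["first"] is None else s["first"]
            s["last"] = ts
    # Flag only hosts hit by many resolvers with enough volume to matter.
    return {ip: (len(s["res"]), s["bytes"], s["last"] - s["first"])
            for ip, s in stats.items()
            if len(s["res"]) >= min_resolvers and s["bytes"] >= min_bytes}


if __name__ == "__main__":
    print(find_reflection_victims(FLOWS, "203.0.113.0/24"))
```

The single stray answer to 203.0.113.20 stays below both thresholds, so only the host hit by several resolvers at once is reported.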
 