In May 2026, federal prosecutors in Alaska unsealed charges against an Oregon man accused of running a DDoS-for-hire botnet called “Rapper Bot” that allegedly powered more than 370,000 attacks against roughly 18,000 victims across more than 80 countries. The operation, built on a swarm of 65,000 to 95,000 hijacked devices, offered paying customers a simple web dashboard: pick a target, click a button, and watch the flood begin.
The case is one of several recent prosecutions pulling back the curtain on a booming underground market where destructive cyberattack capability costs less than a streaming subscription. And as the tools grow cheaper and faster, a new variable is entering the equation: artificial intelligence that can help attackers scale operations, evade defenses, and recruit compromised devices more efficiently than ever before.
A single operator, global damage
According to the U.S. Attorney’s Office in Alaska, the Rapper Bot service facilitated its attacks from April 2025 onward, conscripting tens of thousands of internet-connected devices, including routers, cameras, and other hardware, without their owners’ knowledge. Each device became a node in a fire hose of junk traffic aimed at overwhelming targets’ servers and knocking them offline.
The defendant allegedly ran both the attack infrastructure and the commercial storefront that marketed it. Customers did not need technical skills. They needed a web browser and a payment method.
A separate federal case in California charged two more defendants as part of the same enforcement wave, and courts authorized the seizure of 27 domains tied to DDoS-for-hire platforms. Those sites branded themselves as “stressers” or network-testing tools, but prosecutors say they existed primarily to attack third-party websites and networks without authorization.
All of these actions fall under Operation PowerOFF, a joint FBI-Europol initiative targeting the infrastructure behind paid denial-of-service attacks. The FBI’s Anchorage field office has described the effort as part of a long-running campaign to treat booter services as serious cybercrime, not teenage pranks. Europol has noted that some of these services can be rented for as little as roughly 10 euros, placing genuine destructive power within reach of disgruntled gamers, extortionists, and ideologically motivated actors alike.
The numbers behind the surge
The Rapper Bot case is alarming on its own, but it sits inside a much larger trend. Microsoft reported mitigating 1.25 million DDoS attacks in the second half of 2024 alone, a fourfold increase over the same period the prior year. The company warned that attackers are increasingly chaining multiple short bursts to probe defenses before launching a knockout blow.
Cloudflare documented an even more striking data point in its Q1 2025 DDoS threat report: a single attack that peaked at 5.8 Tbps. To put that in perspective, that volume of traffic is roughly equivalent to streaming more than a million high-definition videos simultaneously, all aimed at a single target. The attack lasted about 45 seconds. By the time a human analyst could have picked up the phone, it was already over.
On the supply side, researchers at Kaspersky have found that botnet access on dark-web forums and Telegram channels starts at around $100, with leaked source code available at even lower prices. The barrier to entry for launching a DDoS campaign has never been lower.
Where AI fits in
The role of artificial intelligence in DDoS attacks is evolving quickly, though it is important to distinguish between what is documented and what is projected.
No court filing in the Rapper Bot case or the 27-domain seizure specifically quantifies AI or machine learning use inside the seized botnets. The automation visible in these operations, such as rapid device scanning, credential brute-forcing, and coordinated attack orchestration across tens of thousands of endpoints, relies on techniques that predate generative AI.
But security researchers are tracking a clear shift. Cloudflare noted in its Q1 2025 report that AI-powered tools are being used to optimize attack patterns and rotate vectors mid-assault, making floods harder to filter. Europol’s 2024 Internet Organised Crime Threat Assessment flagged AI-assisted coding tools as a force multiplier for less-skilled attackers, enabling them to write functional exploit scripts and customize attack payloads without deep programming knowledge.
The practical concern is not that AI has invented a new kind of DDoS attack. It is that AI lowers the skill floor. A novice who once needed weeks of forum lurking and trial-and-error scripting can now use a large language model to generate working code, troubleshoot errors, and even draft convincing marketing copy for a booter storefront. The result is a market that can regenerate faster after law enforcement takedowns because the tools to rebuild are more accessible than ever.
Takedowns work, but the market bounces back
Operation PowerOFF has produced real results. Domain seizures, arrests, and public messaging campaigns have created measurable short-term drops in attack traffic after each wave of enforcement.
But academic research examining the aftermath of global DDoS-for-hire seizures, including a study published on arXiv that analyzed millions of DDoS attack records and web traffic patterns, found that the booter ecosystem tends to reconstitute. Displaced operators migrate to new domains. Customers shift to surviving services or quickly launched clones. The underlying economics have not changed: compromised devices are plentiful, hosting is cheap, and global demand for disruptive firepower remains strong.
Revenue estimates for the booter market reinforce that picture, though they come with caveats. Research published in the journal Deviant Behavior estimated pricing tiers for stresser services, often ranging from a few dollars per day to higher-priced “VIP” plans. But those figures are derived from scraped marketplace listings, not verified transaction records. Some services may be short-lived scams. Others inflate their capabilities to attract buyers. Without access to payment processor logs or large-scale cryptocurrency tracing, analysts can only estimate the market’s true size within broad ranges.
What businesses and individuals should know
For organizations wondering whether they are at risk, the short answer is yes, and the window to respond during an attack is shrinking. When peak floods last 45 seconds or less, manual intervention is not fast enough. Automated DDoS mitigation, whether through a cloud provider, a content delivery network, or a dedicated scrubbing service, is now a baseline requirement rather than a luxury.
Several practical steps can reduce exposure:
- Enable always-on DDoS protection. Services from providers like Cloudflare, Akamai, and AWS Shield can absorb volumetric floods before they reach origin servers.
- Audit internet-facing devices. IoT hardware with default credentials is the raw material botnets are built from. Change default passwords, disable unnecessary remote access, and apply firmware updates.
- Plan for multi-vector attacks. Modern DDoS campaigns often combine volumetric floods with application-layer attacks. Ensure your mitigation strategy covers both.
- Monitor for reconnaissance. Short, probing bursts often precede larger attacks. Unusual traffic spikes that resolve quickly may be an attacker testing your defenses.
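The last item above can be turned into a simple check over per-second traffic counters. The following is an added example, not code from any provider or case named in this article; the function names, thresholds, and sample data are assumptions chosen for illustration. It flags spikes against a rolling median baseline, separates short probe-like bursts from sustained floods, and reports when short bursts repeat.

```python
from collections import deque
from statistics import median

def find_bursts(samples, window=60, factor=5.0, floor=100, max_probe=60):
    """samples: (second, requests_per_second) pairs, one per second.
    Returns (start, end, peak, kind); kind is "probe" for spikes lasting at
    most max_probe seconds, "sustained" for anything longer."""
    baseline = deque(maxlen=window)   # trailing window of normal seconds
    bursts, cur = [], None

    def close():
        kind = "probe" if cur[1] - cur[0] + 1 <= max_probe else "sustained"
        bursts.append((cur[0], cur[1], cur[2], kind))

    for ts, rate in samples:
        warm = len(baseline) >= 10    # need some history before judging
        if warm and rate > max(floor, factor * median(baseline)):
            cur = [ts, ts, rate] if cur is None else [cur[0], ts, max(cur[2], rate)]
            # Spike seconds stay out of the baseline so a probe cannot raise
            # its own threshold; a spike that outlives max_probe is fed in so
            # a genuine level shift is eventually absorbed.
            if ts - cur[0] + 1 > max_probe:
                baseline.append(rate)
            continue
        if cur is not None:
            close()
            cur = None
        baseline.append(rate)
    if cur is not None:
        close()                       # spike still running at end of data
    return bursts

def repeated_probing(bursts, min_count=2, within=600):
    """True if min_count probe bursts start within `within` seconds."""
    starts = sorted(b[0] for b in bursts if b[3] == "probe")
    return any(starts[i + min_count - 1] - starts[i] <= within
               for i in range(len(starts) - min_count + 1))

def constructed_samples():
    """Constructed data: ~200 rps, two short spikes, one 100-second flood."""
    out = []
    for t in range(600):
        rate = 200 + (t % 7) * 5
        if 120 <= t < 128 or 300 <= t < 320:
            rate = 4000
        elif 450 <= t < 550:
            rate = 8000
        out.append((t, rate))
    return out

if __name__ == "__main__":
    found = find_bursts(constructed_samples())
    print(found, repeated_probing(found))
```

For a sustained flood, the recorded end time marks where the baseline absorbed the new level rather than where the traffic stopped, so treat it as a lower bound on duration.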
For individuals, the risk is more indirect but still real. If your home router or smart device is compromised, it may be participating in attacks without any visible sign. Keeping firmware updated and replacing end-of-life hardware that no longer receives security patches are the most effective countermeasures.
A market that adapts faster than enforcement
The verified numbers from the Rapper Bot prosecution and Operation PowerOFF show that law enforcement can identify operators, trace infrastructure, and impose real consequences. The 370,000-attack tally tied to a single defendant underscores how much damage one motivated individual can enable.
But the broader picture is one of resilient criminal infrastructure. The economics of DDoS-for-hire (cheap tools, plentiful vulnerable devices, and steady demand) continue to fuel rapid regeneration after each crackdown. AI is not yet the primary engine of that resilience, but it is lowering the barriers to entry in ways that will make future enforcement even harder.
The challenge for defenders and policymakers is not just prosecuting today’s operators. It is addressing the structural conditions, from millions of insecure IoT devices to the ease of anonymous hosting, that allow the next Rapper Bot to spin up within weeks of the last one being shut down. Until those fundamentals change, the DDoS-for-hire market will keep adapting, and the arms race between attackers and defenders will continue to accelerate.
*This article was researched with the help of AI, with human editors creating the final content.