In early 2025, a single cyberattack slammed into a target with 31.4 terabits per second of junk traffic, enough raw bandwidth to stream roughly six million HD movies simultaneously. Cloudflare, the network security firm that absorbed the blow, called it the largest distributed denial-of-service attack ever recorded. It was not an isolated event. Across 2025, Cloudflare counted 47.1 million DDoS attacks on its network alone, a sharp jump that security researchers attribute in part to a new breed of AI-assisted attack tools now circulating on dark-web marketplaces.
Those tools, known as booter or stresser services, let virtually anyone rent overwhelming firepower for as little as the equivalent of $10 or EUR 10. Buyers pick a target, choose a duration, and click a button. The service handles the rest. Law enforcement agencies in the U.S. and Europe have seized dozens of these platforms and arrested their operators, yet replacements keep surfacing, often within weeks, under fresh domain names and new branding.
A record-breaking year for attacks
The numbers from Cloudflare’s threat reports paint a stark picture. Beyond the 31.4 Tbps record, the company documented a hyper-volumetric HTTP flood that exceeded 20 million requests per second and an 18-day multi-vector campaign so relentless it required fully automated defenses to contain. These were not isolated spikes. The overall trend line shows attacks growing more frequent, faster to ramp up, and harder to absorb with manual intervention.
“What we’re seeing is a fundamental shift in the speed of these campaigns,” said John Graham-Cumming, Cloudflare’s chief technology officer, in the company’s Q4 2025 report. Attacks that once gave defenders minutes to react now peak in seconds, leaving organizations that rely on human-driven response scrambling.
The enforcement crackdown, and its limits
Governments have not been idle. Europol coordinated the shutdown of 27 booter services ahead of the 2024 holiday season as part of Operation PowerOFF, a long-running international framework targeting the commercial infrastructure behind on-demand floods. In a separate action, prosecutors in the Central District of California charged two alleged administrators of booter platforms and obtained court-authorized seizure of 27 domains tied to leading stresser services, according to the U.S. Department of Justice. Those platforms had been used to launch what prosecutors described as millions of attacks.
In a parallel operation, Polish authorities arrested four administrators of a separate DDoS-for-hire network while U.S. agencies seized nine additional domains, per Europol. Defunct brands named in that wave include Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut.
The problem is durability. A longitudinal study published through arXiv found that booter services historically reappear under new domains after takedowns, a pattern researchers sometimes call the “hydra effect.” That study examined earlier generations of services, but the pattern has held through the most recent enforcement waves. As of mid-2026, security analysts tracking dark-web forums report that successor platforms continue to emerge, though precise pricing and feature sets for the newest services remain difficult to verify independently.
Where AI fits into the picture
The role of artificial intelligence in supercharging these attacks is real but still coming into focus. Cloudflare’s Q2 2024 threat report found that generative-AI and autopilot tooling had placed randomized, sophisticated attack capabilities in the hands of ordinary cybercriminals. During that period, ransom-DDoS incidents, where attackers demand payment to stop a flood, reached 16 percent of targeted customers in a single month.
Akamai’s 2025 State of the Internet security report separately tracked AI shifting attack surfaces toward applications and APIs, confirming that the trend extends beyond brute-force volumetric floods into more surgical Layer 7 strikes that mimic legitimate user traffic. Together, these findings suggest automation now influences how attackers select targets, rotate techniques, and adjust payloads mid-assault.
What remains less clear is exactly how AI is embedded inside specific booter panels. Security vendors observe shifts in attack speed, diversity, and persistence consistent with automated tooling, but they rarely have direct visibility into the private dashboards or codebases of booter operators. It is plausible that operators use large language models to generate phishing lures, obfuscate scripts, or optimize attack timing, but those use cases are largely inferred from behavioral patterns rather than confirmed through leaked source code or direct inspection. Claims that individual booter brands now feature built-in “AI attack assistants” should be treated with caution until stronger evidence surfaces.
The botnet supply chain behind the panels
Booter services do not generate attack traffic on their own. They rely on botnets, networks of compromised devices, to supply the raw bandwidth they sell. Nokia’s Deepfield Emergency Response Team has linked the Aisuru and Kimwolf botnet families to active DDoS campaigns, showing how thousands of small device contributions, from routers, cameras, and IoT gadgets, aggregate into overwhelming floods.
Investigative reporting by KrebsOnSecurity detailed how the Kimwolf botnet targets local networks through device infections and noted that Google filed a John Doe lawsuit against operators of the related BadBox 2.0 Android botnet ecosystem. The structure is layered: one group builds and rents out the botnet, another wraps it in a user-friendly stresser panel, and paying customers simply pick a target and a duration. That division of labor makes the ecosystem resilient. Taking down one layer does not necessarily disrupt the others.
What businesses should do now
Even the most conservative reading of the available evidence points in a troubling direction. Attack volumes are climbing, campaigns are lasting longer, and adversaries can rebrand and redeploy faster than courts can issue new seizure orders. For organizations that depend on internet-facing services, the practical implications are straightforward.
First, manual response is no longer viable as a primary defense. The speed of modern DDoS attacks, peaking in seconds rather than minutes, demands automated detection and mitigation, whether through a dedicated provider like Cloudflare, Akamai, or AWS Shield, or through on-premises systems capable of real-time traffic analysis.
Second, organizations need pre-established relationships with upstream providers who can absorb volumetric floods before they reach the network edge. Negotiating those agreements during an active attack is too late.
Third, incident playbooks should treat DDoS not as a rare event but as a recurring operational risk. The commoditization of attack tools means that any company with an online presence, not just banks and gaming platforms, is a plausible target.
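The first recommendation, automated detection for floods that peak in seconds, can be made concrete with an added example that is not from Cloudflare or any vendor named here: it compares a per-second detector against a check on one-minute averages over a constructed traffic series. The thresholds, the EWMA baseline and every function name are assumptions chosen for illustration.

```python
def detect_per_second(rates, factor=5.0, alpha=0.1, warmup=30, confirm=2):
    """Second at which mitigation triggers, or None. An EWMA baseline of
    requests/second is kept; `confirm` consecutive samples above
    factor x baseline trigger. The baseline is frozen while samples are
    anomalous, so the flood cannot drag it upward."""
    baseline, streak = float(rates[0]), 0
    for t, r in enumerate(rates):
        if t >= warmup and r > factor * baseline:
            streak += 1
            if streak >= confirm:
                return t
        else:
            streak = 0
            baseline = alpha * r + (1 - alpha) * baseline
    return None


def detect_minute_average(rates, factor=5.0, bucket=60):
    """Second at which a check on completed 60 s averages triggers, or None.
    The first bucket is assumed clean and used as the baseline."""
    baseline = sum(rates[:bucket]) / bucket
    for start in range(bucket, len(rates) - bucket + 1, bucket):
        avg = sum(rates[start:start + bucket]) / bucket
        if avg > factor * baseline:
            return start + bucket - 1  # visible only once the bucket closes
    return None


def constructed_traffic(onset=95, ramp=5, base=1000, peak=200_000, total=240):
    """Constructed requests/second series: jittered baseline, then a flood
    that climbs to `peak` within `ramp` seconds of `onset`."""
    rates = []
    for t in range(total):
        if t < onset:
            rates.append(base + (t % 7) * 20)  # deterministic jitter
        else:
            step = min(t - onset + 1, ramp)
            rates.append(base + (peak - base) * step // ramp)
    return rates


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("flood onset: t=95s")
    print("per-second detector fires: t=%ss" % detect_per_second(traffic))
    print("minute-average check fires: t=%ss" % detect_minute_average(traffic))
```

On this constructed series the per-second detector fires one second after onset, while the minute-average check cannot fire until its bucket closes, well after the flood has reached its peak rate.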
The court records and network data now available do not answer every question about AI’s precise role or the exact size of the underground market. But they leave little doubt that the threat is real, accelerating, and structurally difficult to stamp out. The defenders who fare best will be the ones who stopped waiting for certainty and started building resilience while the evidence was still catching up.
*This article was researched with the help of AI, with human editors creating the final content.