
Brazilian DDoS protection firm's infrastructure powered attacks on rival ISPs

via Krebs on Security

Original source: "Anti-DDoS Firm Heaped Attacks on Brazilian ISPs" (Krebs on Security)

An exposed file archive has tied Huge Networks, a Miami-registered, Brazil-operated DDoS mitigation provider, to a long-running botnet that has battered small Brazilian ISPs for years. The archive contained Portuguese-language Python attack scripts, command histories, and the private SSH keys of CEO Erick Nascimento, alongside infrastructure used to scan the internet for TP-Link Archer AX21 routers still vulnerable to CVE-2023-1389 and for open DNS resolvers usable in reflection-amplification attacks. Targets were exclusively Brazilian IP ranges, hit in tight 10-60 second bursts before moving on.

The malware is a Mirai variant, with C2 domains previously flagged in IoT botnet activity, and scanning was coordinated from a Digital Ocean droplet repeatedly cited for abuse. Nascimento denies authoring the attacks or using them to drum up business, attributing the activity to a January 2026 intrusion that compromised two dev servers and a personal droplet via a shared bastion host. He claims keys were rotated immediately and says blockchain-stored evidence points to a competitor framing him, though he declined to name them.

The pattern echoes prior cases Krebs has documented, including the original Mirai authors and a 2025 record-breaking attack, where DDoS mitigation operators ran the very botnets they purported to defend against. Whether Huge Networks is perpetrator or victim of a frame-up, the incident underscores how trivially a single compromised SSH key on a jump host can convert defensive infrastructure into an offensive platform — and how unpatched consumer routers two years past disclosure remain the fuel.


This is an AI-generated summary. Read the original for the full story.