A prominent Brazilian technology firm specializing in cybersecurity and network protection has found itself at the center of a burgeoning digital scandal. Huge Networks, a company primarily known for its distributed denial-of-service (DDoS) mitigation services, has been identified as the source of a sophisticated botnet infrastructure responsible for a series of massive cyberattacks against other network operators within Brazil. This revelation, brought to light through an investigation by KrebsOnSecurity, suggests a troubling paradox where an entity hired to defend against digital sieges may have been facilitating them, either through negligence or direct involvement.
The investigation began following the discovery of an exposed file archive in an open directory online. The contents of this archive, shared by an anonymous source, included a collection of malicious Python-based programs and internal configuration files. Most significantly, the archive held private Secure Shell (SSH) authentication keys belonging to Erick Nascimento, the Chief Executive Officer of Huge Networks. A private SSH key is a credential in its own right: anyone holding a copy, particularly one not protected by a passphrase, can authenticate as its owner to every server that trusts the corresponding public key.
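The first question a responder asks about a leaked private key is whether it can be used as-is or whether it still needs a passphrase. The following script, added here as an example and not a tool from the KrebsOnSecurity investigation or from Huge Networks, inspects files for private SSH keys and reports which ones are unencrypted. It parses the OpenSSH key container header (the cipher name field) and the legacy PEM headers; the sample files it checks are constructed with dummy key material and cannot be used to authenticate anywhere.

```python
"""Find private SSH keys in a set of files and report which lack a passphrase.

Added example for this article; not a tool from the investigation.
Sample key files are constructed so the script runs offline; the OpenSSH
blobs carry dummy key material and cannot be used to authenticate.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside the OpenSSH key container."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text: str):
    """Return a dict describing the key, or None if the text is not a private key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an OpenSSH key container")
        # Container layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        # An unencrypted key has ciphername "none"; a passphrase-protected one names a cipher.
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_ssh_string(blob, off)
        return {"format": "openssh", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
    if header.endswith("PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by a Proc-Type header (RSA/EC/DSA keys)
        # or by the PKCS#8 "ENCRYPTED PRIVATE KEY" label.
        encrypted = (header == "-----BEGIN ENCRYPTED PRIVATE KEY-----"
                     or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4]))
        return {"format": "pem", "encrypted": encrypted}
    return None


def audit(files: dict):
    """files maps a name to its text; returns names of keys usable without a passphrase."""
    exposed = []
    for name, text in files.items():
        info = inspect_private_key(text)
        if info and not info["encrypted"]:
            exposed.append(name)
    return sorted(exposed)


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed OpenSSH container with dummy key material (demo input only)."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"dummy-public") + _ssh_string(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample "directory": two OpenSSH keys, one legacy encrypted PEM, one non-key file.
SAMPLE_FILES = {
    "id_ed25519": _fake_openssh_key(b"none", b"none"),
    "id_ed25519_work": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "legacy_rsa.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,0011223344556677\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "notes.txt": "deploy checklist\n",
}

if __name__ == "__main__":
    print("keys usable with no passphrase:", audit(SAMPLE_FILES))
```

In a real audit the `SAMPLE_FILES` mapping would be replaced by the contents of the directory under review; the only key this flags is the one whose container names the cipher "none", which is the case in which possession of the file is equivalent to possession of the account.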
The Mechanics of the Massive Brazilian Botnet
The exposed data provides a rare window into the operational methods of a modern DDoS campaign. For several years, Brazilian internet service providers (ISPs) have been plagued by large-scale attacks that seemed specifically designed to cripple regional infrastructure. The archive reveals that the threat actor behind these attacks maintained root access to Huge Networks’ infrastructure to coordinate the botnet’s growth and execution.
The botnet’s primary recruitment strategy involved mass-scanning the internet for vulnerable consumer hardware. Specifically, the scripts sought out the TP-Link Archer AX21 router. These devices are susceptible to CVE-2023-1389, an unauthenticated command injection vulnerability in the router’s web management interface that lets a remote attacker run arbitrary commands on the device. Although TP-Link released a patch for this vulnerability in April 2023, the botnet has continued to exploit the large population of devices whose owners never applied the update.
Once a router is compromised, it is enlisted into a network of "bots" capable of launching DNS reflection and amplification attacks. This technique is particularly devastating because it turns third-party DNS servers into unwitting participants: the bots’ own addresses are hidden behind the reflectors, and each request is answered with far more traffic than it cost to send.
DNS Reflection and Amplification Explained
Domain Name System (DNS) servers are the "phonebooks" of the internet, translating human-readable domain names into IP addresses. In a reflection attack, each bot sends a stream of DNS queries to open resolvers (servers that answer recursive queries from any source) with the source address of each packet forged to be the IP address of the intended victim. Because DNS normally runs over UDP, which has no handshake to verify the sender, the resolvers accept the queries and deliver their responses to the victim rather than to the bot.
Amplification comes from choosing queries whose responses are much larger than the request, such as queries for DNSSEC-signed records. A request of roughly 100 bytes can trigger a response 60 to 70 times larger. When tens of thousands of compromised TP-Link routers send these requests simultaneously, the traffic arriving at the victim can reach several terabits per second, overwhelming the defenses of even well-prepared regional ISPs.
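Seen from the victim's side, reflection has a distinctive shape: DNS responses arrive from a large number of distinct resolvers, yet the victim sent few or no queries, because the queries were sent by bots using its forged address. The following detector, added here as an example and not code from the leaked archive or from any ISP's monitoring stack, scores hosts by the number of distinct responding resolvers and by the ratio of DNS response bytes received to DNS query bytes sent. The `Flow` fields are an assumption that mirrors a typical NetFlow/IPFIX export, and the sample flows are constructed using documentation address ranges.

```python
"""Flag hosts receiving DNS reflection/amplification traffic.

Added example for this article; it is not code from the leaked archive,
KrebsOnSecurity, or Huge Networks. The Flow fields are an assumption that
mirrors a typical NetFlow/IPFIX export; the sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port
    bytes: int    # total bytes in the flow


def analyze_dns_reflection(flows, window_s=10.0, min_resolvers=20, min_ratio=50.0):
    """Return {victim_ip: stats} for hosts that look like reflection targets.

    A reflection victim receives DNS responses (source port 53) from many
    distinct resolvers while sending few or no DNS queries itself. A host doing
    its own lookups shows a response/query byte ratio in the single digits.
    """
    resp_bytes = defaultdict(int)
    resolvers = defaultdict(set)
    query_bytes = defaultdict(int)
    for f in flows:
        if f.sport == 53:            # response arriving at f.dst
            resp_bytes[f.dst] += f.bytes
            resolvers[f.dst].add(f.src)
        elif f.dport == 53:          # query leaving f.src
            query_bytes[f.src] += f.bytes

    findings = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        ratio = rb / qb if qb else float("inf")   # no queries at all: infinite ratio
        if len(resolvers[host]) >= min_resolvers and ratio >= min_ratio:
            findings[host] = {
                "resolvers": len(resolvers[host]),
                "response_bytes": rb,
                "query_bytes": qb,
                "ratio": ratio,
                "mbps": rb * 8 / window_s / 1e6,   # average rate over the capture window
            }
    return findings


def sample_flows():
    """Constructed records: one reflection victim and one host doing normal DNS."""
    flows = []
    victim = "203.0.113.10"
    for i in range(1, 61):                      # responses from 60 open resolvers
        flows.append(Flow(src=f"198.51.100.{i}", sport=53, dst=victim,
                          dport=40000 + i, bytes=400 * 3000))
    normal, resolver = "203.0.113.20", "198.51.100.200"
    for i in range(5):                          # 5 queries, 5 matching responses
        flows.append(Flow(src=normal, sport=50000 + i, dst=resolver, dport=53, bytes=80))
        flows.append(Flow(src=resolver, sport=53, dst=normal, dport=50000 + i, bytes=300))
    return flows


if __name__ == "__main__":
    for host, stats in analyze_dns_reflection(sample_flows()).items():
        print(host, stats)
```

The thresholds are deliberately conservative: a resolver count in the dozens combined with a response-to-query ratio in the hundreds does not occur for a host doing its own lookups, so the detector can run on a collector at the ISP edge without chasing false positives from busy recursive resolvers.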
A History of Industry Irony: The Mirai Connection
The malicious scripts found in the Huge Networks-linked archive are built upon the source code of Mirai. This malware strain gained notoriety in 2016 after launching then-unprecedented attacks against the KrebsOnSecurity website and the DNS provider Dyn. The history of Mirai is deeply intertwined with the DDoS mitigation industry; its original authors were eventually revealed to be the owners of a protection firm who used the botnet to sabotage competitors and coerce targets into purchasing their services.
This "protection racket" model has seen a resurgence in recent years. In May 2025, a record-breaking 6.3 Tbps DDoS attack was mitigated by Google, with investigations later pointing toward a Brazilian individual who operated both a mitigation service and several DDoS-for-hire platforms. The discovery of Huge Networks’ infrastructure being used in a similar fashion has reignited concerns about the ethics and oversight within the cybersecurity sector.
The Python scripts analyzed in the leaked archive show a highly targeted approach. The attacks were strictly limited to Brazilian IP address ranges, specifically small regional providers. The scripts ran each attack as a short, intense burst lasting between 10 and 60 seconds, using four parallel processes per host, before rotating to a new target. This hit-and-run tactic degrades service quality and frustrates network engineers while keeping each burst shorter than the sustained-traffic thresholds on which the automated mitigation of larger Tier 1 providers typically triggers.
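The evasion described above works against monitoring that averages traffic over minutes: a 20-second burst at fifty times the baseline barely moves a 5-minute mean. The following detector, added here as an example and not code from the leaked scripts or from any provider's tooling, runs the same per-target packet-rate series through a 10-second sliding window and through a 300-second window and shows that only the short window catches the bursts; it also extracts the burst intervals, which exposes the rotation from one target to the next. The per-second packet counts are constructed and the threshold is an assumption.

```python
"""Catch short DDoS bursts that a long averaging window hides.

Added example for this article, not code from the leaked scripts or from any
ISP's monitoring stack. The per-second packet counts are constructed; the
targets are documentation addresses and the thresholds are assumptions.
"""


def sliding_window_peak(series, window_s):
    """Highest mean packets-per-second over any window_s consecutive seconds.

    Returns (peak_pps, start_second). A running sum keeps this O(n).
    """
    if window_s > len(series):
        raise ValueError("window longer than series")
    running = sum(series[:window_s])
    peak, peak_start = running / window_s, 0
    for start in range(1, len(series) - window_s + 1):
        running += series[start + window_s - 1] - series[start - 1]
        if running / window_s > peak:
            peak, peak_start = running / window_s, start
    return peak, peak_start


def burst_intervals(series, threshold_pps):
    """Contiguous [start, end) second ranges where traffic exceeds threshold_pps."""
    intervals, start = [], None
    for t, pps in enumerate(series):
        if pps > threshold_pps and start is None:
            start = t
        elif pps <= threshold_pps and start is not None:
            intervals.append((start, t))
            start = None
    if start is not None:
        intervals.append((start, len(series)))
    return intervals


def detect(series_by_target, threshold_pps, window_s):
    """Targets whose peak windowed average exceeds the threshold: {target: (peak, start)}."""
    hits = {}
    for target, series in series_by_target.items():
        peak, start = sliding_window_peak(series, window_s)
        if peak > threshold_pps:
            hits[target] = (peak, start)
    return hits


def sample_series(duration_s=300, baseline=1000, burst_pps=50000):
    """Constructed 5-minute traces: three targets hit in turn for 20, 45 and 10 seconds."""
    bursts = {"203.0.113.1": (30, 50), "203.0.113.2": (60, 105), "203.0.113.3": (120, 130)}
    out = {}
    for target, (b0, b1) in bursts.items():
        # Baseline jitters deterministically between 1000 and 1049 pps outside the burst.
        out[target] = [burst_pps if b0 <= t < b1 else baseline + (t * 7) % 50
                       for t in range(duration_s)]
    return out


if __name__ == "__main__":
    data = sample_series()
    print("10 s window:", detect(data, 10000, 10))
    print("300 s window:", detect(data, 10000, 300))
    for target, series in data.items():
        print(target, burst_intervals(series, 10000))
```

With the constructed data, the 300-second mean for the hardest-hit target is under 9,000 pps and never crosses the 10,000 pps threshold, while the 10-second window reports a 50,000 pps peak for all three targets; the burst intervals line up end to end, which is the target-rotation signature the article describes.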
Chronology of the Breach and Discovery
The timeline of events, as reconstructed from server logs and official statements, suggests a long-term compromise that may have gone undetected for months.

- April 2023: TP-Link patches CVE-2023-1389. The botnet begins targeting unpatched Archer AX21 routers shortly thereafter.
- May 2025: A massive Mirai-based attack, the 6.3 Tbps attack mitigated by Google, hits global targets; investigators later tie it to a Brazilian individual who ran both a mitigation service and DDoS-for-hire platforms.
- January 11, 2026: Digital Ocean, a cloud infrastructure provider, notifies Erick Nascimento of a compromise: one of his "droplets" (Digital Ocean’s term for a virtual private server) was flagged for suspicious activity tied to a leaked SSH key.
- January 2026: Huge Networks claims to have wiped the affected servers and rotated keys, though the company admits it did not realize the full extent of the botnet activity at the time.
- April 2026: An anonymous source discovers an open directory containing the attack scripts and Nascimento’s private SSH keys, leading to the public disclosure of the connection between Huge Networks and the DDoS campaigns.
Official Response from Huge Networks
Erick Nascimento, the CEO of Huge Networks, has categorically denied that his firm intentionally engaged in attacking other ISPs to drum up business. In a series of statements, Nascimento characterized the situation as the result of a sophisticated digital intrusion by a third party.
"We received and notified many Tier 1 upstreams regarding very large DDoS attacks against small ISPs," Nascimento stated. "We didn’t dig deep enough at the time, and what was discovered makes it clear that our infrastructure was being abused."
Nascimento maintains that the malicious activity originated from a "bastion" or jump server that was compromised in early 2026. He argued that the leaked SSH keys were from a legacy personal account and were not part of the core Huge Networks production infrastructure. Furthermore, he proposed a theory that a competitor is responsible for the breach and the subsequent "leak" of the files to the press.
According to Nascimento, the company has engaged a third-party forensics firm to investigate the breach. He also claimed to have "strong evidence stored on the blockchain" that points to a specific competitor who sought to tarnish Huge Networks’ reputation ahead of a major industry trade event. However, he declined to name the competitor or provide the blockchain evidence, citing the need to maintain a "surprise factor" for potential legal action.
Data Analysis and Supporting Evidence
Despite the CEO’s claims of a setup, the evidence found in the command-line history of the exposed archive paints a picture of a meticulously maintained operation. The logs show the botmaster coordinating scans from a Digital Ocean server (IP: 174.138.89.122), which has been flagged for abusive activity hundreds of times over the past year.
The Python scripts specifically invoked multiple IP addresses assigned to Huge Networks to identify targets. Analysis of the scripts also revealed connections to the malicious domains hikylover[.]st and c.loyaltyservices[.]lol (written here in defanged form). Both domains have previously been identified by security researchers as command-and-control (C2) servers for IoT botnets.
Industry data from QRator and other network monitoring services confirms that the targets of these attacks were indeed small, regional Brazilian ISPs. This segment is often the most vulnerable, as such providers lack the bandwidth and specialized hardware required to absorb terabit-scale traffic.
Broader Impact and Industry Implications
The situation involving Huge Networks highlights a critical vulnerability in the global cybersecurity supply chain. When a company that provides "clean pipes" and traffic scrubbing is itself compromised, the resulting damage is magnified. The "trust gap" created by such incidents can lead to increased regulatory scrutiny for all cybersecurity providers.
In Brazil, where the ISP market is highly fragmented with thousands of small operators, the impact of these attacks is felt directly by the consumer. Sustained DDoS campaigns lead to internet outages, increased operational costs for providers, and a general degradation of the country’s digital economy.
Technical and Regulatory Challenges
The continued success of the Mirai-based botnet underscores the persistent problem of "zombie" IoT devices. Even when manufacturers release patches, the lack of automated update mechanisms in consumer routers ensures that vulnerabilities remain exploitable for years. This incident may push Brazilian regulators, such as Anatel, to consider stricter security standards for hardware sold within the country.
Furthermore, the case raises questions about the responsibility of cloud service providers like Digital Ocean. While they do issue abuse notifications, the ability of threat actors to maintain C2 infrastructure on these platforms for extended periods remains a significant hurdle for global cybersecurity.
As Huge Networks continues its internal forensic audit, the broader tech community remains wary. The intersection of DDoS protection services and DDoS attack infrastructure is a dark corner of the internet that has existed since the early days of IRC-based botnets. Whether this incident was the result of a sophisticated competitor’s frame-up or a lapse in internal security, it serves as a stark reminder that in the world of cybersecurity, the line between the protector and the predator can sometimes become dangerously thin.
