Taking Down Booters: The Cat-and-Mouse Game

In December 2022, we first blogged about a law enforcement takedown of DDoS-for-hire services (often known as “booters”), sharing details about their changing landscape shortly after the initial seizures. Now that we have more data covering a longer period post-takedown, we can form a clearer picture of the impact.

Booters have been around for years, offering anyone with a few dollars the ability to take offline websites that are not shielded by a DDoS protection service. They are often marketed as harmless “stress-testing” tools, but in practice, they are mostly used for malicious purposes. They’re easy to access, cheap to use, and difficult to stop.

Law enforcement had made several attempts to take them down in the past—for example, in 2018—but the effects were short-lived. This time, multiple law enforcement agencies launched what was likely their largest coordinated campaign to date. There were two waves of takedowns, in December 2022 and May 2023, resulting in about 60 domains being seized in total. In addition to seizing websites, authorities also set up deceptive sites and ran influence campaigns on forums and chat channels to deter potential customers.

We measured the impact of this campaign by incorporating a diverse mix of data. Whenever a booter was seized, visitors were redirected to a “splash page” explaining the takedown and the legal risks involved. This page was hosted on our infrastructure, and over time, we logged more than 20 million visits. To gain a clearer picture of access to these booters, we also collected Similarweb traffic analytics for all seized and resurrected domains. On the attack side, we drew from four separate DDoS attack datasets from both academia and industry—Hopscotch, AmpPot, Netscout, and a collection of self-reported statistics from over 200 booters spanning two years—which together contained more than 47 million DDoS attack records. We also collected thousands of forum posts and chats from booters’ Telegram channels to see how operators and customers reacted to the campaign.

One of the first things we noticed was how quickly booters tried to bounce back. In the December 2022 wave, over half of them returned, with a median resurrection time of around 20 hours. In many cases, the new sites looked nearly identical to the old ones, differing only in the domain name used. In the second wave, in May 2023, all seized booters were back online, with a median resurrection time of just 40 hours. Yet speed did not translate into success. Even though the sites appeared familiar, traffic collapsed. We observed an 80–90% reduction in both visits and visitors compared to pre-seizure levels, and by the end of September 2023, the combined traffic to all resurrected domains had dropped to only a trivial number of daily visits.

Traffic patterns to the splash pages revealed more of the story. Visitors mostly came from the US, followed by China, Germany, the UK, and Russia, with smaller numbers from France, the Netherlands, Turkey, Poland, and Singapore. Most users accessed the sites via PCs rather than phones, consistent with the culture around online gaming. Surprisingly, very few visitors attempted to hide behind proxies or VPNs, and we observed almost no Tor traffic. This supports the idea that typical booter customers are not seasoned criminals but rather young, relatively inexperienced users with little awareness of operational security. We also observed that some large booters resell their capacity to second-tier booters via API calls. However, some of these operators did not notice the takedown and continued sending many API requests months afterward.

The interventions did not just involve taking sites offline. Law enforcement also launched deceptive booter services that appeared legitimate but were designed to trick users into registering before confronting them with warnings. These fake sites briefly attracted measurable traffic, sometimes rivalling the resurrected domains, but interest waned within a few days. Still, the existence of these sites served a larger purpose: undermining trust in the market. If users begin to worry that the next booter they sign up for might actually be run by law enforcement, it becomes a powerful deterrent.

Looking at DDoS attack data, the December 2022 wave did make a dent. Across multiple datasets, we observed a 20–40% drop in global DDoS volumes, particularly in UDP-based attacks, which are typically associated with booters. However, the effect was temporary—about six weeks later, attack volumes had not only recovered but, in some cases, surpassed previous levels, much like what we saw in 2018. The May 2023 takedown had almost no measurable effect. From another perspective, the self-reported statistics indicated that the two major booters survived both takedowns and remained steady. Unlike earlier interventions, we did not see major booters suddenly capturing massive market share. Instead, the recovery came from a scattering of smaller services.

The forums and chat channels gave us insight into how this all felt on the ground. Right after the first wave, there was a flurry of discussion about the FBI and the NCA. Some operators were persistent in trying to recover their services, while others gave up, advertised their source code for sale, and looked for alternative sources of income, such as freelancing. A few expressed outright fear that they might get caught. For a market that depends on being seen as low-risk, those ripples of doubt mattered.

So, what did we learn? The interventions clearly work in the short term. They reduce attacks, cut traffic, and undermine cybercriminals’ confidence. But the market is resilient: domains are replaced within hours, operators adapt quickly, and attack volumes rebound in weeks. Still, even short-lived disruptions have value, especially during periods of higher attack activity, such as school holidays and Christmas. They force operators to waste time and resources, confuse users, and make the entire ecosystem feel less safe.

One of the major takeaways is that this is not a battle with a single victory point. We probably cannot eliminate booters once and for all; instead, we can keep pushing them back, wave after wave. If booters shift from being easy, casual tools for teenagers and gamers to niche services for more committed criminals, that alone would be a win. The fight against DDoS-for-hire is less about landing a knockout punch and more about ensuring the market never feels stable again.

Our findings were published at the USENIX Security Symposium 2025 [1]. The paper received an Honourable Mention Award—one of the top 25 of 407 accepted papers out of approximately 2400 submissions this year. Some of the datasets are available to academic researchers through the Cambridge Cybercrime Centre’s data-sharing agreements.

[1] Anh V. Vu, Ben Collier, Daniel R. Thomas, John Kristoff, Richard Clayton, and Alice Hutchings. Assessing the Aftermath: the Effects of a Global Takedown against DDoS-for-hire Services. In Proceedings of the USENIX Security Symposium 2025. USENIX Association.
