Eleven11bot infects webcams and video recorders, with a large concentration in the US.

A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.

The botnet, tracked under the name Eleven11bot, first came to light in late February when researchers inside Nokia’s Deepfield Emergency Response Team observed large numbers of geographically dispersed IP addresses delivering “hyper-volumetric attacks.” Eleven11bot has been delivering large-scale attacks ever since.

Volumetric DDoSes shut down services by consuming all available bandwidth either inside the targeted network or its connection to the Internet. This approach works differently than exhaustion DDoSes, which over-exert the computing resources of a server. Hypervolumetric attacks are volumetric DDoses that deliver staggering amounts of data, typically measured in the terabits per second.

**Johnny-Come-Lately Botnet Sets a New Record**

At 30,000 devices, the Eleven11bot was already exceptionally large (although some botnets exceed well over 100,000 devices). Most of the IP addresses participating, Nokia researcher Jérôme Meyer told me, had never been seen engaging in DDoS attacks.

Besides a 30,000-node botnet seeming to appear overnight, another salient feature of Eleven11bot is the record-size volume of data it sends its targets. The largest one Nokia has seen from Eleven11bot so far occurred on February 27 and peaked at about 6.5 terabits per second. The previous record for a volumetric attack was reported in January at 5.6 Tbps.

"Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors," Meyer wrote. While in some cases the attacks are based on the volume of data, others focus on flooding a connection with more data packets than a connection can handle, with numbers ranging from a "few hundred thousand to several hundred million packets per second." Service degradation caused in some attacks has lasted multiple days, with some remaining ongoing as of the time this post went live.

A breakdown showed that the largest concentration of IP addresses, at 24.4 percent, was located in the US. Taiwan was next at 17.7 percent, and the UK at 6.5 percent.

In an online interview, Meyer made the following points:

> *   This botnet is much larger than what we're used to seeing in DDoS attacks (the only precedent I have in mind is an attack from 2022 right after the Ukraine invasion, at ~60k bots, but not public).
> *   The vast majority of its IPs were not involved in DDoS attacks prior to last week.
> *   Most of the IPs are security cameras (Censys thinks Hisilicon, I saw multiple sources talk to a Hikvision NVR too so that is a possibility but not my area of expertise).
> *   Partly because the botnet is larger than average, the attack size is also larger than average.

According to a post updated on Wednesday from security firm Greynoise, Eleven11bot is most likely a variant of Mirai, a family of malware for infecting webcams and other Internet of Things devices. Mirai debuted in 2016, when tens of thousands of IoT devices infected by it delivered what at the time were record-setting DDoSes of about 1 Tbps and took down security news site KrebsOnSecurity for almost a week. Shortly after that, Mirai developers published their source code in a move that made it easy for copycats everywhere to deliver the same massive attacks. Greynoise said that the variant driving Eleven11bot is using a single new exploit to infect TVT-NVMS 9000 digital video recorders that run on HiSilicon chips.

There have been conflicting reports on the number of devices comprising Eleven11bot. Following Nokia's report last Saturday of roughly 30,000 devices, the nonprofit Shadowserver Foundation said Tuesday that the true size was more than 86,000. Then in Wednesday's update, Greynoise said that based on data from fellow security firm Censys, both numbers were inflated and the true number was likely fewer than 5,000.

The upward revision from Shadowserver was likely the result of the belief that all infected devices displayed unique device information. That suspicion now appears to be incorrect. Instead, Meyer believes the information seen on infected devices is displayed on all such hardware, whether infected or not. Researchers from Greynoise and Censys weren't immediately available to explain how they arrived at the much lower estimate of fewer than 5,000.

Meyer said that he has consistently observed as many as 20,000 to 30,000 IP addresses participating in follow-on attacks, although many attacks come from much smaller subsets. He said that he has since sent a list of all 30,000 or so IP addresses he has observed to Censys and plans to also send them to Shadowserver soon in hopes of getting consensus on the true size.

"I am still confident on the estimated count as this is what we keep seeing in attacks and after human review of the source IPs," he wrote.

Mirai-based botnets employ various methods for infecting their targets. One common method is to attempt to log in to device administrator accounts using username/password pairs commonly set as defaults by manufacturers. Mirai botnets have also been known to exploit vulnerabilities that bypass security settings.

In any case, anyone running any sort of IoT devices should position them behind a router or other form of firewall so they're not visible from outside a local network. Remote administration from outside the Internet should be enabled only when needed. Users should also ensure each device is protected by a strong unique password. Last, devices should be updated as soon as security patches become available.

_This story originally appeared on_ _Ars Technica._

A Brand-New Botnet Is Delivering Record-Size DDoS Attacks

Martin Lee dives into to the complexities of defending our customers from threat actors and covers the latest Talos research in this week's newsletter.

Thursday, March 6, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter.

At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.

In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself.  Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although not an easy task, the attacker will often unwittingly leave clues to their identity.

We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.

New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.

Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker’s identity. Otherwise the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organistation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.

Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.

**The one big thing**

Lotus Blossum is a sophisticated threat actor that we’ve uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity. 

**Why do I care?**

Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industrial sector, other threat actors may be conducting information stealing campaigns against you.

**So now what?**

Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.

**  
Top security headlines of the week**

244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)

A massive botnet consisting of more than 86 000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)

The US agency, CISA reports that it will continue to defend against threats including those from Russia. (TheRecord)

****Can’t get enough Talos?****

In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025)  San Francisco, CA    
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA   

**Most prevalent malware files from Talos telemetry over the past week**

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde   
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

SHA256: 592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac  
MD5: 6361f25ede0442f2e0ad3bcd33c331c8  
Typical Filename: KMSSS.exe  
Detection Name: PUA.Win.Dropper.Hackkms::tpd  
VirusTotal: https://www.virustotal.com/gui/file/592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: img001.exe  
Detection Name: Win.Trojan.Miner-9835871-0  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Who is Responsible and Does it Matter?

Removing 24 malicious apps from the Google Play store and silencing some servers has almost halved the BadBox botnet.

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.

The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.

The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.

This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.

Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices. These devices have not necessarily been infected by installing malicious apps. It’s been suggested that Chinese manufacturers hide firmware backdoors in their devices, BadBox being one of them.

The BSI said it found:

> “The BadBox malware was already installed on the respective devices when they were purchased.”

According to Satori Threat Intelligence researchers:

> “Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.

Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.

As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.

**How to stay safe**

This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices the botnet will resurface soon enough.

So here are a few things you can do:

*   Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
*   Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
*   Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android botnet BadBox largely disrupted 

One of the most notorious providers of abuse-friendly "bulletproof" web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm **Kaspersky Lab**, KrebsOnSecurity has learned.

Security experts say the Russia-based service provider **Prospero OOO** (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm **Intrinsec** detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names **Securehost** and **BEARHOST**.

The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.

Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019.

“If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”

Intrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.

A fake browser update page pushing mobile malware. Image: Intrinsec.

BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.

Kaspersky did not respond to repeated requests for comment.

Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.

Cybersecurity reporter **Kim Zetter** notes that DHS didn’t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:

> According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.
> 
> Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker’s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker’s machine were not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.

Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.

Phishing data gathered last year by the **Interisle Consulting Group** ranked hosting networks by their size and concentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.

AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.

It remains unclear why Kaspersky is providing transit to Prospero. **Doug Madory**, director of Internet analysis at **Kentik**, said routing records show the relationship between Prospero and Kaspersky started at the beginning of December 2024.

Madory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest — **Alfa-Bank**. Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS) attacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky.

But if that is the case, it doesn’t make the situation any better, said **Zach Edwards**, a senior threat researcher at the security firm **Silent Push**.

“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.

Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab

One month into his second term, President Trump's actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the world's richest man to wrest control over their networks and data.

Trump 2.0 Brings Cuts to Cyber, Consumer Protections

Massive 1.17 TB data leak exposes billions of records from a Chinese IoT grow light company. Wi-Fi passwords,…

Massive 1.17 TB data leak exposes billions of records from a Chinese IoT grow light company. Wi-Fi passwords, IP addresses, and device IDs are among the exposed data. Learn more.

A large, unprotected database belonging to Mars Hydro, a company specializing in IoT grow lights (Internet of Things Grow Lights) and agricultural software, was discovered by cybersecurity researcher Jeremiah Fowler.

The database, containing a whopping 2.7 billion records totalling 1.17 terabytes, exposed a treasure trove of sensitive information, including Wi-Fi network names (SSIDs), passwords, IP addresses, device IDs, email addresses, and more.  

According to Fowler’s blog post for vpnMentor which the company shared with Hackread.com ahead of publishing on Wednesday 12th February 2025, within the database, folders labelled for logging, monitoring, and error records of IoT devices worldwide were found. 

Sample analysis revealed over 100 million records across 13 folders, containing not only Wi-Fi network names but also their corresponding passwords, along with IP addresses and unique device identifiers.  Interestingly, the data also seemed to link to the control devices, such as smartphones, used to manage these IoT products, revealing information about operating systems (e.g. iOS and Android).

Further investigation linked the database to LG-LED SOLUTIONS LIMITED, a California-registered company.  API details and URLs associated with LG-LED SOLUTIONS, Mars Hydro, and Spider Farmer- all involved in the manufacturing and sale of agricultural grow lights, fans, and cooling systems- were also present in the exposed data.  Numerous records were specifically labelled as “Mars-pro-iot-error” or “SF-iot-error,” suggesting a connection to these specific product lines.  

Fowler also found error logs containing potentially sensitive information, including tokens, application versions, device types, and IP addresses, in addition to the Wi-Fi credentials. 

Following the discovery, Fowler promptly notified LG-LED SOLUTIONS and Mars Hydro, leading to the database being secured within hours. Mars Hydro, identified as a Shenzhen, China-based LED grow light manufacturer with warehouses in the UK, US, and Australia, confirmed to Fowler that the Mars Pro app is their official product. 

Nevertheless, questions remain regarding the database’s ownership, management, and the duration of its exposure. It is unclear if the database was managed directly by LG-LED SOLUTIONS or a third-party contractor. A thorough forensic audit would be required to determine the extent of any unauthorized access, Fowler noted in the blog post.

The Mars Pro app and connected devices have been exposing vast amounts of information. Such lapses can lead to misuse, like surveillance, man-in-the-middle attacks, and manipulation. The recently reported Matrix hacker group is a prime example of the ongoing exploitation of exposed IoT devices for DDoS botnets.

Additionally, studies indicate that a significant percentage of IoT devices (57%) are highly vulnerable, with a majority of transmitted data (983%) being unencrypted. To mitigate these risks, IoT device makers and app developers must prioritize data protection, avoid plain text logging, use encryption, secure internal cloud storage, and conduct regular security audits and penetration testing.

.

Massive 1.17TB Data Leak Exposes Billions of IoT Grow Light Records

Gcore’s latest DDoS Radar report analyzes attack data from Q3–Q4 2024, revealing a 56% YoY rise in the total number of DDoS attacks with the largest attack peaking at a record 2 Tbps. The financial services sector saw the most dramatic increase, with a 117% rise in attacks, while gaming remained the most-targeted industry. This period’s findings emphasize the need for robust, adaptive DDoS

Gcore DDoS Radar Reveals 56% YoY Increase in DDoS Attacks

Luxembourg, Luxembourg, 11th February 2025, CyberNewsWire

**Luxembourg, Luxembourg, February 11th, 2025, CyberNewsWire**

Gcore, the global edge AI, cloud, network, and security solutions provider, today announced the findings of its Q3-Q4 2024 Radar report into DDoS attack trends. DDoS attacks have reached unprecedented scale and disruption in 2024, and businesses need to act fast to protect themselves from this evolving threat. The report reveals a significant escalation in the total number of DDoS attacks and their magnitude, measured in terabits per second (Tbps).

**Key highlights from Q3-Q4 2024**

●    Compared to Q3–Q4 2023, the number of DDoS attacks have risen by 56%, which highlights a steep long-term growth trend.

●    The gaming industry continues to be the most targeted by DDoS attacks, accounting for 34% of all attacks.

●    In Q3-Q4 2024, the financial services sector experienced a significant increase, accounting for 26% of all DDoS attacks, up from 12% in the previous period.

●    There was a 17% increase in the total number of attacks compared with Q1-Q2 2024.

●    The largest attack peaked at 2Tbps in Q3-Q4 2024, which is an 18% increase from Q1-Q2 2024.

●    DDoS attacks are becoming shorter in duration but more powerful.

**Attackers are shifting their focus**

The sectors that were targeted in Q3-Q4 2024 reflect a changing focus among DDoS attackers. The technology industry has seen a steady increase in its share of DDoS attacks, increasing from 7% to 19% since Q3-Q4 2023. This is because DDoS attackers recognise the wide-reaching disruption potential of attacking technology services. A single successful attack can take out a service that countless organizations depend on – causing significant harm to people and businesses. Another reason that technology platforms have seen an increase in DDoS attacks is due to their vast computational power, which malicious actors can exploit to intensify their attacks.

The gaming industry continues to be the most-attacked industry, although there were 31% fewer attacks compared with Q1-Q2 2024. The decline in attacks may be attributed to several factors. For instance, gaming companies are strengthening their DDoS defenses in response to ongoing attacks, which may result in fewer successful attacks. Another explanation is that attackers may be shifting their focus towards other high-value sectors, such as financial services, which saw a 117% increase in the number of attacks. The sector’s critical online services and susceptibility to ransom-based attacks make it a prime target.

Andrey Slastenov, Head of Security at Gcore, commented: “The latest Gcore Radar should be a wake-up call to businesses across all industries. Not only is the number and intensity of attacks increasing, but attackers are expanding the scope of their attacks to reach an increasingly wide range of sectors. Businesses must invest in robust DDoS detection, mitigation, and protection to prevent the financial and reputational impact of an attack.

**The geographical distribution of DDoS attacks**

With a presence that spans six continents, Gcore can accurately track the geographical sources of DDoS attacks. Gcore derives these insights from the attackers’ IP addresses and the geographic locations of the data centers where malicious traffic is targeted. 

Gcore’s findings have highlighted the Netherlands as a key source of attacks; leading application-layer attacks with 21% and ranking second for network-layer attacks at 18%. The U.S. ranked highly across both layers, reflecting its vast internet infrastructure for hackers to exploit.

Brazil featured prominently in network-layer attacks at 14%. Brazil’s growing digital economy and connectivity make it an emerging source of attacks. China and Indonesia also featured prominently, with Indonesia showing a growth in application-layer attacks at 8%, which reflects a broader trend of increased attack activity in Southeast Asia.

**Short but potent attacks continue to take hold**

DDoS attacks are becoming shorter in duration, but no less disruptive. The longest DDoS attack duration during Q3-Q4 2024 was five hours, which is a significant decrease from 16 hours in the first half of the year. This is reflective of an increasing trend towards shorter but more intense attacks. These ‘burst attacks’ can be more difficult to detect as they may blend in with normal traffic spikes. The delay in detection gives attackers a window of opportunity to disrupt services before cyber defenses can kick in.

The trend of shorter DDoS attack durations can in part be attributed to improvements in cybersecurity. As security tightens, attackers have learned to adapt with short burst attacks designed to bypass defenses. A short DDoS attack can also double as a smokescreen to conceal a secondary attack, such as ransomware deployment.

The full report is available at https://gcore.com/library/gcore-radar-ddos-attack-trends-q3-q4-2024

**About Gcore**  

Gcore is a global edge AI, cloud, network, and security solutions provider. Headquartered in Luxembourg, with a team of 600 operating from ten offices worldwide, Gcore provides solutions to global leaders in numerous industries. Gcore manages its global IT infrastructure across six continents, with one of the best network performances in Europe, Africa, and LATAM due to the average response time of 30 ms worldwide. Gcore’s network consists of 180 points of presence worldwide in reliable Tier IV and Tier III data centers, with a total network capacity exceeding 200 Tbps.

Users can learn more at gcore.com or follow them on LinkedIn, Twitter, and Facebook.

**Contact**

**Gcore press contact**  
**\[email protected\]**

Gcore Radar report reveals 56% year-on-year increase in DDoS attacks

Wired reported this week that a 19-year-old working for Elon Musk's so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today's story explores, the DOGE teen is a former denizen of 'The Com,' an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

_Wired_ reported this week that a 19-year-old working for **Elon Musk**‘s so-called **Department of Government Efficiency** (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today’s story explores, the DOGE teen is a former denizen of ‘**The Com**,’ an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

Since President Trump’s second inauguration, Musk’s DOGE team has gained access to a truly staggering amount of personal and sensitive data on American citizens, moving quickly to seize control over databases at the **U.S. Treasury**, the **Office of Personnel Management**, the **Department of Education**, and the **Department of Health and Human Resources**, among others.

_Wired_ first reported on Feb. 2 that one of the technologists on Musk’s crew is a 19-year-old high school graduate named **Edward Coristine**, who reportedly goes by the nickname “Big Balls” online. One of the companies Coristine founded, **Tesla.Sexy LLC**, was set up in 2021, when he would have been around 16 years old.

“Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains,” _Wired_ reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”

Mr. Coristine has not responded to requests for comment. In a follow-up story this week, _Wired_ found that someone using a Telegram handle tied to Coristine solicited a DDoS-for-hire service in 2022, and that he worked for a short time at a company that specializes in protecting customers from DDoS attacks.

A profile photo from Coristine’s WhatsApp account.

Internet routing records show that Coristine runs an Internet service provider called **Packetware** (AS400495). Also known as “**DiamondCDN**,” Packetware currently hosts tesla\[.\]sexy and diamondcdn\[.\]com, among other domains.

DiamondCDN was advertised and claimed by someone who used the nickname “**Rivage**” on several Com-based Discord channels over the years. A review of chat logs from some of those channels show other members frequently referred to Rivage as “Edward.”

From late 2020 to late 2024, Rivage’s conversations would show up in multiple Com chat servers that are closely monitored by security companies. In November 2022, Rivage could be seen requesting recommendations for a reliable and powerful DDoS-for-hire service.

Rivage made that request in the cybercrime channel “**Dstat**,” a core Com hub where users could buy and sell attack services. Dstat’s website dstat\[.\]cc was seized in 2024 as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.

Coristine’s LinkedIn profile said that in 2022 he worked at an anti-DDoS company called **Path Networks**, which _Wired_ generously described as a “network monitoring firm known for hiring reformed blackhat hackers.” _Wired_ wrote:

“At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees **Eric Taylor**, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.”

The founder of Path is a young man named **Marshal Webb**. I wrote about Webb back in 2016, in a story about a DDoS defense company he co-founded called **BackConnect Security LLC**. On September 20, 2016, KrebsOnSecurity published data showing that the company had a history of hijacking Internet address space that belonged to others.

Less than 24 hours after that story ran, KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept this site offline for nearly 4 days.

The other founder of BackConnect Security LLC was **Tucker Preston**, a Georgia man who pleaded guilty in 2020 to paying a DDoS-for-hire service to launch attacks against others.

The aforementioned Path employee Eric Taylor pleaded guilty in 2017 to charges including an attack on our home in 2013. Taylor was among several men involved in making a false report to my local police department about a supposed hostage situation at our residence in Virginia. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as “swatting.”

CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed\[dot\]su, which “doxed” dozens of public officials and celebrities by publishing the address, Social Security numbers and other personal information on the former First Lady Michelle Obama, the then-director of the FBI and the U.S. attorney general, among others. The group also swatted many of the people they doxed.

_Wired_ noted that Coristine only worked at Path for a few months in 2022, but the story didn’t mention why his tenure was so short. A screenshot shared on the website pathtruths.com includes a snippet of conversations in June 2022 between Path employees discussing Coristine’s firing.

According to that record, Path founder Marshal Webb dismissed Coristine for leaking internal documents to a competitor. Not long after Coristine’s termination, someone leaked an abundance of internal Path documents and conversations. Among other things, those chats revealed that one of Path’s technicians was a Canadian man named **Curtis Gervais** who was convicted in 2017 of perpetrating dozens of swatting attacks and fake bomb threats — including at least two attempts against our home in 2014.

A snippet of text from an internal Path chat room, wherein members discuss the reason for Coristine’s termination: Allegedly, leaking internal company information. Source: Pathtruths.com.

On May 11, 2024, Rivage posted on a Discord channel for a DDoS protection service that is chiefly marketed to members of The Com. Rivage expressed frustration with his time spent on Com-based communities, suggesting that its profitability had been oversold.

“I don’t think there’s a lot of money to be made in the com,” Rivage lamented. “I’m not buying Heztner \[servers\] to set up some com VPN.”

Rivage largely stopped posting messages on Com channels after that. _Wired_ reports that Coristine subsequently spent three months last summer working at **Neuralink**, Elon Musk’s brain implant startup.

The trouble with all this is that even if someone sincerely intends to exit The Com after years of consorting with cybercriminals, they are often still subject to personal attacks, harassment and hacking long after they have left the scene.

That’s because a huge part of Com culture involves harassing, swatting and hacking other members of the community. These internecine attacks are often for financial gain, but just as frequently they are perpetrated by cybercrime groups to exact retribution from or assert dominance over rival gangs.

Experts say it is extremely difficult for former members of violent street gangs to gain a security clearance needed to view sensitive or classified information held by the U.S. government. That’s because ex-gang members are highly susceptible to extortion and coercion from current members of the same gang, and that alone presents an unacceptable security risk for intelligence agencies.

And make no mistake: The Com is the English-language cybercriminal hacking equivalent of a violent street gang. KrebsOnSecurity has published numerous stories detailing how feuds within the community periodically spill over into real-world violence.

When Coristine’s name surfaced in _Wired_‘s report this week, members of The Com immediately took notice. In the following segment from a February 5, 2025 chat in a Com-affiliated hosting provider, members criticized Rivage’s skills, and discussed harassing his family and notifying authorities about incriminating accusations that may or may not be true.

> 2025-02-05 16:29:44 UTC vperked#0 they got this nigga on indiatimes man  
> 2025-02-05 16:29:46 UTC alexaloo#0 Their cropping is worse than AI could have done  
> 2025-02-05 16:29:48 UTC hebeatsme#0 bro who is that  
> 2025-02-05 16:29:53 UTC hebeatsme#0 yalla re talking about  
> 2025-02-05 16:29:56 UTC xewdy#0 edward  
> 2025-02-05 16:29:56 UTC .yarrb#0 rivagew  
> 2025-02-05 16:29:57 UTC vperked#0 Rivarge  
> 2025-02-05 16:29:57 UTC xewdy#0 diamondcdm  
> 2025-02-05 16:29:59 UTC vperked#0 i cant spell it  
> 2025-02-05 16:30:00 UTC hebeatsme#0 rivage  
> 2025-02-05 16:30:08 UTC .yarrb#0 yes  
> 2025-02-05 16:30:14 UTC hebeatsme#0 i have him added  
> 2025-02-05 16:30:20 UTC hebeatsme#0 hes on discord still  
> 2025-02-05 16:30:47 UTC .yarrb#0 hes focused on stroking zaddy elon  
> 2025-02-05 16:30:47 UTC vperked#0 https://en.wikipedia.org/wiki/Edward\_Coristine  
> 2025-02-05 16:30:50 UTC vperked#0 no fucking way  
> 2025-02-05 16:30:53 UTC vperked#0 they even made a wiki for him  
> 2025-02-05 16:30:55 UTC vperked#0 LOOOL  
> 2025-02-05 16:31:05 UTC hebeatsme#0 no way  
> 2025-02-05 16:31:08 UTC hebeatsme#0 hes not a good dev either  
> 2025-02-05 16:31:14 UTC hebeatsme#0 like????  
> 2025-02-05 16:31:22 UTC hebeatsme#0 has to be fake  
> 2025-02-05 16:31:24 UTC xewdy#0 and theyre saying ts  
> 2025-02-05 16:31:29 UTC xewdy#0 like ok bro  
> 2025-02-05 16:31:51 UTC .yarrb#0 now i wanna know what all the other devs are like…  
> 2025-02-05 16:32:00 UTC vperked#0 “\`Coristine used the moniker “bigballs” on LinkedIn and @Edwardbigballer on Twitter, according to The Daily Dot.\[“\`  
> 2025-02-05 16:32:05 UTC vperked#0 LOL  
> 2025-02-05 16:32:06 UTC hebeatsme#0 lmfaooo  
> 2025-02-05 16:32:07 UTC vperked#0 bro  
> 2025-02-05 16:32:10 UTC hebeatsme#0 bro  
> 2025-02-05 16:32:17 UTC hebeatsme#0 has to be fake right  
> 2025-02-05 16:32:22 UTC .yarrb#0 does it mention Rivage?  
> 2025-02-05 16:32:23 UTC xewdy#0 He previously worked for NeuraLink, a brain computer interface company led by Elon Musk  
> 2025-02-05 16:32:26 UTC xewdy#0 bro what  
> 2025-02-05 16:32:27 UTC alexaloo#0 I think your current occupation gives you a good insight of what probably goes on  
> 2025-02-05 16:32:29 UTC hebeatsme#0 bullshit man  
> 2025-02-05 16:32:33 UTC xewdy#0 this nigga got hella secrets  
> 2025-02-05 16:32:37 UTC hebeatsme#0 rivage couldnt print hello world  
> 2025-02-05 16:32:42 UTC hebeatsme#0 if his life was on the line  
> 2025-02-05 16:32:50 UTC xewdy#0 nigga worked for neuralink  
> 2025-02-05 16:32:54 UTC hebeatsme#0 bullshit  
> 2025-02-05 16:33:06 UTC Nashville Dispatch ##0000 ||@PD Ping||  
> 2025-02-05 16:33:07 UTC hebeatsme#0 must have killed all those test pigs with some bugs  
> 2025-02-05 16:33:24 UTC hebeatsme#0 ur telling me the rivage who failed to start a company  
> 2025-02-05 16:33:28 UTC hebeatsme#0 https://cdn.camp  
> 2025-02-05 16:33:32 UTC hebeatsme#0 who didnt pay for servers  
> 2025-02-05 16:33:34 UTC hebeatsme#0 ?  
> 2025-02-05 16:33:42 UTC hebeatsme#0 was too cheap  
> 2025-02-05 16:33:44 UTC vperked#0 yes  
> 2025-02-05 16:33:50 UTC hebeatsme#0 like??  
> 2025-02-05 16:33:53 UTC hebeatsme#0 it aint adding up  
> 2025-02-05 16:33:56 UTC alexaloo#0 He just needed to find his calling idiot.  
> 2025-02-05 16:33:58 UTC alexaloo#0 He found it.  
> 2025-02-05 16:33:59 UTC hebeatsme#0 bro  
> 2025-02-05 16:34:01 UTC alexaloo#0 Cope in a river dude  
> 2025-02-05 16:34:04 UTC hebeatsme#0 he cant make good money right  
> 2025-02-05 16:34:08 UTC hebeatsme#0 doge is about efficiency  
> 2025-02-05 16:34:11 UTC hebeatsme#0 he should make $1/he  
> 2025-02-05 16:34:15 UTC hebeatsme#0 $1/hr  
> 2025-02-05 16:34:25 UTC hebeatsme#0 and be whipped for better code  
> 2025-02-05 16:34:26 UTC vperked#0 prolly makes more than us  
> 2025-02-05 16:34:35 UTC vperked#0 with his dad too  
> 2025-02-05 16:34:52 UTC hebeatsme#0 time to report him for fraud  
> 2025-02-05 16:34:54 UTC hebeatsme#0 to donald trump  
> 2025-02-05 16:35:04 UTC hebeatsme#0 rivage participated in sim swap hacks in 2018  
> 2025-02-05 16:35:08 UTC hebeatsme#0 put that on his wiki  
> 2025-02-05 16:35:10 UTC hebeatsme#0 thanks  
> 2025-02-05 16:35:15 UTC hebeatsme#0 and in 2021  
> 2025-02-05 16:35:17 UTC hebeatsme#0 thanks  
> 2025-02-05 16:35:19 UTC chainofcommand#0 i dont think they’ll care tbh

Given the speed with which Musk’s DOGE team was allowed access to such critical government databases, it strains credulity that Coristine could have been properly cleared beforehand. After all, he’d recently been dismissed from a job _for allegedly leaking internal company information to outsiders_.

According to the national security adjudication guidelines (PDF) released by the **Director of National Intelligence** (DNI), eligibility determinations take into account a person’s stability, trustworthiness, reliability, discretion, character, honesty, judgement, and ability to protect classified information.

The DNI policy further states that “eligibility for covered individuals shall be granted only when facts and circumstances indicate that eligibility is clearly consistent with the national security interests of the United States, and any doubt shall be resolved in favor of national security.”

On Thursday, 25-year-old DOGE staff member **Marko Elez** resigned after being linked to a deleted social media account that advocated racism and eugenics. Elez resigned after _The Wall Street Journal_ asked the White House about his connection to the account.

“Just for the record, I was racist before it was cool,” the account posted in July. “You could not pay me to marry outside of my ethnicity,” the account wrote on X in September. “Normalize Indian hate,” the account wrote the same month, in reference to a post noting the prevalence of people from India in Silicon Valley.

Elez’s resignation came a day after the Department of Justice agreed to limit the number of DOGE employees who have access to federal payment systems. The DOJ said access would be limited to two people, Elez and **Tom Krause**, the CEO of a company called Cloud Software Group.

Earlier today, Musk said he planned to rehire Elez after **President Trump** and **Vice President JD Vance** reportedly endorsed the idea. Speaking at The White House today, Trump said he wasn’t concerned about the security of personal information and other data accessed by DOGE, adding that he was “very proud of the job that this group of young people” are doing.

A White House official told _Reuters_ on Wednesday that Musk and his engineers have appropriate security clearances and are operating in “full compliance with federal law, appropriate security clearances, and as employees of the relevant agencies, not as outside advisors or entities.”

_NPR_ reports Trump added that his administration’s cost-cutting efforts would soon turn to the Education Department and the Pentagon, “where he suggested without evidence that there could be ‘trillions’ of dollars in wasted spending within the $6.75 trillion the federal government spent in fiscal year 2024.”

GOP leaders in the Republican-controlled House and Senate have largely shrugged about Musk’s ongoing efforts to seize control over federal databases, dismantle agencies mandated by Congress, freeze federal spending on a range of already-appropriated government programs, and threaten workers with layoffs.

Meanwhile, multiple parties have sued to stop DOGE’s activities. ABC News says a federal judge was to rule today on whether DOGE should be blocked from accessing Department of Labor records, following a lawsuit alleging Musk’s team sought to illegally access highly sensitive data, including medical information, from the federal government.

At least 13 state attorney general say they plan to file a lawsuit to stop DOGE from accessing federal payment systems containing Americans’ sensitive personal information, reports _The Associated Press_.

Reuters reported Thursday that the U.S. Treasury Department had agreed not to give Musk’s team access to its payment systems while a judge is hearing arguments in a lawsuit by employee unions and retirees alleging Musk illegally searched those records.

_Ars Technica_ writes that The Department of Education (DoE) was sued Friday by a California student association demanding an “immediate stop” to DOGE’s “unlawfully” digging through student loan data to potentially dismantle the DoE.

Teen on Musk’s DOGE Team Graduated from ‘The Com’

Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

A young technologist known online as “Big Balls,” who works for Elon Musk's so-called Department of Government Efficiency (DOGE), has access to sensitive US government systems. But his professional and online history call into question whether he would pass the background check typically required to obtain security clearances, security experts tell WIRED.

Edward Coristine, a 19-year-old high school graduate, established at least five different companies in the last four years, with entities registered in Connecticut, Delaware, and the United Kingdom, most of which were not listed on his now-deleted LinkedIn profile. Coristine also briefly worked in 2022 at Path Network, a network monitoring firm known for hiring reformed blackhat hackers. Someone using a Telegram handle tied to Coristine also solicited a cyberattack-for-hire service later that year.

Coristine did not respond to multiple requests for comment.

One of the companies Coristine founded, Tesla.Sexy LLC, was set up in 2021, when he would have been around 16 years old. Coristine is listed as the founder and CEO of the company, according to business records reviewed by WIRED.

Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.

"Foreign connections, whether it's foreign contacts with friends or domain names registered in foreign countries, would be flagged by any agency during the security investigation process," Joseph Shelzi, a former US Army intelligence officer who held security clearance for a decade and managed the security clearance of other units under his command, tells WIRED.

A longtime former US intelligence analyst, who requested anonymity to speak on sensitive topics, agrees. “There's little chance that he could have passed a background check for privileged access to government systems,” they allege.

Another domain under Coristine’s control is faster.pw. The website is currently inactive, but an archived version from October 25, 2022 shows content in Chinese that stated the service helped provide “multiple encrypted cross-border networks.”

Prior to joining DOGE, Coristine worked for several months of 2024 at Elon Musk’s Neuralink brain implant startup, and, as WIRED previously reported, is now listed in Office of Personnel Management records as an “expert” at that agency, which oversees personnel matters for the federal government. Employees of the General Services Administration say he also joined calls where they were made to justify their jobs and to review code they’ve written.

Other elements of Coristine’s personal record reviewed by WIRED, government security experts say, would also raise questions about obtaining security clearances necessary to access privileged government data. These same experts further wonder about the vetting process for DOGE staff—and, given Coristine’s history, whether he underwent any such background check.

The White House did not immediately respond to questions about what level of clearance, if any, Corisitine has and, if so, how it was granted.

At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.

“If I was doing the background investigation on him, I would probably have recommended against hiring him for the work he’s doing,” says EJ Hilbert, a former FBI agent who also briefly served as the CEO of Path Network prior to Coristine’s employment there. “I’m not opposed to the idea of cleaning up the government. But I am questioning the people that are doing it.”

**Got a tip?**

_Are you a current or former US government employee? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at Andy.01 (Andy Greenberg), DavidGilbert.01 (David Gilbert), or +1 (347) 722-1347 (Lily Hay Newman)._

Potential concerns about Coristine extend beyond his work history. Archived Telegram messages shared with WIRED show that, in November 2022, a person using the handle “JoeyCrafter” posted to a Telegram channel focused on so-called distributed denial of service (DDoS) cyberattacks that bombard victim sites with junk traffic to knock them offline. In his messages, JoeyCrafter—which records from Discord, Telegram, and the networking protocol BGP indicate was a handle used by Coristine—writes that he’s “looking for a capable, powerful and reliable L7” that accepts bitcoin payments. That line, in the context of a DDoS-for-hire Telegram channel, suggests he was looking for someone who could carry out a layer-7 attack, a certain form of DDoS. A DDoS-for-hire service with the name Dstat.cc was seized in a multinational law enforcement operation last year.

The JoeyCrafter Telegram account had previously used the name “Rivage,” a name linked to Coristine on Discord and at Path, according to Path internal communications shared with WIRED. Both the Rivage Discord and Telegram accounts at times promoted Coristine’s DiamondCDN startup. It’s not clear whether the JoeyCrafter message was followed by an actual DDoS attack. (In the internal messages among Path staff, a question is asked about Rivage, at which point an individual clarifies they are speaking about “Edward.”)

"It does depend on which government agency is sponsoring your security clearance request, but everything that you've just mentioned would absolutely raise red flags during the investigative process," says Shelzi, the former US Army intelligence officer. He adds that a secret security clearance could be completed in as little as 50 days, while a top-secret security clearance could take anywhere from 90 days to a year to complete.

Coristine’s online history, including a LinkedIn account where he calls himself Big Balls, has disappeared recently. He also previously used an account on X with the username @edwardbigballer. The account had a bio that read: “Technology. Arsenal. Golden State Warriors. Space Travel.”

Prior to using the @edwardbigballer username, Coristine was linked to an account featuring the screen name “Steven French” featuring a picture of what appears to be Humpty Dumpty smoking a cigar. In multiple posts from 2020 and 2021, the account can be seen responding to posts from Musk. Coristine’s X account is currently set to private.

Davi Ottenheimer, a longtime security operations and compliance manager, says many factors about Coristine’s employment history and online footprint could raise questions about his ability to obtain security clearance.

“Limited real work experience is a risk,” says Ottenheimer, as an example. “Plus his handle is literally Big Balls.”

Tag

#ddos