
In the high-stakes world of cybersecurity, the line between the defender and the aggressor is often defined by intent. However, a startling discovery has blurred that boundary for a prominent Brazilian technology firm. KrebsOnSecurity has uncovered evidence that Huge Networks—a company specializing in protecting internet infrastructure from distributed denial-of-service (DDoS) attacks—has been inadvertently, or perhaps maliciously, serving as a command-and-control hub for a massive botnet that has been systematically targeting Brazilian internet service providers (ISPs).
The revelation centers on an exposed file archive discovered online, which contains not only the tools required to launch devastating digital sieges but also the private SSH authentication keys belonging to the firm’s own CEO, Erick Nascimento. While Nascimento vehemently denies any personal or corporate involvement, attributing the activity to a sophisticated security breach by a rival, the evidence paints a troubling picture of a firm whose digital footprint was used to fuel the very chaos it claims to mitigate.
The Anatomy of an Exposed Archive
For years, security researchers have observed a pattern of aggressive DDoS campaigns concentrated within Brazil, with small-to-medium regional ISPs bearing the brunt of the traffic. These attacks, characterized by their high volume and persistence, remained shrouded in mystery until the recent discovery of an unprotected online directory.
The archive, which has since been analyzed by experts, contains a collection of Python-based malicious scripts designed for large-scale network disruption. More damning, however, was the inclusion of private SSH keys linked directly to Huge Networks’ leadership. These keys provided the "skeleton key" access necessary to navigate the firm’s internal infrastructure.
The scripts within the archive reveal a calculated strategy: the systematic scanning of the internet to identify vulnerable hardware. Specifically, the botnet was configured to target TP-Link Archer AX21 routers that had not been patched against CVE-2023-1389, a critical command injection vulnerability. Once compromised, these routers were conscripted into a "reflection and amplification" botnet, a technique that leverages the Domain Name System (DNS) to multiply the volume of traffic directed at a target many times over.
Technical Mechanics: The Amplification Strategy
To understand the severity of these attacks, one must look at the mechanics of DNS reflection. In a standard setup, a recursive DNS server is intended to answer queries only for its own clients. However, misconfigured servers across the web—often referred to as "open resolvers"—will answer queries from any source.
By spoofing the source IP address of a target, attackers send a barrage of small, seemingly innocuous DNS requests to thousands of open resolvers simultaneously. These servers, tricked into believing the target requested the data, send their responses to the victim, and those responses are significantly larger than the queries. Because the attackers choose queries whose answers are far larger than the request, they can achieve amplification factors of 60 to 70 times the size of the initial request. When this is executed across a botnet of tens of thousands of hijacked TP-Link routers, the resulting flood of traffic is more than enough to overwhelm even the most robust ISP infrastructure.
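From the defender's side, the same asymmetry that makes reflection attractive also makes it visible: a resolver operator or an ISP looking at flow data sees many large DNS responses, often to ANY or TXT queries, all heading toward one apparent "querier" that never asked for them. The script below is an added example, not code from the article or from Huge Networks, that triages constructed flow records (src, resolver, query type, request bytes, response bytes) and reports addresses receiving repeated high-amplification responses. The record format, the 20x ratio threshold and the three-flow minimum are assumptions for the example; on real data you would tune them against your own baseline.

```python
"""Flag DNS flows that look like reflection/amplification traffic.

Added example (not from the article). The input is a handful of
constructed flow records, one per request/response pair, in a shape
similar to what a NetFlow/IPFIX exporter or a resolver query log gives.
"""
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them to your baseline.
AMP_RATIO_THRESHOLD = 20.0     # response bytes / request bytes
MIN_FLOWS_PER_VICTIM = 3       # repeated large responses toward one address


@dataclass
class DnsFlow:
    src_ip: str          # apparent querier; the victim when spoofed
    resolver_ip: str     # resolver that answered
    qtype: str           # query type (ANY/TXT answers tend to be large)
    req_bytes: int
    resp_bytes: int

    @property
    def amplification(self) -> float:
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_flow_line(line: str) -> DnsFlow:
    # Constructed format: "src resolver qtype req_bytes resp_bytes"
    src, resolver, qtype, req, resp = line.split()
    return DnsFlow(src, resolver, qtype, int(req), int(resp))


def amplification_report(lines):
    """Group high-ratio flows by apparent querier and report addresses that
    receive repeated large responses: the signature of a reflected flood
    where the 'querier' address was spoofed by the attacker."""
    by_victim = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow_line(line)
        if flow.amplification >= AMP_RATIO_THRESHOLD:
            by_victim.setdefault(flow.src_ip, []).append(flow)

    report = {}
    for victim, flows in by_victim.items():
        if len(flows) < MIN_FLOWS_PER_VICTIM:
            continue
        total_req = sum(f.req_bytes for f in flows)
        total_resp = sum(f.resp_bytes for f in flows)
        report[victim] = {
            "resolvers": sorted({f.resolver_ip for f in flows}),
            "qtypes": sorted({f.qtype for f in flows}),
            "amplification": round(total_resp / total_req, 1),
            "response_bytes": total_resp,
        }
    return report


# Constructed sample data using documentation address ranges.
SAMPLE_FLOWS = """
# src resolver qtype req_bytes resp_bytes
203.0.113.10 198.51.100.5 A 64 120
203.0.113.10 198.51.100.5 ANY 64 3850
203.0.113.10 198.51.100.6 ANY 64 4100
203.0.113.10 198.51.100.7 TXT 60 3900
203.0.113.10 198.51.100.8 ANY 64 3700
192.0.2.44 198.51.100.5 AAAA 70 140
192.0.2.44 198.51.100.9 ANY 64 3950
"""

if __name__ == "__main__":
    for victim, info in amplification_report(SAMPLE_FLOWS.splitlines()).items():
        print(victim, info)
```

In the sample, 203.0.113.10 is reported with an aggregate amplification of roughly 62x across four resolvers, while 192.0.2.44 has a single large response and stays below the reporting floor. In practice the victim list is what you hand to upstream providers for filtering, and the resolver list is what you hand to their operators so recursion can be restricted to their own clients.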
Chronology of the Compromise
The timeline of this incident suggests a long-term infiltration that went largely unnoticed by those responsible for the infrastructure.
- January 2026: DigitalOcean flags a "droplet" (virtual server) associated with Huge Networks for suspicious activity. The alert specifically notes that a leaked SSH key has been used to access the server.
- January 11, 2026: CEO Erick Nascimento receives the notification while traveling. Upon his return, he reportedly orders the destruction of the compromised droplet and the rotation of all internal keys.
- Late 2026 – Early 2027: Despite the internal cleanup, evidence suggests that the attackers maintained a foothold, utilizing the firm’s network prefixes to coordinate and execute subsequent DDoS campaigns.
- Present Day: Following an inquiry by security researchers, Huge Networks admits that its systems were the staging ground for the attacks, though they maintain that the breach was an external act of sabotage.
The "Mirai" Connection and Institutional Denial
The software identified in the leaked archive bears a striking resemblance to Mirai, the notorious malware that effectively "weaponized" the Internet of Things (IoT) in 2016. Mirai’s legacy is one of record-breaking traffic spikes, and it has become the gold standard for botnet operators. The scripts found in the Huge Networks archive linked to domains such as hikylover.st and c.loyaltyservices.lol—entities previously identified as command-and-control servers for Mirai-variant botnets.

When confronted with this evidence, Erick Nascimento expressed shock. "We received and notified many Tier 1 upstreams regarding very large DDoS attacks against small ISPs," Nascimento stated in an interview. "We didn’t dig deep enough at the time, and what you sent makes that clear."
Nascimento maintains that the firm is the victim of a sophisticated smear campaign. He argues that a competitor, seeking to undermine Huge Networks’ reputation ahead of a major industry event, successfully pivoted through a legacy bastion server to plant evidence and launch the attacks using his credentials.
"Our working assessment so far is that this all started with a single internal compromise—one pivot point that gave the attacker downstream access to some resources," Nascimento explained. He further asserted that he possesses "strong evidence stored on the blockchain" that will eventually clear his company’s name, though he refused to disclose the details, claiming that doing so would ruin the "surprise factor" against his rival.
Implications for the Cybersecurity Industry
The situation involving Huge Networks highlights a growing trend in the cybersecurity landscape: the "weaponization of the defender." In an industry where trust is the primary currency, the ability of an attacker to pivot from a minor misconfiguration—like a single leaked SSH key—to the total control of a security firm’s infrastructure is a chilling reminder of the fragility of network defenses.
The Problem of "DDoS-for-Hire"
The professionalization of DDoS attacks has reached a point where the tools required to dismantle an ISP are readily available to anyone with a basic understanding of Python and a list of unpatched IoT devices. When a company that provides mitigation services is used to launch these attacks, it complicates the efforts of law enforcement to distinguish between legitimate security research, incident response, and outright cybercrime.
The Burden of Responsibility
For ISPs, the incident serves as a wake-up call regarding the security of their upstream providers. If a vendor tasked with protection can be turned into a vector of attack, the vetting process for security partners must become significantly more rigorous.
Furthermore, the incident underscores the persistent danger of unmanaged IoT devices. Millions of routers, cameras, and smart appliances remain connected to the internet with known, unpatched vulnerabilities. As long as these devices are left in the wild, they will continue to provide the raw material for botnets, regardless of whether the "botmaster" is a criminal syndicate, a rogue actor, or a compromised security firm.
Conclusion: A Question of Credibility
Whether Huge Networks is truly a victim of a targeted, malicious framing campaign or a negligent provider that allowed its tools to be co-opted remains a point of contention. The evidence, however, is clear: the infrastructure of a company meant to serve as a shield was instead used as a sword.
As the investigation continues, the industry will be watching to see if Nascimento’s "blockchain-backed evidence" ever surfaces. Until then, the case stands as a cautionary tale: in the digital age, your greatest vulnerability is often the infrastructure you trust to keep you safe. The shadow cast by these events will likely persist, reminding both providers and clients that in the business of cybersecurity, the only thing more dangerous than a direct attack is a breach that happens from within.
