DDoS Protection Firm Huge Networks Used as Launchpad for Attacks on Brazilian ISPs

A Brazilian cybersecurity firm that markets itself as a bulwark against distributed denial-of-service (DDoS) attacks has been implicated in a years-long campaign of massive DDoS assaults targeting other network operators in Brazil, according to documents obtained by this publication.

The company, Huge Networks, which specializes in DDoS mitigation for ISPs, saw its own infrastructure hijacked to power a botnet that pummeled Brazilian networks with traffic, the firm's CEO acknowledged in an interview. The executive blamed the incident on a security breach, suggesting a rival may have orchestrated the attacks to smear the company's reputation.

Breach Exposes CEO's Private Keys

On July 12, 2025, a confidential source shared a file archive that had been left exposed in an open directory online. The archive contained Python-based malware written in Portuguese, along with private SSH authentication keys belonging to Huge Networks CEO, Ronaldo Soares.

Soares confirmed to this reporter that the keys were genuine and had been used to access company servers. “Someone broke into our systems and used our resources to launch these attacks. We believe a competitor is behind this to damage our brand,” he said.

The archive also included logs showing that a threat actor known as "Orbit" had maintained root access to Huge Networks' infrastructure for months. The actor repeatedly scanned the internet for misconfigured routers and open DNS resolvers, building a powerful botnet capable of launching amplified DDoS attacks.

Background: DNS Amplification Attacks

DDoS attacks overwhelm a target's network with junk traffic, making services unavailable. One common method is DNS amplification, where attackers send spoofed queries to open DNS resolvers that respond with large amounts of data directed at the victim.

By exploiting the DNS protocol's extension mechanisms, an attacker can send a small query—say, 60 bytes—and trigger a response 70 times larger. When thousands of vulnerable DNS servers are used simultaneously, the combined traffic can exceed 100 Gbps, enough to knock most ISPs offline.

Brazil has been a hotspot for such attacks, with security firms tracking a series of sieges on local ISPs since 2022. Until now, the source remained unclear.

What This Means

The revelation that a DDoS mitigation provider was itself compromised undermines trust in an industry built on protecting networks. If attackers can weaponize a security firm's own infrastructure, the line between protector and attacker blurs.

For Brazilian ISPs, this means continued vulnerability. Even companies paying for protection may become unwitting collateral. Soares insists the breach has been closed, but the fact that a rival could so easily turn a defense system into an offensive one is a stark warning.

Cybersecurity experts urge organizations to verify that their DDoS mitigation partners follow strict access controls and audit logs. “This case shows that even the defenders need defending,” said independent security researcher Carlos Menezes.

The public archive has been taken down, but the investigation continues. Whether the attacker is a competitor or a state-sponsored actor remains unknown. One thing is clear: Huge Networks' reputation has taken a severe hit, and the full impact on its clients is yet to be assessed.