
Brazilian DDoS Mitigation Firm's Infrastructure Hijacked in Widespread ISP Attacks

Last updated: 2026-05-02 19:41:54

Security researchers uncover exposed archive revealing Huge Networks CEO's SSH keys and botnet code.

A Brazilian cybersecurity firm specializing in DDoS protection has been unwittingly powering a massive botnet campaign that bombarded local internet service providers for years. The company's CEO now claims the malicious activity stemmed from a security breach, potentially orchestrated by a competitor.

Source: krebsonsecurity.com

The revelation came when an anonymous source shared a file archive found in an open directory online. The archive contained Portuguese-language malware and the private SSH authentication keys belonging to Huge Networks' CEO.

“This was clearly an intrusion by someone trying to destroy our reputation,” said the CEO of Huge Networks, who spoke on condition of anonymity due to ongoing investigations. “We immediately rotated all credentials and hardened our perimeter.”

Background: The Long Shadow of Brazilian DDoS Attacks

For several years, security experts tracked a series of powerful DDoS attacks exclusively targeting Brazilian ISPs. The attacks used DNS amplification techniques, exploiting misconfigured DNS servers to multiply traffic by up to 70 times.

Huge Networks, founded in 2014 and based in Miami but operating primarily in Brazil, started as a game server protection service and later pivoted to ISP-focused DDoS mitigation. It had no prior history of abuse or public complaints.

“This case is a stark reminder that even defenders can become unwitting accomplices,” said Renata L., a security analyst at a Brazilian threat intelligence firm. “The attacker built a botnet by mass-scanning for vulnerable routers and open DNS resolvers, then used Huge Networks' own infrastructure to launch the attacks.”

How the Botnet Worked

The archive revealed a Python-based toolkit that automatically scanned the internet for insecure home routers and unmanaged DNS servers. Once compromised, these devices were enlisted as part of a botnet that could be instructed to send spoofed DNS queries.

DNS reflection attacks rely on servers that respond to queries from any source. Attackers forge the source IP address to make it look like the request came from the victim, so the server's large response floods the target's network.

By using the DNS protocol's extension for large messages, the botmaster achieved massive amplification—a single 100-byte request could trigger a 7,000-byte response. When combined with thousands of compromised devices, the resulting traffic overwhelmed even robust ISP defenses.
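The amplification described above as seen from a resolver operator's side, in an added example that is not from the original article or the archive it describes: it totals query and response bytes per client from a resolver log and flags sources whose responses dwarf their queries, which on an open resolver usually means the source address is a spoofed victim. The log format, sample lines, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (documentation IP ranges).
# Assumed format per line: client_ip query_bytes response_bytes
SAMPLE_LOG = """\
198.51.100.7 100 7000
198.51.100.7 100 6900
198.51.100.7 100 7000
198.51.100.7 98 5200
192.0.2.10 60 92
192.0.2.10 60 104
192.0.2.10 62 94
192.0.2.10 61 130
203.0.113.5 100 7000
this line is malformed and is skipped
"""

def parse(log_text):
    """Yield (client, query_bytes, response_bytes) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # wrong field count: ignore
        try:
            yield parts[0], int(parts[1]), int(parts[2])
        except ValueError:
            continue  # non-numeric byte counts: ignore

def flag_reflection_targets(log_text, min_queries=3, min_factor=10.0):
    """Return {client_ip: amplification_factor} for sources that look spoofed.

    A source is flagged when it has sent at least min_queries queries and the
    resolver returned at least min_factor times as many bytes as it received.
    """
    stats = defaultdict(lambda: [0, 0, 0])  # [queries, query bytes, response bytes]
    for client, qbytes, rbytes in parse(log_text):
        entry = stats[client]
        entry[0] += 1
        entry[1] += qbytes
        entry[2] += rbytes
    flagged = {}
    for client, (count, qbytes, rbytes) in stats.items():
        if count >= min_queries and qbytes > 0 and rbytes / qbytes >= min_factor:
            flagged[client] = round(rbytes / qbytes, 1)
    return flagged

if __name__ == "__main__":
    for ip, factor in flag_reflection_targets(SAMPLE_LOG).items():
        print(f"{ip}: responses are {factor}x the query bytes")
```

Flagged addresses are candidates for response rate limiting on the resolver, and the resolver itself should be restricted to answering its own clients.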

What This Means: Trust Breach in Mitigation Industry

The incident raises serious questions about the security of DDoS mitigation providers themselves. If a company's infrastructure can be co-opted to amplify attacks, clients may reconsider their reliance on such services.

“This could have a chilling effect on the entire Brazilian ISP ecosystem,” warned security consultant Carlos M. “ISPs will now scrutinize their mitigation partners more closely, demanding transparency and regular security audits.”

Moreover, the use of the CEO's private SSH keys suggests a targeted attack—possibly by a competitor seeking to tarnish Huge Networks' reputation. The company has not reported any breach publicly before, and it remains unclear how long the attackers had access.

As investigations continue, the security community emphasizes the need for stronger credential hygiene and network segmentation. “No DDoS protection firm is immune to being weaponized if its own systems are not hardened,” added Renata L. “This is a wake-up call for the entire industry.”