
CyberSecurity

How to Recover From a Cyber-Attack: A Step-by-Step Playbook for Organizational Resilience

No organization is completely immune to cyber threats. Even the most advanced defenses can fail. Therefore, building a robust cyber-attack recovery plan is no longer optional—it is essential for long-term survival. This article outlines a practical, six-stage recovery flow that can help your organization bounce back quickly and effectively after a cybersecurity breach.

Why Many Organizations Struggle with Cyber-Attack Recovery

Recovering from a cyber-attack is often chaotic and stressful. Many companies lack clear procedures, leading to delayed responses and increased damage. Common pitfalls include poor communication, insufficient backups, and a lack of defined roles. As a result, recovery times stretch from days to weeks, costing millions in lost revenue and reputational harm.

Building on this, organizations that treat recovery as an afterthought often face regulatory fines and legal consequences. A proactive approach to cyber-attack recovery is critical to minimize these risks.

The Six-Stage Recovery Planning Flow

Thibault Williams from TMW Resilience shares a structured framework that any organization can adapt. This flow moves from initial detection to full restoration, ensuring no step is overlooked.

Stage 1: Detection and Assessment

The moment a breach is suspected, rapid detection is key. This involves identifying the attack vector, affected systems, and the scope of data compromise. Use automated monitoring tools and a dedicated incident response team to speed up this process.

Stage 2: Containment

Once identified, immediately isolate compromised systems to prevent lateral movement. Disconnect affected servers, revoke compromised credentials, and block malicious IPs. Quick containment reduces the blast radius and limits data loss.

Stage 3: Eradication

Remove the threat from your environment. This includes deleting malware, patching vulnerabilities, and closing backdoors. A thorough eradication step prevents re-infection and ensures the attacker cannot regain access.

Stage 4: Recovery

Restore systems from clean backups, verify data integrity, and bring services back online gradually. Prioritize critical business functions first. Test each restored component before full deployment to avoid introducing new issues.

Stage 5: Post-Incident Analysis

After recovery, conduct a detailed review. What went wrong? What worked well? Document lessons learned and update your incident response plan accordingly. This step strengthens future defenses and improves cyber-attack recovery speed.

Stage 6: Communication and Reporting

Inform stakeholders, customers, and regulators as required by law. Transparent communication builds trust and demonstrates accountability. Prepare a clear narrative about the incident, the response, and the steps taken to prevent recurrence.

Real-Life Examples of Successful Recovery

Several organizations have turned cyber crises into opportunities for improvement. For instance, a global logistics firm faced a ransomware attack that shut down its shipping systems. By following a structured recovery flow, they restored operations within 48 hours, maintaining customer confidence. Another example is a healthcare provider that detected a breach early, contained it rapidly, and used post-incident analysis to overhaul its security architecture. These cases highlight the value of preparation and a disciplined recovery process.

On the other hand, companies that neglect planning often suffer prolonged outages and permanent reputational damage. This underscores why incident response planning must be a boardroom priority.

How to Assess Your Current Recovery Readiness

Not sure where your organization stands? Start by evaluating your existing procedures against the six-stage flow. Identify gaps in detection, containment, or communication. Conduct tabletop exercises to test your team’s response under pressure. Finally, invest in cyber resilience strategy training for all employees, from IT staff to executives.

In addition, consider partnering with external experts like TMW Resilience for tailored guidance. Their practical sessions provide actionable insights that can transform your recovery capabilities.

Conclusion: Make Recovery a Core Pillar

Cyber-attack recovery is not a one-time project—it is an ongoing commitment. By adopting a structured playbook, you reduce downtime, protect your brand, and build long-term resilience. Start today by reviewing your current plan and taking the first step toward a more secure future.

European police email 75,000 people asking them to stop DDoS attacks

More than 75,000 individuals have received a stern warning from European law enforcement, urging them to stop using DDoS-for-hire services that enable even unskilled criminals to knock websites offline. This unprecedented mass communication is part of a coordinated global effort to dismantle the infrastructure behind distributed denial-of-service attacks.

On Thursday, Europol announced the results of Operation PowerOFF, a sweeping action targeting several platforms that sell attack capacity to anyone willing to pay. The operation sent emails and physical letters to suspected users, effectively putting them on notice that their activities are being tracked.

How Europol identified 75,000 DDoS-for-hire users

Law enforcement agencies obtained user data by seizing servers belonging to these illicit services. By raiding and taking control of the infrastructure, police could identify registered customers who had paid for attacks. This intelligence allowed them to send targeted warnings to all 75,000 individuals.

In addition to the mass notification, the operation led to four arrests, the takedown of 53 domain names, and the execution of 24 search warrants across multiple countries. These actions send a clear message: using DDoS-for-hire services is no longer anonymous.

Why DDoS-for-hire services remain a major threat

Distributed denial-of-service attacks are surprisingly common because they are easy to execute through for-hire platforms. Customers do not need technical skills or their own infrastructure; they simply pay a fee to overwhelm a target with traffic. Last year, Cloudflare mitigated what it described as the largest DDoS attack ever recorded, peaking at 29.7 terabits per second.

However, law enforcement is fighting back. The FBI has conducted several previous operations against such services, and Europol’s latest move shows that international cooperation is intensifying. The goal is to disrupt the entire ecosystem that makes DDoS attacks accessible to non-technical criminals.

What happens to those who received the warning

Recipients of the Europol email or letter are being told to cease their illegal activities immediately. While the initial contact is a warning, authorities have made it clear that further violations could lead to prosecution. This approach aims to deter future attacks by making users aware that they are under surveillance.

Europol has not disclosed whether the warning recipients will face charges, but the data collected from the seized servers could be used as evidence in future cases. For now, the operation serves as both a deterrent and a public demonstration of law enforcement capability.

Broader implications for cybersecurity

This operation highlights a growing trend: police are becoming more proactive in targeting the demand side of cybercrime. By going after users rather than just operators, they hope to shrink the market for DDoS-for-hire services.

As DDoS attacks continue to evolve, collaboration between agencies like Europol, the FBI, and national police forces is essential. The success of Operation PowerOFF may encourage similar actions against other types of cybercrime-as-a-service platforms.

Ultimately, the message is clear: paying for a DDoS attack is not a victimless crime, and authorities are watching.

Sweden blames Russian hackers for attempted ‘destructive’ cyberattack on thermal power plant

Swedish authorities have accused Russian state-linked hackers of trying to launch a destructive cyberattack against a thermal power plant in early 2025. The attack ultimately failed, but officials warn that hybrid warfare tactics — blending digital intrusions with physical threats — are becoming more aggressive across Europe.

Carl-Oskar Bohlin, Sweden’s minister of civil defense, revealed the incident during a press conference on Wednesday. He attributed the attempted breach to hackers with ties to Russian intelligence and security services. While the plant was not named, Bohlin confirmed that the attack was thwarted by a built-in protection mechanism.

“Pro-Russian groups that once carried out denial-of-service attacks are now attempting destructive cyber attacks against organizations in Europe,” Bohlin said, as quoted by Bloomberg.

This case underscores a worrying shift: hackers no longer aim merely to disrupt websites or steal data. Instead, they are targeting critical infrastructure — energy grids, water systems, and industrial controls — with the goal of causing real-world damage.

How the Swedish thermal plant attack unfolded

According to Bohlin, the attempted intrusion occurred in early 2025. The hackers tried to compromise operational technology systems at the thermal plant, which generates heat and electricity for local communities. Fortunately, the plant’s safety systems blocked the attack before any physical damage or service disruption occurred.

Bohlin described the behavior as “riskier and more reckless” than previous cyber operations linked to Russia. He did not provide technical details, but cybersecurity experts note that targeting industrial control systems requires significant skill and preparation — and carries a high risk of unintended consequences.

“This is not a random script-kiddie operation,” said a senior European cybersecurity official who spoke on condition of anonymity. “These are state-backed actors with clear intent to cause harm.”

The Swedish government has not released evidence publicly, but the attribution aligns with patterns observed by intelligence agencies across NATO countries.

Rising wave of Russian-linked attacks on critical infrastructure

The Swedish incident fits a broader pattern of Russian-linked cyberattacks against energy and water infrastructure. In December 2024, Russia was accused of attempting to destabilize parts of Poland’s power grid. Earlier that year, hackers briefly hijacked a dam in Norway, opening floodgates that released millions of gallons of water before the intruders were expelled from the system.

In Ukraine, the impact has been even more direct. A cyberattack on a municipal energy company in Lviv in January 2024 left hundreds of apartments without heat for two days during freezing temperatures. Researchers found evidence pointing to Russian hackers, though attribution could not be fully confirmed.

These attacks echo the 2015 power grid blackout in Ukraine, which was widely attributed to Russian state-sponsored hackers. That incident cut electricity to hundreds of thousands of people and remains a benchmark for cyber-physical threats.

Hybrid warfare: blending digital and physical threats

Sweden’s civil defense minister emphasized that hybrid attacks — those that extend beyond cyberspace and into the physical world — are becoming more dangerous. The line between cyber espionage and sabotage is blurring, forcing governments to rethink their defense strategies.

“This is not just about data breaches anymore,” Bohlin said. “It is about protecting the systems that keep our society running.”

European nations are now investing heavily in cyber resilience for critical infrastructure. Sweden, for example, has strengthened its cyber defense capabilities and is working closely with NATO allies to share threat intelligence.

Russia’s response and international reaction

A spokesperson for the Russian government did not respond to requests for comment from TechCrunch. Moscow has consistently denied involvement in cyberattacks against Western targets, despite extensive evidence from intelligence agencies and cybersecurity firms.

Nevertheless, the Swedish attribution is likely to increase diplomatic pressure on Russia. The European Union has already imposed sanctions on individuals and entities linked to cyber operations against member states. Further sanctions could target Russian intelligence units responsible for industrial control system attacks.

In the meantime, cybersecurity experts urge critical infrastructure operators to implement robust segmentation, network monitoring, and offline safety mechanisms — the kind of protection that saved Sweden’s thermal plant.

What this means for the future of European security

The attempted attack on Sweden’s thermal plant is a stark reminder that no country is immune. As hybrid warfare tactics evolve, the risk of a successful destructive cyberattack on critical infrastructure remains high.

Governments must move beyond traditional cybersecurity and adopt a whole-of-society approach. This includes public-private partnerships, regular penetration testing, and public awareness campaigns. Protecting critical infrastructure is no longer just an IT issue — it is a national security priority.

“We are seeing a new era of conflict,” Bohlin warned. “One where a hacker in a basement can cause a power outage, a flood, or worse. We must be prepared.”

For now, Sweden’s thermal plant remains operational. But the question lingers: what happens next time the protection mechanism fails?

Critical Ninja Forms Vulnerability Puts Thousands of WordPress Sites at Risk

A severe security flaw has been discovered in the Ninja Forms – File Upload Plugin, a popular tool used by millions of WordPress websites. This Ninja Forms vulnerability allows unauthenticated attackers to upload arbitrary files, potentially leading to full site compromise. Security experts are urging administrators to apply the latest patch immediately.

According to researchers at Wordfence, the vulnerability carries a CVSS score of 9.8, marking it as critical. The issue affects all versions of the plugin up to 3.3.26, leaving a vast number of sites exposed to remote code execution (RCE). Attackers can exploit this flaw without needing any authentication, making it a prime target for malicious actors.

How the Ninja Forms Vulnerability Works

The root cause of this WordPress file upload vulnerability lies in insufficient validation during the file upload process. While the plugin includes some checks, they fail to properly verify file types and extensions. This oversight allows attackers to bypass restrictions and upload files with dangerous extensions, such as .php.

Building on this, attackers can manipulate filenames to sidestep existing safeguards. They can also use path traversal techniques to place malicious files in sensitive directories. Once uploaded, these files can execute arbitrary code on the server, often deploying webshells that grant persistent access.
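To make the failure mode above concrete, the following PHP is an added illustration and not code from Ninja Forms, Wordfence or the researcher; it contrasts a denylist check on the client-supplied filename with an allowlist validator that discards the client name entirely. The function names, the `$detectedMime` parameter and the sample inputs are constructed for the example.

```php
<?php
// Added illustration, not code from Ninja Forms or Wordfence. It contrasts a
// denylist check of the kind the article describes with an allowlist-based
// validator. All function names and the sample inputs below are constructed.

// WEAK: a denylist applied to the last extension of the raw client filename.
// It trusts attacker-controlled input (the name), misses case variants and any
// extension not on its list, and says nothing about where the file will land.
function weak_is_allowed(string $clientName): bool {
    $ext = pathinfo($clientName, PATHINFO_EXTENSION);
    return !in_array($ext, ['php', 'phtml'], true);
}

// HARDENED: decide by allowlist, discard every part of the client name except
// a validated extension, require the detected MIME type to match it, and emit a
// server-generated filename. $detectedMime is what finfo reports for the bytes
// on disk; it is passed in here so the function stays free of filesystem I/O.
function hardened_stored_name(string $clientName, string $detectedMime): ?string {
    $allowed = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];
    // Drop directory components (either separator style) before inspecting.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $detectedMime) {
        return null; // not in the allowlist, or the content does not match
    }
    // A random name removes double extensions, traversal sequences and any
    // other structure the client put in the original filename.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: the weak denylist allows all five names, while the
// hardened validator accepts only the two whose extension is allowlisted and
// whose detected content matches it (report.pdf and avatar.jpg).
$samples = [
    ['report.pdf',          'application/pdf'],
    ['photo.PHP',           'text/x-php'],   // casing defeats the denylist
    ['../../notes.txt',     'text/plain'],   // traversal in the name
    ['avatar.php.jpg',      'text/x-php'],   // double extension, PHP content
    ['avatar.jpg',          'image/jpeg'],
];
foreach ($samples as [$name, $mime]) {
    printf("%-18s weak=%-5s hardened=%s\n", $name,
        weak_is_allowed($name) ? 'allow' : 'deny',
        hardened_stored_name($name, $mime) ?? 'deny');
}
```

Regenerating the stored name is what defeats the filename manipulation the article mentions; pairing it with an upload directory that the web server refuses to execute scripts from covers the case where validation is bypassed anyway.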

Security researcher Sélim Lanouar, known as whattheslime, discovered the flaw and reported it via the Wordfence Bug Bounty Program. He received a $2,145 reward for his finding. The researcher demonstrated that the attack vector is straightforward, requiring no advanced skills to exploit.

Potential Impact on WordPress Sites

This remote code execution WordPress vulnerability could have devastating consequences for site owners. Attackers gaining control of a website can steal sensitive data, inject malware, redirect visitors to malicious sites, or even take down the entire server. For e-commerce sites, this could mean compromised customer payment information.

Moreover, affected sites can become part of larger botnets or serve as launching pads for attacks on other systems. The ease of exploitation amplifies the risk, as automated scripts can scan for vulnerable installations and deploy payloads at scale.

Wordfence confirmed the proof-of-concept exploit shortly after receiving the report on January 8, 2026. “We validated the report and confirmed the proof-of-concept [PoC] exploit,” the team stated in an advisory. The plugin developer responded with a partial fix on February 10, followed by a complete patch on March 19 with version 3.3.27.

Steps to Protect Your WordPress Site

Administrators must update the Ninja Forms plugin to version 3.3.27 or later immediately. Delaying this patch leaves sites vulnerable, especially given that the attack requires no authentication. Regular security audits and monitoring can help detect unusual file uploads or suspicious activity.

Additionally, consider implementing a web application firewall (WAF) to block malicious upload attempts. Hardening your WordPress installation by restricting file permissions and disabling unused plugins can further reduce risk. For sites handling sensitive data, enabling two-factor authentication for admin accounts adds another layer of defense.

Conclusion

The Ninja Forms vulnerability highlights the ongoing challenges in securing widely used plugins. As WordPress remains a prime target for attackers, staying up to date with patches is non-negotiable. Site owners should act now to apply the fix and safeguard their digital assets from potential compromise.