A researcher stumbled across cyberzap.fun, a Dutch Police Operation PowerOFF honeypot mimicking DDoS-for-hire booter sites, and got it pulled offline while investigating.
Key Takeaways
Operation PowerOFF, coordinated by Dutch Politie with FBI/Europol/NCA, runs both overt scare pages (netcrashers.net redirects to police warnings) and covert honeypots (cyberzap.fun) to log IPs and emails of would-be DDoS buyers.
Cyberzap was detected trivially: Dutch Police consistently host infrastructure on bit.nl, and MX DNS records exposed the same provider.
The honeypot collected evidence of criminal intent cheaply: a fake payment flow, an attack history tab, embedded request IDs, a Cloudflare Turnstile captcha, and real activation emails.
Only 14 prior attack orders existed before the researcher’s, suggesting the site caught almost no real criminals before being shut down.
The strategic goal is paranoia, not arrests: making buyers distrust all booter services, not just seized ones.
Hacker News Comment Review
The “panic” narrative is disputed: the most likely explanation for the 401 Unauthorized lockdown is a WAF rule triggered by the researcher’s IP, not law enforcement staff scrambling to respond.
Commenters note that stress-testing your own infrastructure against DDoS services has legitimate use cases, complicating what counts as criminal intent captured by the honeypot.
Notable Comments
@bananamogul: “More likely someone put in a WAF rule that 401’d for his IP” – the shutdown was probably automated, not human panic.
@amarcheschi: Found a similar Italian defense ministry scare-redirect by accident; the pattern of covert gov honeypots is not unique to Dutch Police.