By Lyrie Threat Intelligence·5/2/2026

The Honeypot That Got Spooked: How Dutch Police Built a Slick Fake DDoS Booter, and a Single Email Burned It Down

TL;DR

A solo researcher who blogs as Lina (lina.sh) stumbled on cyberzap.fun while poking around Operation PowerOFF — the international anti-DDoS-for-hire effort coordinated heavily by the Dutch Politie. Cyberzap looked like a normal booter site: real SEO, real robots.txt, real sitemap, dashboards with fake but believable graphs, payment options for Bitcoin, Monero, PayPal, and credit card.

It was a honeypot. Every "payment attempt" failed after a few seconds, but harvested the user's IP, email, declared target, and demonstrated criminal intent. Lina caught the scent because the MX records pointed to bit.nl — a hosting provider the Dutch police use across most of their cyber operations.

He registered with the email [email protected]. The site greeted him with a real activation email. He explored. And then the Politie panicked and locked the entire site down with a 401 Unauthorized. They even pulled an unrelated test domain (bytecannon.net) at the same time. The companion deterrence site, netcrashers.net — every button on which redirects to a Dutch Police "you are committing cybercrime" warning page — stayed up.

This is a public window into how law enforcement is now playing offense: deception ops, fake commercial infrastructure, SEO and UX as weapons, and a deliberate strategy of eroding trust within the criminal market rather than just arresting individuals. The PowerOFF program has now identified 75,000+ DDoS-for-hire users, seized 53 domains, and exposed 3 million criminal accounts over the past 18 months.

For defenders, this case is instructive on three levels:

1. Operational tradecraft for honeypot hunters — how Lina spotted it from outside (MX records, registration patterns, dashboard inconsistencies)

2. What works in the offensive deception era — and what reveals it

3. The strategic shift in how nation-states fight cybercrime — not catching everyone, but making everyone untrustworthy to everyone else

What Happened — Lina's Walkthrough

Reconstructed from Lina's published writeup, corroborated by the Operation PowerOFF press cycle.

The first signal — MX records

Lina was researching Operation PowerOFF's overall methodology when he came across cyberzap.fun. The site looked like any of thousands of "skidded" booter sites — booters being the slang term for DDoS-for-hire services aimed at the low-skill ("script kiddie") market.

It wasn't visually flawless, but it had professional-grade infrastructure: real robots.txt, sitemap, SEO meta tags, polished landing page, plausible pricing tiers.

The giveaway: the domain's MX records pointed to bit.nl — a Dutch hosting provider that Lina recognizes as the Politie's go-to email infrastructure for these operations. Once you know the tell, you can't unsee it.

The registration trap

Lina decided to play along, but to make his intent unambiguous. He signed up with the email:

[email protected]

This is craft. Anyone reviewing the database later sees an explicit "I am a researcher, here is my domain, contact me" rather than yet another anonymous user.

The honeypot's reaction:

  • A turnstile CAPTCHA on the registration form (cosmetic — it's there to look real, not to actually filter bots)
  • A real activation email with a token-embedded link AND a manual activation code
  • A working dashboard with fake-but-plausible graphs (network speeds, bot counts) that updated in real time
  • An attack-ordering flow with target input, attack type selection, and four payment options: Bitcoin, Monero, PayPal, credit card

The "payment failed" pattern

Lina ordered a fake attack against a clearly-bogus target. He picked Bitcoin first. The payment processor spinner ran for ~5 seconds, then returned: "Payment Error — There was an error processing your payment. Please try again or contact support."

He tried again with each of the other payment methods. Same outcome. Every single payment "fails" by design.

The "attack history" tab logged each attempt, marking it as failed payment.

The intent was now clear: the honeypot doesn't actually take any money or launch any attacks. It collects:

  • Email address (often tied to other accounts/identities elsewhere)
  • IP addresses (captured at registration, at each payment attempt, and at each dashboard access, so several IPs from the same user)
  • Declared target domain (proof of intent)
  • Payment-method choice (which crypto wallets, which credit card billing addresses, which PayPal accounts the actor was willing to use)
  • Behavioral profile (how the attacker explored the dashboard, what they tried, how long they stayed)

Each user generates an evidentiary file. If the same person ever surfaces in another investigation, the Politie has years of pattern data — "yes, this person attempted to pay for DDoS attacks against these targets at these times from these IPs."

The 401

Lina was poking around when his email — [email protected] — apparently triggered an internal alarm. The site blinked. The next page-load returned HTTP 401 Unauthorized. The dashboard, the homepage, everything — all locked down.

The Politie even pulled a related domain (bytecannon.net) that had been quietly sitting unused, just in case it was part of the same operational footprint. They burned the entire infrastructure rather than risk Lina publicly mapping it.

The companion site, netcrashers.net — designed for a different audience — stayed up.

Netcrashers — the scare-tactic variant

netcrashers.net is the overt deterrence operation. It doesn't pretend to be a real booter. The landing page promises to "crash all nets," but every button click immediately redirects to:

"The Dutch Police has strong indications that you were looking for a DDoS-for-hire service. DDoS attacks are illegal and have serious consequences. You always leave traces online when committing cybercrime."

This is targeted at teenagers — the median DDoS-as-a-service customer per Europol's own data is under 18. A kid Googles "free DDoS" or "minecraft server boot," lands on netcrashers, clicks a button, gets a jump-scare with police badges, closes the tab. Maybe never tries again.

It's not designed to catch anyone. It's designed to cost the attempt nothing for law enforcement and everything in nerve for the kid.

The Bigger Picture — Operation PowerOFF as a Strategic Doctrine

Cyberzap and Netcrashers aren't isolated experiments. They're part of Operation PowerOFF, an ongoing international crackdown coordinated through Europol with the FBI, UK National Crime Agency, Dutch Politie, and 27+ partner agencies. The publicly-acknowledged outcomes since 2024:

  • 75,000+ DDoS-for-hire users identified and warned (often with letters or in-person visits, particularly to the parents of underage users)
  • 53 domains seized in the latest sprint
  • 3 million criminal accounts exposed across the seized booter databases
  • ~100 domains seized cumulatively over the program's history
  • Multiple arrests, mostly of operators rather than customers

The strategic philosophy is clear and (per Lina's analysis) is the most important thing for defenders to understand:

"Catching people probably isn't the only goal. By running these honeypots, the police create suspicion and paranoia in the community. If you want to buy a DDoS attack, you now have to wonder if the website is real or just a police honeypot logging your IP. They want people to stop trusting these services entirely."

This is deception-at-scale as policy. The doctrine isn't "arrest every customer" — that's never going to scale against millions of would-be attackers. The doctrine is make every booter site possibly-a-honeypot, so that the act of even searching for one becomes a paranoia tax that suppresses demand.

It works the same way the FBI's Operation Trojan Shield / ANOM worked against organized crime, just at the lower tier of the cyber threat landscape. Run a fake encrypted-phone network for criminals, harvest their messages for years, then publicly announce it — and watch every other criminal communications platform have to fight rumors that it is the next FBI front.

How Lina Spotted It — Tradecraft for Defenders

For threat researchers, OSINT analysts, and defenders who want to identify operations like this in their own monitoring, Lina's writeup has a clear methodology:

1. Watch the infrastructure

  • MX records: The Dutch Politie reuses bit.nl across most operations. Pattern recognition over hosting provider, ASN, and DNS reuse is high-signal.
  • Domain registration patterns: cyberzap.fun was registered April 3, 2025, but the Internet Archive shows the site was empty in July 2025. Late content population is a red flag.
  • Wallet addresses for crypto-payment options: A site that's been "live" for 6+ months with zero on-chain activity at its declared addresses is suspicious.

2. Watch the failure mode

  • Every payment fails consistently and identically — not "card declined" once and "insufficient funds" another time, but the same generic error every time. Real payment processors fail in varied, specific ways.
  • No follow-up support contact succeeds. Real criminals running a real booter need to keep paying customers happy. Honeypots don't have to.

3. Watch the dashboards

  • Real-time graphs that look real but track suspiciously round patterns — bot counts that update on a clock rather than reflecting actual operations
  • Order IDs that increment too slowly (Lina's order was #15 — meaning fewer than 15 actual users had ever ordered an "attack")
  • No actual attack telemetry surfacing back to the user — a real booter, however shady, would show something indicating an attack happened

4. Watch what the operation does NOT do

  • Real booters aggressively recruit affiliates and offer revenue-share deals — honeypots don't bother because they're not building a real business
  • Real booters have active Telegram/Discord communities run by the operators — honeypots either skip this or run anemic versions
  • Real booters get DDoSed by competitors — honeypots are mysteriously left alone

Lyrie Assessment

The Cyberzap incident is a marker for two strategic shifts in cybersecurity that defenders need to internalize:

Shift 1: Deception is now mainstream defensive doctrine

For 30 years, deception (honeypots, honeynets, deception grids) has lived in the "interesting research" margin of the security industry. Vendors like Attivo, Illusive, TrapX, and CounterCraft have built real businesses on it — but at the enterprise level, deception was always optional.

That era is ending. Both nation-state offense (Operation PowerOFF, the FBI's various sting platforms, GCHQ's NCSC counter-fraud ops) and increasingly commercial defense (Zscaler and CrowdStrike adding deception modules) are converging on the same insight: in an asymmetric environment where an attack costs the adversary almost nothing to launch and defenders have finite analyst time, make the attacker waste their time on fake assets so real assets get less attention.

The 2026-2028 defensive doctrine for any reasonably-funded organization will include:

  • Deception assets inside production networks (honeytokens such as fake credentials, fake S3 buckets with audit-logged access, fake admin panels at predictable URLs)
  • Deception assets adjacent to production (fake VPN endpoints, fake remote-access portals, fake staging environments with fake "production" data)
  • Real-time alerting on any interaction with deception assets, with attribution fed back into ongoing threat hunting
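The decoy-plus-alerting pattern above, and the honeytoken deployment recommended under action 4 below, reduce to the same mechanism Cyberzap used, pointed the other way: an asset that never grants access but records every touch and raises an alert. The following is an added example, not Lyrie's, the Politie's or any vendor's code; the decoy paths, alert severities and sample traffic are constructed for illustration.

```python
"""Decoy admin panel monitor: added example, not Lyrie's or the Politie's code.
The defender-side mirror of the Cyberzap design: a fake panel at a predictable URL
that never grants access but logs every touch, alerts once per source, and pivots on
submitted identities. Paths and sample traffic are constructed for illustration."""
from collections import defaultdict

DECOY_PATHS = {"/admin", "/staging/api/v1/keys"}   # assumed decoy URLs, never real
PROBE, CREDS = "probe", "credential-submission"     # alert severities

class DeceptionMonitor:
    def __init__(self):
        self.events, self.alerts, self._seen = [], [], set()

    def handle(self, ts, ip, path, method="GET", user_agent="", form=None):
        """Serve one request. Decoys always answer 401, mirroring the honeypot's
        'payment failed' rule; non-decoy paths are ignored to keep the log clean."""
        if path not in DECOY_PATHS:
            return 404
        form = form or {}
        ev = {"ts": ts, "ip": ip, "path": path, "method": method, "ua": user_agent,
              "username": form.get("username", ""), "creds": "password" in form}
        self.events.append(ev)
        sev = CREDS if ev["creds"] else PROBE
        if (ip, path, sev) not in self._seen:      # one alert per source/asset/severity
            self._seen.add((ip, path, sev))
            self.alerts.append({"ts": ts, "ip": ip, "path": path, "severity": sev})
        return 401

    def ips_by_username(self):
        """Pivot the same submitted identity across source IPs (cf. 'multiple IPs
        from the same user' in the Cyberzap evidentiary file)."""
        out = defaultdict(set)
        for ev in self.events:
            if ev["username"]:
                out[ev["username"]].add(ev["ip"])
        return {u: sorted(ips) for u, ips in out.items()}

# Constructed sample traffic: a scanner sweep, then one person retrying from two IPs.
SAMPLE = [
    (1000, "203.0.113.7", "/robots.txt", "GET", "curl/8.0", None),
    (1001, "203.0.113.7", "/admin", "GET", "curl/8.0", None),
    (1002, "203.0.113.7", "/admin", "GET", "curl/8.0", None),
    (1100, "198.51.100.4", "/admin", "POST", "Mozilla/5.0",
     {"username": "ops-admin", "password": "hunter2"}),
    (1160, "198.51.100.9", "/admin", "POST", "Mozilla/5.0",
     {"username": "ops-admin", "password": "hunter2!"}),
]

def run_sample():
    mon = DeceptionMonitor()
    for ts, ip, path, method, ua, form in SAMPLE:
        mon.handle(ts, ip, path, method, ua, form)
    return mon
```

Wiring `handle` behind a real web framework route and shipping `alerts` to a SIEM is the production version; the point is that any hit on a decoy path is a detection, with no signature needed.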

Shift 2: SEO + UX have become offensive infrastructure

Cyberzap had real robots.txt, real sitemap, real meta tags, real activation emails. Whoever built this understood Google's ranking algorithm and was willing to spend the resources to compete in search.

This is not going away. Future state-run honeypots will be indistinguishable from real services not just in appearance but in technical SEO performance, in UX polish, in customer-support response time, in the supporting Reddit threads, in the YouTube tutorials posted by sock-puppet "users."

The implication for defenders: the same techniques that get you to the top of Google for "Lyrie autonomous defense" can be turned into offensive infrastructure tomorrow. A deepfake LinkedIn profile, an SEO-optimized fake vendor site, a Discord community with a year of seemingly-organic conversation history — the cost of running these dropped below $10,000/year in 2025 thanks to LLM-driven content generation.

We're entering an era where the credibility signals you teach users to trust (HTTPS lock, real-looking domain, populated SEO, customer reviews, social media history) are all attainable by attackers. Defenders need to start operating from the assumption that visual / SEO / UX trust signals are no longer sufficient on their own.

What Lyrie is building toward

Our 2026-2027 product roadmap includes:

  • LyrieDeception — managed deception-asset deployment for customer environments, with auto-generated fake credentials, fake APIs, fake admin panels that match the customer's real infrastructure naming
  • LyrieSpoofWatch — continuous monitoring for SEO-spoofed clones of customer-facing assets (fake Lyrie.ai vendor sites, fake customer-portal lookalikes)
  • LyrieIntentEngine — already discussed in the Bad Bot Report context, but specifically extended for adversarial-deception-aware intent classification (i.e., distinguishing humans, real bots, and deception-targeted automated probes from law enforcement / threat intel)

Cyberzap is a one-off public artifact. The doctrine behind it is the future. Defenders who build muscle around deception detection, deception deployment, and adversarial-deception-aware monitoring will dominate the 2027-2030 threat landscape. Those who don't will spend the decade chasing yesterday's signatures.

Recommended Actions

For threat researchers and CTI teams

1. Build a list of known law-enforcement infrastructure tells. bit.nl MX records (Dutch Politie), specific ASNs commonly used by NCSC and FBI, registrar patterns for seized domains. Maintain it. Share it within trusted ISACs.

2. Watch the booter / stresser / fraud / drug / weapon-marketplace ecosystem for similar honeypot patterns. PowerOFF is one of dozens of similar operations across different criminal verticals.

3. Subscribe to seized.fyi to track law-enforcement seizure banners — useful both for tracking which operations are active and for spotting domains that are about to be seized.

For defensive teams

4. Deploy your own deception assets. Honeytokens (fake AWS keys, fake API tokens) in monitored locations cost nothing and catch real intrusions reliably. Thinkst Canary and CanaryTokens are free starting points.

5. Audit your own attack surface for adversarial SEO. Search for typos of your domain, lookalike domains, fake LinkedIn profiles claiming to be your employees. The Cyberzap-style infrastructure is now also being used against legitimate vendors.

6. Train teams to be skeptical of new vendor sites in cyber-adjacent verticals. A polished, SEO-ranked site for an offensive-security tool, a "leaked database" marketplace, or a "private vulnerability research community" should be presumed potentially-a-honeypot until proven otherwise.
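Action 5 asks you to search for typos and lookalikes of your own domain. The following added example (not Lyrie's product code, nor dnstwist's) generates the common typosquat and homoglyph variants of a brand domain and reports which ones actually resolve; the resolver is injectable so the sweep can be tested offline, and the sample domain and addresses are constructed.

```python
"""Lookalike-domain sweep: added example, not Lyrie's or dnstwist's code.
Generates the typo and homoglyph variants of a brand domain that action 5 tells you
to search for, then checks which ones actually resolve. The resolver is injectable so
the sweep can run offline; the TLD list and sample domain are constructed choices."""
import socket

HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "e": "3", "a": "4", "s": "5"}  # common swaps
TLDS = ["com", "net", "io", "ai", "app", "fun"]                            # cf. cyberzap.fun

def variants(domain):
    """Return candidate lookalikes of 'label.tld' (omission, doubling, transposition,
    hyphen insertion, homoglyph, TLD swap), excluding the domain itself."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                               # omission
        out.add(label[:i] + label[i] + label[i:])                        # doubling
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
            out.add(label[:i + 1] + "-" + label[i + 1:])                 # hyphenation
        if label[i] in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])     # homoglyph
    cands = {f"{l}.{tld}" for l in out if l and "--" not in l}
    cands |= {f"{label}.{t}" for t in TLDS}
    cands.discard(domain.lower())
    return sorted(cands)

def default_resolver(name):
    """Live DNS lookup; returns [] for names that do not resolve."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def sweep(domain, resolver=default_resolver):
    """Map each lookalike that resolves to its addresses; unregistered names are dropped."""
    return {v: ips for v in variants(domain) if (ips := resolver(v))}
```

Run `sweep("your-brand.tld")` on a schedule and diff the result against the previous run; a newly resolving lookalike is the trigger for the registrar/hosting/search-engine abuse contacts listed under action 8.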

For founders and CTOs

7. Don't visit booter / leaked-data / fraud-vendor sites from corporate or work-personal infrastructure. The Cyberzap honeypot logged IPs, but plenty of real booter sites (and the deception sites watching them) are also harvesting visitor IPs that get sold downstream. Use Tor or research-isolated VMs.

8. Have a plan for the day a deception-clone of your own product ships. Someone WILL eventually build a fake "Lyrie.ai security audit tool" or fake customer portal designed to harvest your customers' credentials. Decide now: how do you detect it, who do you contact (registrar abuse, hosting provider, search engine, law enforcement), how do you notify your customers without panicking them.

Sources

1. Lina. "I accidentally made law enforcement shut down their stresser honeypot." https://lina.sh/blog/ddos-honeypot

2. The Hacker News. "Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts." https://thehackernews.com/2026/04/operation-poweroff-seizes-53-ddos.html

3. Bleeping Computer. "Operation PowerOFF identifies 75k DDoS users, takes down 53 domains." https://www.bleepingcomputer.com/news/security/operation-poweroff-identifies-75k-ddos-users-takes-down-53-domains/

4. Hackread. "Operation PowerOFF: 75K Users of DDoS-for-Hire Services Identified and Warned." https://hackread.com/operation-poweroff-ddos-for-hire-services-identified/

5. CyberScoop. "Officials seize 53 DDoS-for-hire domains in ongoing crackdown." https://cyberscoop.com/ddos-for-hire-takedowns-operation-poweroff/

6. Europol. "Europol-supported global operation targets over 75,000 users engaged in DDoS attacks." https://www.europol.europa.eu/media-press/newsroom/news/europol-supported-global-operation-targets-over-75-000-users-engaged-in-ddos-attacks

7. Wikipedia. "Operation PowerOFF." https://en.wikipedia.org/wiki/Operation_PowerOFF

8. seized.fyi. https://seized.fyi/operation-poweroff

9. Lefaroll Telegram channel coverage (Hebrew). https://t.me/Lefaroll

10. Archived snapshot of cyberzap.fun. https://archive.ph/IS0k6


Lyrie.ai Cyber Research Division
