When the FBI announced the takedown of 13 cyberattack-for-hire services yesterday, it may have seemed like just another day in law enforcement’s cat-and-mouse game with a criminal industry that has long plagued the internet’s infrastructure, bombarding victims with relentless waves of junk internet traffic to knock them offline. In fact, it was the latest win for a discreet group of detectives that has quietly worked behind the scenes for nearly a decade with the goal of ending that plague for good.

Yesterday’s operation was just the most recent of three major cybercriminal takedowns in the past five years that all began inside an informal working group that calls itself Big Pipes. The team’s roughly 30 members, who communicate mostly through Slack and weekly video calls, include staffers from several of the internet’s biggest cloud service providers and online gaming companies—though members from those companies spoke to WIRED on the condition that their employers not be named—as well as security researchers, academics, and a small number of FBI agents and federal prosecutors.

Big Pipes’ detectives have for years methodically tracked, measured, and ranked the output of “booter” or “stresser” services that sell distributed denial-of-service (DDOS) attacks that allow their customers to barrage enemies’ servers with disruptive floods of data. They’ve hunted the operators of those services, with private-sector members of the group often digging up leads that they hand to the group’s law enforcement agents and prosecutors. Together, they worked to initiate a takedown operation in December 2018 that led to the arrest of three hackers and knocked a dozen booter services offline. Last December, their work laid the foundation for Operation Power Off, which led to six arrests and the takedown of no fewer than 49 DDOS-for-hire sites, the biggest bust of its kind.

Yesterday’s takedowns, just four months after Operation Power Off, suggest the operations resulting from the group’s work may be accelerating. And Big Pipes is still tracking and hunting the booters that remain online, warns Richard Clayton, who leads a security research team at Cambridge University and has served as one of the group’s longest-running members. “We’re hoping that some of the people who were not taken down in this round get the message that perhaps it’s time they retired,” says Clayton. “If you weren’t seized this time, you might conclude you’ve pushed up your chance of being investigated. You might not want to wait and see what happens.”

Big Pipes Start Fights

The idea for Big Pipes was sparked at the Slam Spam conference in Pittsburgh in 2014, when Allison Nixon, a security researcher then at Deloitte, met with Elliot Peterson, an FBI agent who’d recently worked on the takedown of the notorious Game Over Zeus botnet. Nixon suggested to Peterson that they collaborate to take on the growing problem of booter services: At the time—and still today—hackers were wreaking havoc by launching ever-growing DDOS attacks across the internet for nihilistic fun, petty revenge, and profit, increasingly selling their attacks as a service.

In some cases, attackers would use botnets of thousands of computers infected with malware. In others, they’d use “reflection” or “amplification” attacks, exploiting servers run by legitimate online services that could be tricked into sending large amounts of traffic to an IP address of the hackers’ choosing. In many instances, gamers would pay a fee to one of a growing number of booter services—often just around $20 dollars for a subscription offering multiple attacks—to hit their rivals’ home connections. Those DDOS techniques frequently caused serious collateral damage for the internet service providers dealing with those indiscriminate floods of traffic. In some cases, DDOS attacks aimed at a single target could take down entire neighborhoods’ internet connections; disrupt emergency services; or, in one particularly gruesome case, break automated systems at a chicken farm, killing thousands of birds.

Big Pipes soon began to recruit staff from major internet services who had firsthand knowledge of booters based on their experiences as both victims and defenders in their attacks. (The group got its name from the phrase “big pipes start fights,” a joke about its members bragging about who among them had the biggest bandwidth on the internet.) Nixon and Clayton, for their part, contributed data from sensor networks they’d created—honeypots designed to join hackers’ botnets or act as their reflection servers and thus allow the researchers to see what attack commands the hackers were sending.