How I stumbled across a fake booter site run by international police, and how they panicked when I started digging

What is Operation PowerOFF?

Before we get into the funny part, you need a quick summary. Operation PowerOFF is a massive international effort to stop DDoS for hire services. While it includes agencies like the FBI, the UK National Crime Agency, and Europol, the whole thing seems to be heavily coordinated by the Dutch Politie.¹

The Dutch police appear to run the actual infrastructure for these operations. They have been active for quite some time now, and over the years, they have managed to seize a maybe around one hundred domains² and make a few arrests here and there³.

Digging into "Cyberzap"

I have been looking around Operation PowerOFF for a bit, and whilst digging around, I stumbled across a website called https://cyberzap.fun/.

It did not look flawlessly professional, but it definitely looked legit enough. It perfectly mirrored the thousands of skidded booter sites floating around the internet. It was not perfect, but there was absolutely a solid effort put into it. They even set up robots.txt files, sitemaps, SEO friendly meta tags, and everything else a real website needs to rank on search engines.

However, there was a massive giveaway if you even slightly started looking. The Dutch police absolutely love using bit.nl as their server host. And when you check the MX DNS records, Cyberzap used bit.nl for their mail servers.

I decided to sign up to see how deep this went. I just wanted to let them know that I'm just researching, and not an active cyberterrorist™. So I registered with the email conducting-research-hello-operation-poweroff@lina.sh.

Surprisingly, they even sent a real activation email! With an activation link that had a token embedded, and manual code you could enter.

The dashboard looked maybe a little empty, but still believable. It had fake network speed graphs that updated on the current time, and a fake counter of connected bots.

I wanted to see what happened if I "ordered an attack". Again, I didn't want them to think I am an evil hacker, so I entered a silly domain.

You could choose Bitcoin, Monero, PayPal, or Credit Card.

But no matter what you picked, it would just load around for a few seconds, and then present you with the message Payment Error - There was an error processing your payment. Please try again or contact support.

You can view your past "attacks" in a history tab, where it will just show that the payment failed. They really just let you prove your criminal intent, grab your IP address and email, and they probably plan to use that as "evidence" if it ever comes to it.

Scare tactics: Netcrashers

Cyberzap is meant to be a "secret" trap. But they also run another type of site. I found https://netcrashers.net/ around the same time.

This site looks a lot faker, it gives us the promise to "crash all nets". But the moment you click any button on the website, you immediately get redirected to a "scary" police warning page. That page literally says the domain is created and owned by the Dutch Police.

This is clearly designed for kids. A teenager looks up a DDoS site, clicks a button, and gets a huge jump scare with police badges. They get scared and close the tab.

Oops, they shut the whole thing down because of me >w<

While I was digging around Cyberzap, testing shit, and taking screenshots, something quite funny happened: The feds literally pulled the plug on the site.

I tried to load the page again, and I got hit with a 401 Unauthorized prompt. The website was locked down.

I guess they saw my email address that greeted them. They probably received logs of someone "falling for it", and saw someone was poking around their secret website, and knew who was behind it. They completely panicked. They even shut down a completely unused domain called bytecannon.net with the exact same authorization message.

It's important to mention that the scary netcrashers.net site stayed online. But that one was meant to be associated with them.

I did manage to archive the main-homepage of cyberzap.fun in time though: https://archive.ph/IS0k6. This blog post is quite "image heavy", so I am quite sorry about the bad resolution of some images, but it's just screenshots I took to send to friends. I sadly wasn't able to archive high-quality stuff of everything.

What is the actual goal here?

This brings up a really good question. What is the point of all this?

The banner on netcrashers.net mentions "Law enforcement combats cybercrime both overtly and covertly". We essentially found both of those methods. Netcrashers is the overt one, and Cyberzap is the covert one.

When I looked at my attack order on Cyberzap, I noticed an ID in the URL that was given to me. My request was number 15. That means there were only 14 other "attacks" ever ordered on that site. And honestly, most of those were probably the feds testing their own code. Because honestly, who the fuck would still fall for this website? Despite all the "work" they put in, how much money was blown on building this fake dashboard?

Catching people probably isn't the only goal. By running these honeypots, the police create suspicion and paranoia in the community. If you want to buy a DDoS attack, you now have to wonder if the website is real or just a police honeypot logging your IP. They want people to stop trusting these services entirely.

So yeah, those honeypots are real and out there, so the message clearly is: "you can't trust DDoS services". It should obviously go without saying: you just shouldn't use booter services in the first place.

"Operation PowerOFF" also recently uploaded an AI-slop "propaganda" video⁶:

It showed them knocking on the door of a 16 year old kid who hit Minecraft servers offline. They made this kid look like a final boss, and showed themselves as how incredibly tuff they are for raiding a teenager.
Is it a real story? Probably not. I suppose it is meant to scare children, like netcrashers.net. But it really just feels more like feds jerking themselves off on how cool they are. In a Reddit AMA that they did just a week ago, they described this monstrosity as a "cool video" on their "branding page".

Does this video and the honeypot have any real impact? Let's be honest: probably not. It feels like they are just redistributing wealth from the average taxpayer to AI video slop corporations.

We do know that Operation PowerOFF did this exact same thing in the past. The NCA actually wrote an article⁴ in March 2023 about how they infiltrated the cyber crime market with disguised DDoS sites.

We likely just stumbled across their new project. Checking the domain registration, you can see that it was created on April 3, 2025. I also checked the internet archive. The site was captured in July 2025, and it was still empty back then⁵, so it is questionable when they actually launched it.

It is honestly just funny. They spend all this money on propaganda to scare children and complex honeypots that are still super easy to detect. And the moment someone starts digging, they panic and shut the whole thing down.

Sorry glowies, you'll have to try again.

How Germany's ISPs cooperate with corporations to secretly block websites

Hey! We (Elias/Northernside and me!) will hold a talk at the 39c3! The talk will be streamed and available to be watched later in archives. Check it out here in the hub or fahrplan.

The talk itself is in German, but it will be translated (I guess?)

The talk will be about the CUII (which we already covered here multiple times: 1, 2 and 3)
There is some new information though in this talk and some new stuff that came up! So definitely come check it out if you're interested c:

A group of major corporations blocked domains in Germany without courts. That ends now.

Our internet is a little freer now, with less censorship by private companies.

What was the CUII?

The Clearingstelle Urheberrecht im Internet (CUII) is a private group formed by ISPs and copyright holders. They decided what websites to block, and ISPs followed, without any court ruling. No judge was involved, no legal process.

The members: The four largest ISPs in Germany and a bunch of copyright holders (the Motion Picture Association, Sky, ...). If they decided that a site should be blocked, the ISPs just blocked the domains from being resolved. This ran completely outside the courts, a private system made by corporations for censorship. Blocked sites included streaming services, but also sites like Sci-Hub or game piracy sites.

What we did

In a previous blog post, I went into detail on how we trolled them:
- We leaked their secret blocklists (the list of domains was kept secret!)
- We exposed dozens of wrongful and outdated blocks.
- We made them unblock a lot of domains, including some that were blocked for years.
- ... and so much more. We just made a lot of bad press for them.

What changed

The CUII now only coordinates blocks between ISPs after a court order. That's it. No more secret votes. No more corporate censorship. The new version of their website says: "The CUII coordinates the conduct of judicial blocking proceedings and the implementation of judicial blocking orders."

It's a massive shift. Until now, corporations acted like they were above the law with the CUII, deciding on their own what content to block across the entire German internet, based purely on their financial interests. That's over. From now on, the new "Code of Conduct" requires actual legal review for new blocks to be implemented. The old process, where rights holders submitted requests and the CUII panel approved them privately, is gone.
Instead, they now say: "Under the current Code of Conduct, judicial review of blocking claims replaces these procedural steps (the CUII's old internal decision-making process). The CUII no longer reviews blocking claims, but instead coordinates only the initiation and conduct of proceedings, the implementation of judicial blocking decisions, and the unblocking of domains that are no longer infringing."

In practice, this means the CUII no longer decides anything. It just forwards court decisions and tells ISPs what to do. The version of the CUII that privately censored the internet is dead. It's now rather just coordinating everything so stuff goes smoothly. That's not because they wanted to change. It's because they had to. Even the Bundesnetzagentur (Germany's Federal Network Agency) told them to back off and leave the decisions to actual courts (I reported a lot of the CUII's wrongful blocks to them). It's a step back toward net neutrality and due process. Censorship decisions should never be made by a few companies behind closed doors.

Sadly, there's a small catch: the old blocks stay. The current blocklist still includes every site they decided to censor before now, without court orders. But at least, this mess won't grow anymore. We exposed them, we pushed back against their private censorship, and it seems like we won.

The core problem with the CUII was always that that it was a private organization, bypassing courts, letting powerful corporations decide what Germans are allowed to access online. This power finally no longer belongs to them, but now rightfully belongs in court, which is a long overdue step. They are not above the law, and they never should have been.

You can read an article in German about this: https://netzpolitik.org/2025/die-cuii-gibt-auf-fuer-netzsperren-braucht-es-jetzt-einen-gerichtsentscheid/

After years of nothing, Telekom has just blocked Pornhub's new German domain.

What happened before?

Back in March 2023, German ISPs were forced by the KJM (Commission for the Protection of Minors in the Media), a subgroup of the state media authorities, to block xHamster¹. Probably around November, they also mandated the blocking of Pornhub for 'not protecting children well enough.'
But unlike with xHamster, no one even really noticed the block. There was almost zero media coverage about Pornhub being blocked. (Or at least I can't find any, that's why it's so hard to date the blocking. There is one article by Netzpolitik talking about the possibility of them being blocked²). The reason why there was almost no media coverage: the block likely didn't even last a day. Shortly after, pornhub.com stopped redirecting German users to de.pornhub.com and instead redirected to de.pornhub.org - which wasn't blocked. And that's kinda how things stayed... until now.

Someone on my website just reported that Telekom has started blocking de.pornhub.org. And again, no one is talking about it.

Is this just going to keep going forever?

Are regulators just gonna keep chasing one domain after the other? Blocking more and more and more? There's no transparency, no "public list" of blocked pages - and journalists can't even check what's on a site because, well, it's blocked.

I actually heard someone say: "Well, journalists should just use a VPN or a different DNS, it's easy to bypass"

But if that's the answer, then shouldn't everyone be able to do that? Just to check why the government is blocking something? And if everyone bypasses it, then what's the point of the block in the first place?

At the end of the day, these blocks aren't about protecting anyone: any kid can just type "porn" into Google's search bar - typing out the full domain is a lot more challenging. In the end, this just limits regular people and opens the door for more and more censorship.

This was my entire issue with the CUII - Germany's internet censorship is very shady. Read more about our secret censorship-organization here.

I apologize for any errors, this was yet another quickly typed post about a new situation.

Update: 2025-04-29

I sent out multiple emails to different KJM members, which were all ignored. I therefore sent out a FOIA request asking for a list of blocked domains. They have confirmed the blocking of de.pornhub.org³, and are currently trying to force Vodafone to block the new domain as well⁴.

One of Germany's biggest ISPs changed how their DNS works, right after I exposed an organization that they’re part of.

My website: Publishing Germany's secret internet blocklist

In Germany, we have the Clearingstelle Urheberrecht im Internet (CUII) - literally 'Copyright Clearinghouse for the Internet', a private organization that decides what websites to block, corporate interests rewriting our free internet. No judges, no transparency, just a bunch of ISPs and major copyright holders deciding what your eyes can see.
I decided to create a website, cuiiliste.de, to find blocked domains, as the CUII refuses to publish such a list. To read more about the CUII, check out one of my previous blog posts. Germany's four biggest ISPs (Telekom, Vodafone, 1&1 and Telefonica (o2)) are all part of the CUII.

Yet another slip-up by the CUII

This week, Netzpolitik.org published an article about the CUII's latest blunder¹, based on information I gathered. They managed to block domains that no longer even existed: websites that had already been seized and taken offline when they were blocked. It's not the first time the CUII has tripped over its own feet, and this mistake likely didn’t sit well with them. In the past, it was really easy to find out if a domain was blocked by the CUII. If you asked an ISP's DNS server (basically the internet's phone book) for a site and got a CNAME to notice.cuii.info, you knew it was blocked.
What this basically means in case you're not a tech nerd:
You can check the phone book of an ISP (the "DNS server") where to find a website, and you'd receive a note saying "This site is blocked by the CUII" if the page is blocked. Automating this was simple, I could basically just ask "Hey, where can I find this site?" and immediately knew if it was blocked. The CUII apparently did not like the fact that it was so easy for me to check if a domain was blocked. They want to keep their list secret.
ISPs like Telekom, 1&1 and Vodafone actually all stopped using this response a few months ago, after older articles about the CUII's past failures were published. Instead, they started pretending that blocked sites didn't exist at all. Straight up erasing entries from the phone book. You could not tell if a site was blocked or just didn't exist. Telefonica (the parent company of for example o2, Germany's fourth-biggest ISP²), apparently didn't get this memo, and they still used notice.cuii.info in their DNS responses.

On cuiiliste.de, anyone can enter a domain, and see if it is blocked by the CUII, and which ISPs block it specifically.

I get a new visitor

Telefonica modified their DNS servers, specifically saying that blau-sicherheit.info was blocked by the CUII. At 11:06 AM last Friday, someone from Telefonica's network checked if blau-sicherheit.info was blocked on my site. The twist? Telefonica seems to own this domain. Blau is one of their brands³, and blau-sicherheit.info wasn’t some piracy hub - it appears to be a test domain of theirs. My tool flagged it as blocked because Telefonica's DNS servers said so. Why would they block their own domain?

To recap:

• Telefonica blocks their own domain
• Someone from Telefonica visits my website to check if I detect this
• I do in fact detect this

Telefonica modifies how their blocking works... to mess specifically with my website

Two hours after this suspicious query, I was bombarded with Notifications. My program thought that the CUII had suddenly unblocked hundreds of domains.
The reason: Telefonica had altered their DNS servers to stop redirecting blocked domains to notice.cuii.info. Now they pretend that the domain doesn't exist at all, after they specifically blocked their own domain, likely to find out how my website works.
I had to spend my entire Friday afternoon fixing this mess, and now everything is fully operational again. The fix worked, but there’s a catch: without the notice.cuii.info redirect, it's harder to confirm if a block is actually the CUII's doing. Sometimes ISPs block sites for other reasons, like terrorism content (I wrote about that too). I try to compensate this by cross-checking domains against a list of known non-CUII-blocks.

Why sabotage my website?

The timing is more than suspicious. Right after Netzpolitik’s article exposed the CUII for blocking non-existent domains, they make it harder to track their mistakes. Coincidence? Or a move to bury future slip-ups? We can only speculate. Regardless of intent, the result is the same: less transparency and harder oversight. And that benefits the CUII, not the public.

In this context, Netzpolitik.org released another article (German): Netzpolitik.org: Provider verstecken, welche Domains sie sperren

Sources

German ISPs now block websites for spreading "unconstitutional content"

This is just a quickly typed post to update on a recently changed situation.

Al-Manar TV blocked by German ISPs

Before net-neutrality was a thing, and ISPs just did whatever they wanted to do, there were a few blocks, similar to that, in the past (we are talking about the 2000s here). But now, the biggest ISPs in Germany (Telekom, Vodafone, 1&1, ...) have been forced to block websites not related to child protection or EU sanctions. The Lebanese terror group Hezbollah runs the channel "Al-Manar TV", which also has a website, where they had been spreading hate speech and terrorist propaganda.
The German government already outlawed the channel in 2008 for unconstitutional content, but it simply continued to operate online.

On December 18, 2024, the Commission for Youth Media Protection (KJM) apparently ordered ISPs to block both the Arabic and English versions of Al-Manar TV's website. We were able to find two domains affected under these blocks. The ISPs now won't resolve those domains anymore.

Until now, German internet blocks have only targeted websites violating child protection laws (like porn sites without proper age verification), or sites affected by EU sanctions against Russia. However, those previous blocks are largely ineffective, with operators quickly bypassing them using new domains¹.

Opinion

While blocking terrorist propaganda like Al-Manar may seem like a good step to keep harmful content off the internet, I'm concerned about where this might lead. We can all agree this content is harmful, but this can lead to drastic consequences. Blocking "unconstitutional" content could lead to more censorship in the future, possibly affecting other types of speech that just don't match what the government or most people think. What starts with blocking terrorism could end up limiting free speech more than what's actually needed to keep people safe.

Sources

A private organization controlling what websites to block in Germany-without courts, without transparency.

What is the CUII?

The Clearingstelle Urheberrecht im Internet (CUII) is a private organization established in Germany in 2021. Its members include ISPs like Deutsche Telekom, Vodafone, 1&1, and Telefónica (O2), alongside major copyright holders¹. These ISPs alone control over 85% of the German market².

The CUII's role is to block websites allegedly commiting copyright infringement. However, unlike traditional legal processes, the CUII bypasses courts entirely. Its members find websites they want blocked, the CUII "evaluates" this and then decide which ones to block without requiring judicial approval.

One would assume that such a powerful entity operates transparently and adheres to strict monitoring practices, as outlined in their own Code of Conduct (Section 8)³. Unfortunately, that's far from the case.

How it began: cuiiliste.de

Although the CUII decides what websites to block, it does not publicly disclose the blocked domains. Even Germany's Federal Network Agency (BNetzA) is not informed about mirror domains (Section 9 of the Code of Conduct)³.

To counter this secrecy, the website cuiiliste.de was created in 2021. It aimed to crowdsource a list of blocked domains⁴. Sadly, cuiiliste.de shut down in 2023⁵.

When I discovered this, I decided to revive the concept. I acquired the domain and automated the process of checking and monitoring blocked websites. This included monitoring when which ISP blocked or unblocked which domain. This is because of the CUII's refusal to publish a domain list, as described in their Code of Conduct (Appendix 1, Section 4, Paragraph 4, Letter l)³.

While I worked on this, my friend Northernside GOT HIS HANDS ON THE ACTUAL CUII DOMAIN LIST!?
We won't disclose how, but this was groundbreaking.

Publishing the list

The leaked list revealed 284 blocked domains and subdomains. There are no wildcard blocks, all subdomains were individually listed.

Once the list was added to the database, news outlets picked up the story. Articles appeared on platforms like Netzpolitik.org⁶, Heise⁸, TorrentFreak⁹, and others. This made the project gained widespread attention, making the CUII’s lack of transparency more widely known.

You can still view and contribute to the updated list at cuiiliste.de.

The monitoring failure

The CUII's members are required to monitor blocked websites regularly to ensure they still meet the criteria for blocking (Section 8 of the Code of Conduct)³. This requirement is also enforced by the Federal Network Agency (BNetzA)¹⁰.

Yet domains remained wrongfully blocked for years. For example, serien.sx redirected to non-infringing content (serien.domains) as early as April 2022 (over 2 and a half year!). Despite this, it remained blocked until I raised the issue with the CUII. While they never responded, the domain was quietly unblocked soon after.

This was not an isolated case. Upon reviewing the blocked domains, I found that 41 out of 122 were wrongfully blocked-over one-third!
News outlets like Netzpolitik.org reported on this¹¹, forcing the CUII to lift many wrongful blocks¹².

Conclusion

The CUII operates with little oversight, significant power, and a questionable track record. Its members fail to perform required monitoring, leading to numerous wrongful blocks. Transparency, the foundation of accountability, still remains absent.

But how is such an organization even possible in Germany? Net neutrality should, in theory, protect the openness of the internet, yet the existence of the CUII seems to circumvent this principle. The pressure comes from legal and financial risks ISPs face if they do not block websites accused of copyright infringement. Although the law does not mandate these blocks, the fear of potential lawsuits motivates ISPs to align with copyright holders and form private and secretive organizations like the CUII.

This raises fundamental questions about the balance of power. How can private companies decide what is accessible on the internet? How does a system allow ISPs to bypass judicial oversight and enforce these measures themselves? And, most troubling, how did this lead to the creation of a secretive and unaccountable organization with such authority in a country that values freedom and transparency?

Do we really want a future where private and secretive organizations decide what we can access online, based on the whims of multi-billion-dollar companies?
The CUII shows how power, even in a free country, can grow under the disguise of enforcing outdated and overly broad copyright laws. Laws that increasingly prioritize corporate interests over individual freedoms, destroying the openness, innovation, and equality that the internet was meant to protect.

Visit cuiiliste.de to see the updated list and help push for more transparency in digital censorship (German only).

Sources

How I managed to keep my website JavaScript-free while still showing my current Spotify status in real-time.

The challenge: A real-time status using CSS only

Typically, when you want real-time updates on a website, like displaying the song you're currently listening to on Spotify, you use JavaScript. It's just what you use for fetching data and manipulating the page dynamically. You would never do some cursed CSS-only solution, right? How would you even fetch data without JavaScript?

Well, my website was built to be completely JavaScript-free, and I didn't want to "throw that away" for a single feature. So my goal was: Building a fully automatic and dynamically updating Spotify status without writing a single line of client-side JavaScript?
It turns out this is possible. The trick involves server-side streaming and a rather silly, but effective, use of CSS.

The solution: Streaming CSS updates

The core idea is surprisingly simple: instead of fetching a complete HTML file and closing the connection, the server just never closed the connection; it keeps the connection to the browser open. This allows the server to continuously "append" new data to the page, after the browser already loaded it.

Instead of changing the page content with JavaScript, I just send new <style> tags. Every time my Spotify status changes, the server injects a new block of CSS that overwrites the previous styles. All the dynamic elements you see (the song title, artist, album art, and the progress bar) are controlled entirely by these streamed CSS rules.

My friend yui (https://yui.dev/), whose website is genuinely amazing, was the one who suggested this clever approach to me. Please check out their work!

Here’s a simplified example of what the server sends when a new song starts playing:

<style>
    .song-title::before {
        content: "New Song Title";
    }
</style>

This new rule is added to the bottom of the document. Thanks to the "cascading" part of Cascading Style Sheets (CSS), the last rule defined for an element wins. The new content simply overwrites the old one, and the song title on the page changes instantly.

The backend

So, how does the server know when to send an update? I use a simple Python with Flask. The server permanently checks the Spotify API for my latest status (song title, artist, playback position).

When it detects a change, it generates the new CSS and sends it down all open connections. In Flask, this is easy to do with a python generator that yields the CSS updates as events happen.

A grossly oversimplified version of the code looks like this:

while True:
    # This line waits for a new event (e.g., song change) to come in
    event = event_queue.get()
    if event is None:
        break
    # This sends the new CSS to the browser
    yield event

I can add any update I want to the event_queue, and it gets streamed to the browser in real-time.

Keeping everything perfectly in sync

Now, a small problem with relying on CSS is that animations, like a progress bar, aren't always perfectly synced with the actual status. To solve this, my system updates the CSS in two ways:

1. Immediate Updates: If I pause, skip, or jump to a different timestamp in a song, the server detects this and sends a full CSS update immediately.
2. Periodic Resync: To correct any potential de-sync, the server also sends a complete, fresh set of CSS rules every five seconds, ensuring the progress bar and other details are always accurate.

Here's a look at it in action:

Problems... (and solutions)

This approach isn't without its issues. The most obvious issue is that with a constantly open connection, the browser's tab will show a "loading" spinner.

I solved this with a little trickery. I load the widget in an iframe, the initial HTML page loads completely and then uses a Refresh header to redirect to a second page after 5 seconds. This second page is the one that uses the "open" connection. Because the initial page finished loading, the browser considers the site "loaded", even while the Spotify element continues to receive background updates.

Another issue was adding a button to open the current song in Spotify. The solution: Overlay a new <a> element, every time the song changes, with the correct link to open the song in Spotify. This does mean that if you have my website open for hours, you will end up with hundreds of <a> elements stacked on top of each other.

Also, if you keep the page open for a very long time, the CSS will grow indefinitely. This is less of a problem than expected, as the CSS is "just text" and rather small, and browsers are quite good at optimizing it. Unless you plan on keeping the connection open for weeks, this shouldn't be an issue.

Update: Perfectly synced live lyrics!

I've since pushed this concept even further by adding live lyrics. By totally not breaking Spotify's ToS to fetch the lyric data, I can get the timestamps for every line.

The server sends all the lyrics and their timings to the browser as a single, keyframed CSS animation when the song first loads. This means the entire synchronization happens client-side within CSS, and the server only needs to send one update per song change. The result is lyrics that are almost perfectly synced to what I'm hearing.

Conclusion

This was an incredibly fun experiment, and I spent way too many hours on it. Anyone sane enough should absolutely just use JavaScript for something like this; it would have been infinitely easier.

But nevertheless, working on this was super fun, having to figure out

If you're curious to see the beautiful mess of code that makes this all work, you can find it on my GitHub: https://github.com/lina-x64/lina.sh