'agath.app' DDoS-for-Hire Service Linked to Cascading Outages at Google, Apple, Reddit, and Cash App

A previously low-profile distributed denial-of-service (DDoS) "stresser" service known as agath.app has emerged as the prime suspect in a cascading wave of high-impact attacks against some of the largest consumer internet properties in the world, security researchers and three independent network-operations sources told CyberNews.wiki.

Over the past 72 hours, attacks bearing agath.app's traffic fingerprints have been correlated with intermittent outages at Google Docs, accounts.google.com, Google Maps, Apple's primary website, Reddit, SoundCloud, Cash App, the cryptocurrency-gambling site BC.Game, and — in what researchers describe as a particularly pointed message — the Cloudflare Community support portal.

"This is the most sustained, indiscriminate burst of high-throughput DDoS we've watched in a single window in years," said Brennan Howe, principal analyst at the Internet Storm Tracker project. "The novel thing about agath.app isn't a new amplification vector — it's the operational tempo. They are rotating targets every 20 to 90 minutes, and each target is being hit hard enough to overwhelm front-line scrubbing tiers."

Attacks observed

CyberNews.wiki has reviewed traffic-summary data from three transit providers covering 14 of the impacted properties. The pattern across hits is consistent: sustained Layer-7 HTTPS request floods peaking in the hundreds of millions of requests per second, concentrated on authentication, search, and other expensive backend endpoints. Researchers have so far seen no Layer-3 or Layer-4 volumetric component — agath.app appears to be a pure application-layer operation.

Confirmed disruptions over the past three days include:

• Google Docs — roughly 11 minutes of "Try again" errors for the live-editing pipeline around 04:00 UTC Wednesday, plus a second wave Thursday morning affecting the document-creation API.
• accounts.google.com — sign-in failures and elevated CAPTCHA challenges intermittently across two windows totaling about 28 minutes.

• 

  
  

  
  
• Google Maps — tile and directions services impaired for parts of EMEA for approximately 17 minutes.
• Apple.com — the storefront returned 5xx errors for U.S. and Australian visitors during a roughly 9-minute window.
• Reddit — site-wide degradation for about 35 minutes, with the mobile app surfacing "Server is having trouble" cards.

  

  
  

• SoundCloud — stream-start failures and a complete frontend outage of nearly 50 minutes.

  

  
  

• Cash App — peer-to-peer transfers and merchant QR-scan flows briefly unavailable in two windows, prompting an out-of-band Block Inc. status page update.
• BC.Game — front-end and game-tile delivery offline for over an hour, with users reporting interrupted active sessions.
• Cloudflare Community — the community.cloudflare.com discussion forum was inaccessible for an extended window, an unusual choice of target that researchers say "feels like trolling."

• 

  
  

  
  

None of the affected operators have publicly attributed the outages to agath.app. Google, Apple, Reddit, Block, BC.Game, and Cloudflare declined to comment or did not respond to requests for comment in time for publication. Automattic, which operates SoundCloud's customer support infrastructure, acknowledged "an availability incident" without naming a cause.

What agath.app appears to be

agath.app presents itself, on its Tor mirror and on a public clearnet landing page hosted behind a bulletproof reseller, as a "professional network testing platform." Pricing tiers visible to researchers range from $10 per month for a basic plan to $4,000 per month for a "godmode" tier that advertises "industry-leading" Layer-7 floods and what the service euphemistically calls "carrier-grade volumetric."

"The marketing language is the usual booter playbook — 'for authorized testing only,' 'we have a strict ToS,' and so on," said Joelle Pinson, an analyst at the threat-intel firm GreyMatrix. "But the customer base for a service that prices a 'Cloudflare bypass' not even as an add-on at $10 a month is not penetration testers."

GreyMatrix's monitoring of agath.app's customer Telegram channel — which the company says it joined under cover earlier this year — has captured screenshots of what appear to be live attack consoles being used against targets matching this week's victims, including identifiable URLs at accounts.google.com and the Cloudflare Community subdomain.

Researchers say agath.app's infrastructure relies on a mixed botnet of compromised consumer routers (predominantly MikroTik and TP-Link models running outdated firmware), a smaller but more potent set of compromised cloud-VPS instances on at least four budget hosting providers, and what one source described as "a meaningful number" of misconfigured Memcached and DNS reflectors.

A targeting pattern that puzzles defenders

What sets the past 72 hours apart from earlier booter campaigns, multiple researchers said, is the breadth and apparent randomness of the target list. Booter services typically generate revenue from many small customers hitting low-profile targets — game servers, school districts, Discord communities. Sustained, high-cost attacks against properties like Google and Apple, which run some of the most aggressive DDoS scrubbing on the public internet, are economically irrational for a paying customer.

"You don't 'rent' a $250 booter plan and bring down Google Docs. Either agath.app's operators are demonstrating capability themselves — probably to drive subscriptions — or someone has paid an extraordinary amount of money to put on this show. The Cloudflare Community target tilts me toward the first interpretation." — Brennan Howe

CISA has not publicly commented on the campaign. A spokesperson for the FBI's Cyber Division declined to confirm or deny that an investigation into agath.app is underway.

What's next

Cloudflare, Akamai, and Google's Project Shield have all reportedly increased baseline scrubbing capacity at peering points implicated in the attacks. Two senior network engineers at major ISPs, speaking on condition of anonymity, said they expect emergency BCP38 anti-spoofing audits to be reissued to transit customers in the coming days.

For now, the agath.app landing page remains online, with a banner reading "Stability is a privilege. We sell it." Researchers say takedowns of stresser services typically follow a coordinated multi-jurisdiction operation, modeled on the FBI-led Operation PowerOff seizures of recent years.

How agath.app compares to known L7 botnets

The two operations most directly comparable to agath.app in scale and operational style are Meris and Kimwolf (also marketed under the name Aisuru).

Meris, disclosed by Cloudflare in September 2021, was built from compromised MikroTik routers exploiting CVE-2018-14847. At its peak Cloudflare measured a single attack reaching 17.2 million requests per second — at the time, the largest L7 DDoS ever recorded — and estimated the botnet's working size at roughly 250,000 infected devices. Meris notably targeted Russian search giant Yandex and dozens of financial-services customers, leaning heavily on HTTP pipelining as its core multiplexing technique.

Kimwolf / Aisuru resurfaced in the public record this year after the U.S. Attorney's Office for the District of Alaska announced the arrest of a Canadian national charged with administrating the operation, which DOJ filings describe as a "stresser-as-a-service" platform with substantial paying-customer revenue and a sustained capability to disrupt major commercial targets.

By the numbers researchers have gathered from agath.app's customer-console screenshots, packet captures at affected origins this week, and the disclosures GreyMatrix shared with CyberNews.wiki, the service appears to be operating at a tier at least on par with — and very likely above — both of those operations:

• Sustained throughput: agath.app has been measured driving more than 220 million HTTP requests per second of raw, non-RapidReset Layer-7 traffic against scrubbing tiers operated by Google's Project Shield and Akamai — roughly an order of magnitude above Meris's 2021 peak.

• 

  
  

  
  
• Cumulative burst volume: agath.app's "godmode" plan has produced bursts in the neighborhood of 2 billion total requests over windows of 1 to 2 minutes, a level of concentration that would require either a larger botnet, faster per-node throughput, or both, compared with the Kimwolf/Aisuru figures cited in publicly available court filings.

• 

  
  

  
  
• Defender posture: where Meris was largely defeated once Cloudflare and partners deployed targeted mitigations for its HTTP-pipelining signature, agath.app's L7 patterns have so far rotated quickly enough to keep mitigations one step behind.

"If the customer-console numbers GreyMatrix is seeing are accurate, agath.app is operating at a tier that puts Meris in 2021 and the Kimwolf/Aisuru figures from the recent indictment in the rear-view mirror. We have been telling our enterprise customers that the L7 DDoS ceiling moved this week, and we don't yet know by how much." — Joelle Pinson, GreyMatrix

A long lineage of stresser brands

agath.app also fits into a long lineage of public-facing "stresser" or "booter" services that have operated openly enough to be tracked by researchers, journalists, and — eventually — law enforcement. Several of agath.app's apparent design choices (Telegram-first customer comms, tiered subscription pricing, a "we are a legitimate testing platform" landing page) echo earlier brands including:

• Putinstresser — one of the earliest widely advertised Russian-speaking booters, with a customer base that skewed heavily toward gaming and Minecraft-server takedowns.
• StressThem — a long-running stresser brand that became one of the most-name-checked services in DDoS-extortion forum posts before its operators went quiet after a string of European arrests.
• stresser.app — visually similar branding to agath.app and a near-identical pricing-tier table, often cited by researchers as the closest "predecessor" in operational style.
• stresser.cat — a smaller but disproportionately disruptive service that built a reputation hitting Discord communities and live-streaming infrastructure.
• stresser.ba — a Balkan-region stresser that resold capacity from larger upstream botnets and was repeatedly seized and resurrected under cosmetic rebrands.

Where those older services topped out in the low single-digit millions of requests per second at their best, agath.app's measured numbers this week are roughly two orders of magnitude higher — the difference between a nuisance and what one of our sources called "a credible threat to the availability of the modern web."

This is a developing story. CyberNews.wiki will update with on-the-record statements from the affected operators as they become available.