
US and international law enforcement agencies have disrupted the command-and-control infrastructure behind four of the world’s most prolific IoT botnets, which were used to launch record-breaking DDoS attacks against victims worldwide.
The operation targeted the Aisuru, KimWolf, JackSkid, and Mossad botnets, which, together, allegedly controlled more than 3 million hijacked devices as of March 2026.
According to a US Department of Justice announcement, the takedown was carried out under court authorization and coordinated with parallel law enforcement actions in Canada and Germany. The botnets powered hundreds of thousands of distributed denial-of-service attacks, including some that reached a record-breaking 30 terabits per second.
Investigators seized multiple US-registered domains, virtual servers, and other infrastructure allegedly used to support the botnets’ operations. Court records allege the infrastructure was involved in cyber-enabled criminal activity, including DDoS attacks against IP addresses owned by the Department of Defense Information Network.
The four botnets primarily relied on infected internet-connected devices such as digital video recorders, web cameras, and WiFi routers. These devices, once compromised, were absorbed into large botnet fleets and then monetized through a cybercrime-as-a-service model, with operators renting out access to other threat actors. Those customers then used the botnets to overwhelm targeted systems with malicious traffic, knocking services offline and, in some cases, accompanying the attacks with extortion demands.
Investigators say the combined botnet ecosystem infected millions of devices worldwide, including hundreds of thousands in the United States. KimWolf and JackSkid targeted devices that are traditionally shielded from direct internet exposure by firewalls, suggesting techniques designed to reach systems not normally considered easily accessible from the public internet.
Aisuru issued more than 200,000 DDoS attack commands, KimWolf more than 25,000, JackSkid more than 90,000, and Mossad more than 1,000. Even the lowest figure represents a substantial operational tempo, while the higher totals point to mature and sustained abuse infrastructure.
The Justice Department said the goal of the operation was to cut off communications between the botnet controllers and infected devices, preventing further abuse and reducing the operators’ ability to launch new attacks. By targeting the command-and-control layer, authorities aim not only to blunt active attacks but also to disrupt the business model that enabled the sale of access to these compromised devices.
The DOJ also credited a long list of private-sector and nonprofit partners with supporting the investigation and contributing to the operation's success, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, The Shadowserver Foundation, Sony Interactive Entertainment, Team Cymru, and Europol’s PowerOFF team, among others.






