Hacker-City
Technology|March 25, 2026|3 min read

Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

The U.S. Justice Department, along with authorities in Canada and Germany, dismantled four major botnets that compromised over three million IoT devices and launched record-breaking DDoS attacks.

A coordinated international law enforcement operation has successfully dismantled four major botnets that compromised over three million Internet of Things (IoT) devices worldwide. The U.S. Justice Department, working alongside authorities in Canada and Germany, targeted the criminal infrastructure behind the Aisuru, Kimwolf, JackSkid, and Mossad botnets, which were responsible for launching devastating distributed denial-of-service (DDoS) attacks capable of overwhelming virtually any online target.

The operation involved the execution of seizure warrants by the Department of Defense Office of Inspector General's Defense Criminal Investigative Service (DCIS), targeting multiple U.S.-registered domains, virtual servers, and other infrastructure components used in attacks against Department of Defense internet addresses.

According to federal authorities, the criminal operators behind these botnets orchestrated hundreds of thousands of DDoS attacks, frequently demanding extortion payments from their victims. The financial impact was substantial, with some victims reporting tens of thousands of dollars in losses and remediation costs.

The scale of the attacks varied significantly across the four botnets. Aisuru, the oldest and most prolific of the networks, generated over 200,000 attack commands during its operational period. JackSkid launched approximately 90,000 attacks, while Kimwolf issued more than 25,000 attack commands. The Mossad botnet, though smaller in scope, was still responsible for roughly 1,000 digital assaults.

The law enforcement action was strategically designed to prevent further infections of victim devices and to significantly reduce or eliminate the botnets' capacity to conduct future attacks. The investigation was led by DCIS with assistance from the FBI's Anchorage, Alaska field office, and the operation benefited from the cooperation of nearly two dozen technology companies.

Rebecca Day, Special Agent in Charge of the FBI Anchorage Field Office, emphasized the collaborative nature of the effort: "By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks."

The evolution of these botnets demonstrates the rapidly advancing sophistication of cybercriminal operations. Aisuru first appeared in late 2024 and quickly gained notoriety for launching record-breaking DDoS attacks while aggressively expanding its network of infected IoT devices. By mid-2025, the botnet had grown powerful enough to overwhelm major online services.

In October 2025, Aisuru's operators deployed a variant called Kimwolf, which introduced a groundbreaking propagation mechanism. This innovation allowed the botnet to penetrate and infect devices that were previously protected behind users' internal network security measures, significantly expanding the potential victim pool.

The cybersecurity landscape shifted on January 2, 2026, when security firm Synthient publicly disclosed the specific vulnerability that Kimwolf was exploiting for its rapid spread. While this disclosure helped slow Kimwolf's expansion, it also inadvertently provided a blueprint for other cybercriminal groups. Subsequently, several competing IoT botnets emerged, incorporating similar spreading techniques while vying for control of the same vulnerable device ecosystem. The JackSkid botnet was among these newer threats, adopting Kimwolf's internal network penetration capabilities.

The international scope of the operation extended beyond infrastructure seizures. The Justice Department confirmed that the dismantling of the four botnets occurred in conjunction with "law enforcement actions" conducted in Canada and Germany, targeting individuals suspected of operating these criminal networks. However, specific details about these parallel operations remain confidential.

Recent investigative reporting has shed light on the suspected operators behind these botnets. In late February, KrebsOnSecurity identified a 22-year-old Canadian individual as a central figure in the Kimwolf botnet's operation. Additionally, multiple sources familiar with the investigation have indicated that a 15-year-old resident of Germany is considered another primary suspect in the case.

This successful disruption operation represents a significant victory in the ongoing battle against cybercrime, demonstrating the effectiveness of international cooperation in combating sophisticated botnet operations that threaten global internet infrastructure and security.