U.S. and International Authorities Disrupt Four Major IoT Botnets

The U.S. Justice Department, in collaboration with law enforcement agencies in Canada and Germany, has dismantled the infrastructure behind four highly disruptive Internet of Things (IoT) botnets (Aisuru, Kimwolf, JackSkid, and Mossad), which collectively compromised more than three million IoT devices, including routers and webcams.

The botnets were responsible for launching hundreds of thousands of distributed denial-of-service (DDoS) attacks, often extorting victims with demands for payment. Some victims reported losses exceeding tens of thousands of dollars in remediation costs.

Seizure of U.S.-Based Infrastructure

The Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure linked to the botnets. These systems were used in DDoS attacks against Internet addresses owned by the U.S. Department of Defense.

The law enforcement action aimed to prevent further infections and eliminate the botnets’ ability to launch future attacks. The investigation was led by the DCIS, with support from the FBI’s Anchorage Field Office and nearly two dozen technology companies.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks.”

— Special Agent in Charge Rebecca Day, FBI Anchorage Field Office

Breakdown of Botnet Activity

The four botnets were responsible for the following attack volumes:

  • Aisuru: Over 200,000 attack commands
  • JackSkid: At least 90,000 attack commands
  • Kimwolf: More than 25,000 attack commands
  • Mossad: Roughly 1,000 digital sieges

Origins and Evolution of the Botnets

Aisuru emerged in late 2024 and rapidly expanded, launching record-breaking DDoS attacks by mid-2025. In October 2025, Aisuru was used to seed Kimwolf, a variant that introduced a novel spreading mechanism, allowing it to infect devices hidden behind internal network protections.

On January 2, 2026, the cybersecurity firm Synthient publicly disclosed the vulnerability exploited by Kimwolf, which temporarily curbed its spread. However, other botnets have since adopted similar propagation methods, competing for the same pool of vulnerable devices. The JackSkid botnet also targeted systems on internal networks, mirroring Kimwolf’s approach.

International Law Enforcement Actions

The DOJ’s disruption of the four botnets coincided with law enforcement actions in Canada and Germany targeting individuals allegedly operating the botnets. While no further details were provided, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of Kimwolf in late February. Multiple sources also implicated a 15-year-old German resident as a prime suspect in the operation.

Image: Shutterstock, @Elzicon.