IoT Botnet Takedown: US, Canada & Germany Disrupt Massive DDoS Attacks

by Anika Shah - Technology

Global Authorities Disrupt Massive IoT Botnets Behind Record-Breaking DDoS Attacks

International law enforcement agencies have dismantled the infrastructure supporting four significant botnets – Aisuru, Kimwolf, JackSkid, and Mossad – responsible for some of the largest distributed denial-of-service (DDoS) attacks on record. The coordinated effort, involving the U.S. Justice Department, Canadian authorities, and German officials, targeted over three million Internet of Things (IoT) devices, including routers and web cameras, compromised by these malicious networks.

DDoS Attacks and the Targeted Botnets

The Justice Department stated that the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants against U.S.-registered domains, virtual servers, and other infrastructure utilized in DDoS attacks against Department of Defense internet addresses. These botnets have been implicated in hundreds of thousands of attacks, often accompanied by extortion demands, resulting in substantial financial losses and remediation costs for victims – some reporting losses exceeding tens of thousands of dollars.

Here’s a breakdown of the botnet activity, according to the DOJ:

  • Aisuru: Issued over 200,000 attack commands.
  • JackSkid: Launched at least 90,000 attacks.
  • Kimwolf: Issued more than 25,000 attack commands.
  • Mossad: Responsible for approximately 1,000 digital sieges.

Evolution and Spread of the Botnets

Aisuru, the oldest of the group, began its activity in late 2024 and rapidly gained notoriety for its record-breaking DDoS attacks by mid-2025. In October 2025 it spawned Kimwolf, a variant that introduced a novel spreading mechanism allowing it to infect devices even behind users' internal network protections.

Security firm Synthient publicly disclosed the vulnerability exploited by Kimwolf on January 2, 2026, which helped to slow its spread. However, several other IoT botnets quickly emerged, replicating Kimwolf’s methods and competing for the same vulnerable devices. The JackSkid botnet similarly targeted systems on internal networks, mirroring Kimwolf’s tactics.

International Cooperation and Ongoing Investigation

The disruption of these botnets was coordinated with law enforcement actions in Canada and Germany, targeting individuals believed to be operating the networks. While details regarding the suspected operators remain limited, KrebsOnSecurity identified a 22-year-old Canadian man as a key figure in the Kimwolf botnet in late February, and multiple sources suggest a 15-year-old in Germany is another prime suspect.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

Implications and Future Outlook

This joint operation aims to prevent further device infections and curtail the botnets’ ability to launch future attacks. The involvement of nearly two dozen technology companies in assisting the operation highlights the collaborative effort required to combat the growing threat of IoT-based DDoS attacks. As IoT devices continue to proliferate, securing these devices and mitigating vulnerabilities will remain a critical challenge for cybersecurity professionals and law enforcement agencies worldwide.
