
Global Operation Cripples IoT Botnet Ring Behind Record DDoS Assaults

2026-05-02 07:27:44

A coordinated international law enforcement effort has successfully dismantled the infrastructure of four major botnets that had infected over three million Internet of Things (IoT) devices worldwide. The operation, led by the U.S. Justice Department with support from Canadian and German authorities, targeted the networks known as Aisuru, Kimwolf, JackSkid, and Mossad, which were responsible for some of the largest distributed denial-of-service (DDoS) attacks ever recorded.

Overview of the Botnet Takedown

The Justice Department announced that the Defense Criminal Investigative Service (DCIS) of the Department of Defense Office of Inspector General executed seizure warrants against multiple U.S.-registered domains, virtual servers, and other technical assets linked to the botnets. These systems were used to launch DDoS attacks against Internet addresses belonging to the Department of Defense, among other targets. The unnamed individuals controlling the botnets allegedly used them to extort victims, demanding payments after launching hundreds of thousands of attacks. Some victims reported losses and remediation costs totaling tens of thousands of dollars.

Global Operation Cripples IoT Botnet Ring Behind Record DDoS Assaults
Source: krebsonsecurity.com

The Four Botnets at a Glance

Each botnet had its own characteristics, but all shared a common goal: compromising vulnerable IoT devices such as routers and web cameras to build massive networks capable of overwhelming targets with traffic. Below is a closer look at each.

Aisuru: The Pioneer

Aisuru emerged in late 2024 and quickly became the most active of the four. According to government records, it issued more than 200,000 attack commands. By mid-2025, it was setting new records for DDoS attack size as it aggressively infected new devices. Its success paved the way for later variants.

Kimwolf: The Spreader

In October 2025, Aisuru was used to seed Kimwolf, a variant that introduced a novel propagation method. Unlike earlier botnets, Kimwolf could infect devices hidden behind internal networks, bypassing typical perimeter defenses. It issued over 25,000 attack commands. On January 2, 2026, security firm Synthient publicly disclosed the vulnerability used by Kimwolf to spread, which slowed its growth but did not stop copycat botnets from emerging.

JackSkid: The Copycat

JackSkid adopted Kimwolf's internal network scanning technique and launched at least 90,000 attacks. It competed for the same pool of vulnerable devices, demonstrating how one successful method can be replicated quickly by other criminal groups.

Mossad: The Smaller Player

Mossad was the least active of the four, with roughly 1,000 attacks attributed to it. Despite its smaller scale, it drew on the same pool of infected devices and was included in the takedown.

How the Botnets Operated

All four botnets exploited common weaknesses in IoT devices, such as default passwords, unpatched firmware, and unnecessarily open ports, to recruit them. Once infected, a device waited for instructions from a central command-and-control (C2) server. The operators then aimed the combined bandwidth of thousands of devices at a target, overwhelming it with traffic and knocking it offline. Extortion demands often followed, with victims paying to stop the assault.
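The two behaviours just described, a device checking in with a control server and then flooding a single victim on command, both leave traces in ordinary network flow data. The script below is an added example, not code from this article, from krebsonsecurity.com, or from any of the botnets named above. It runs two detections over a constructed set of NetFlow-style records: one flags a source whose outbound packet rate in a short window is both high and concentrated on one destination (DDoS participation), the other flags a source that contacts the same host at suspiciously regular intervals (C2 beaconing). The record layout, the IP addresses, and the thresholds are assumptions chosen for illustration; tune them to your own baseline before relying on them.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src IP, dst IP, dst port, packets, bytes).
# 192.168.1.20 plays an infected camera: it checks in with a control server every
# 60 s and, when commanded, floods one victim with small packets.
# 192.168.1.30 plays an ordinary laptop browsing several sites at random times.
FLOWS = [
    (1000, "192.168.1.20", "203.0.113.5", 443, 4, 600),
    (1060, "192.168.1.20", "203.0.113.5", 443, 4, 600),
    (1120, "192.168.1.20", "203.0.113.5", 443, 4, 600),
    (1180, "192.168.1.20", "203.0.113.5", 443, 4, 600),
    (1240, "192.168.1.20", "203.0.113.5", 443, 4, 600),
    (1200, "192.168.1.20", "198.51.100.9", 80, 50000, 3000000),
    (1210, "192.168.1.20", "198.51.100.9", 80, 52000, 3120000),
    (1220, "192.168.1.20", "198.51.100.9", 80, 51000, 3060000),
    (1005, "192.168.1.30", "93.184.216.34", 443, 120, 90000),
    (1047, "192.168.1.30", "151.101.1.69", 443, 300, 250000),
    (1130, "192.168.1.30", "203.0.113.5", 443, 40, 20000),
    (1233, "192.168.1.30", "142.250.72.14", 443, 80, 60000),
]


def find_flooders(flows, window_s=60, min_pps=500, min_share=0.9):
    """Flag sources whose outbound packet rate in some window reaches min_pps
    with at least min_share of those packets aimed at a single destination.
    Returns {src: {"pps": float, "dst": str, "share": float}} for the worst window."""
    buckets = defaultdict(lambda: defaultdict(int))  # (src, window) -> dst -> packets
    for ts, src, dst, _port, pkts, _bytes in flows:
        buckets[(src, ts // window_s)][dst] += pkts
    hits = {}
    for (src, _w), per_dst in buckets.items():
        total = sum(per_dst.values())
        top_dst, top_pkts = max(per_dst.items(), key=lambda kv: kv[1])
        pps, share = total / window_s, top_pkts / total
        if pps >= min_pps and share >= min_share and pps > hits.get(src, {}).get("pps", 0.0):
            hits[src] = {"pps": round(pps, 1), "dst": top_dst, "share": round(share, 3)}
    return hits


def find_beacons(flows, min_conns=4, max_cv=0.1):
    """Flag (src, dst, port) triples contacted at near-constant intervals: at least
    min_conns connections whose inter-arrival times have a coefficient of variation
    (stddev / mean) no larger than max_cv. Returns {(src, dst, port): mean_interval}."""
    times = defaultdict(list)
    for ts, src, dst, port, _pkts, _bytes in flows:
        times[(src, dst, port)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = float(avg)
    return hits


def suspicious_devices(flows):
    """Merge both detections into {src: [human-readable reasons]} for triage."""
    reasons = defaultdict(list)
    for src, hit in find_flooders(flows).items():
        reasons[src].append(f"flooding {hit['dst']} at {hit['pps']} pps")
    for (src, dst, port), interval in find_beacons(flows).items():
        reasons[src].append(f"beaconing to {dst}:{port} every {interval:.0f} s")
    return dict(reasons)


if __name__ == "__main__":
    for src, why in suspicious_devices(FLOWS).items():
        print(src, "->", "; ".join(why))
```

The laptop also talks to 203.0.113.5 once, which is why the beacon check keys on the source as well as the destination and requires several evenly spaced contacts before it fires; a single connection to a host later identified as C2 is a lead for the analyst, not a detection on its own.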


The DOJ stated that the disruption was designed to prevent further infections and to limit or eliminate the botnets' ability to launch future attacks. The investigation involved the FBI’s Anchorage field office and cooperation from nearly two dozen technology companies. Rebecca Day, Special Agent in Charge of the FBI Anchorage Field Office, emphasized the collaborative effort: “By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks.”

Impact and Ongoing Threats

While the takedown has neutralized these specific botnets, the DOJ warned that similar botnets continue to emerge, often copying Kimwolf's spreading methods. The same pool of vulnerable IoT devices remains a target, and device owners are urged to update firmware, change default passwords, and follow security best practices to reduce risk. The operation also coincided with law enforcement actions in Canada, though specific details from that side were not immediately disclosed.

Security Best Practices for IoT Device Owners

Owners of routers, cameras, and similar devices can shrink the pool these botnets recruit from by installing firmware updates as they are released, replacing default passwords with unique ones, and closing any port that does not need to be reachable from the Internet. This international crackdown marks a significant step in combating the growing threat of IoT botnets, but the fight continues as cybercriminals adapt their tactics. Law enforcement agencies remain vigilant, and further actions are likely in the future.
