Authorities in the United States, Canada, and Germany have disrupted four significant botnets – Aisuru, Kimwolf, JackSkid, and Mossad – that collectively compromised over three million Internet of Things (IoT) devices. The coordinated law enforcement action, announced Thursday by the U.S. Department of Justice, aims to dismantle the infrastructure behind these networks responsible for record-breaking distributed denial-of-service (DDoS) attacks. These attacks have the potential to overwhelm online services and knock them offline, impacting businesses and individuals alike. Understanding the scope of these IoT botnet disruptions is crucial in an increasingly connected world.
The Justice Department stated that the Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting U.S.-registered domains, virtual servers, and other infrastructure used in DDoS attacks against Department of Defense internet addresses. The operators of these botnets allegedly launched hundreds of thousands of attacks, frequently demanding ransom payments from victims, with some reporting losses exceeding tens of thousands of dollars in remediation costs. The scale of these operations highlights the growing threat posed by compromised IoT devices.
According to the DOJ, Aisuru, the oldest of the four botnets, issued over 200,000 attack commands, while JackSkid launched at least 90,000. Kimwolf sent more than 25,000 commands, and Mossad was implicated in approximately 1,000 digital sieges. The disruption is intended to prevent further device infections and curtail the botnets’ ability to launch future attacks. The operation involved assistance from nearly two dozen technology companies, including Akamai, Amazon Web Services, and Cloudflare, demonstrating a broad collaborative effort to combat cybercrime.
The Rise of Volumetric Attacks and the Kimwolf Variant
The threat posed by these botnets came into sharp focus in late 2025, with Aisuru and its variant, Kimwolf, responsible for some of the largest DDoS attacks ever recorded. In October 2025, Aisuru unleashed a record-breaking DDoS attack, and in November, a massive 31.4 Tbps attack lasting just 35 seconds was attributed to the Aisuru/Kimwolf botnet, according to reports. These attacks were characterized by their sheer volume, reaching rates of up to 3 billion packets per second (Bpps) and 54 million requests per second (Mrps).
Kimwolf distinguished itself with a novel spreading mechanism that allowed it to infect devices even behind the protection of a user’s internal network. Synthient, a security firm, publicly disclosed the underlying vulnerability on January 2, 2026, which helped slow Kimwolf’s spread. However, several other IoT botnets have since emerged, replicating Kimwolf’s methods and competing for vulnerable devices. The JackSkid botnet also targeted systems on internal networks, mirroring Kimwolf’s tactics.
International Cooperation and Ongoing Investigations
The disruption of these botnets was a collaborative effort, with law enforcement actions also taking place in Canada and Germany targeting individuals allegedly operating the networks. While details regarding the suspects remain limited, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet in late February. Investigators also suspect a 15-year-old residing in Germany is involved, though no arrests have been announced as of Friday. The international scope of the investigation underscores the global nature of the threat posed by IoT botnets.
“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. This sentiment highlights the importance of international cooperation in combating cybercrime and protecting critical infrastructure.
What are DDoS Attacks and Why are IoT Devices Vulnerable?
DDoS attacks work by overwhelming a target server with traffic from multiple compromised computers, rendering it inaccessible to legitimate users. IoT devices, such as routers, webcams, and smart appliances, are particularly vulnerable because they often have weak default passwords and lack regular security updates. This makes them straightforward targets for hackers to compromise and add to botnets. The increasing number of connected devices expands the potential attack surface, making DDoS attacks more frequent and powerful.
The disruption of Aisuru, Kimwolf, JackSkid, and Mossad represents a significant step in combating these threats, but the underlying vulnerabilities in IoT devices remain a concern. Experts emphasize the need for stronger security measures, including robust passwords, regular software updates, and improved security protocols for IoT manufacturers. Consumers are also urged to secure their home networks and IoT devices to prevent them from being exploited in future attacks.
Authorities are continuing to investigate the individuals allegedly behind these botnets, and further details are expected to emerge as the case progresses. The Department of Justice has not provided a timeline for potential arrests or prosecutions. The ongoing efforts to dismantle these networks and hold perpetrators accountable are crucial in safeguarding the internet and protecting critical infrastructure from future attacks.
This coordinated takedown of major IoT botnets serves as a stark reminder of the evolving cyber threat landscape and the importance of proactive security measures. As the number of connected devices continues to grow, so too will the potential for large-scale DDoS attacks. Staying informed about these threats and taking steps to secure your devices is essential for protecting yourself and the broader digital ecosystem.
