Breach · Published Mar 20, 2026 · Updated May 18, 2026 · 1 source

Feds Disrupt Four IoT Botnets Behind Record-Breaking DDoS Attacks

The U.S. Justice Department, with Canadian and German authorities, dismantled four IoT botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that compromised over three million devices and launched hundreds of thousands of DDoS attacks.

The U.S. Justice Department, working alongside law enforcement in Canada and Germany, has dismantled the infrastructure behind four massive IoT botnets that compromised more than three million devices—primarily routers and web cameras—and launched a relentless wave of record-breaking distributed denial-of-service (DDoS) attacks. The botnets, named Aisuru, Kimwolf, JackSkid, and Mossad, were responsible for hundreds of thousands of attacks, often accompanied by extortion demands that cost victims tens of thousands of dollars in losses and remediation expenses.

The operation, led by the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service (DCIS), executed seizure warrants against multiple U.S.-registered domains, virtual servers, and other infrastructure used to target Internet addresses owned by the Department of Defense. The DOJ stated that the action was designed to prevent further infections and to limit or eliminate the botnets’ ability to launch future attacks. The FBI’s Anchorage field office and nearly two dozen technology companies also assisted in the takedown.

The oldest botnet, Aisuru, emerged in late 2024 and by mid-2025 was already launching record-breaking DDoS attacks as it rapidly infected new IoT devices. It issued more than 200,000 attack commands. Aisuru later seeded a variant called Kimwolf, which introduced a novel spreading mechanism that allowed it to infect devices hidden behind internal networks. On January 2, 2026, security firm Synthient publicly disclosed the vulnerability Kimwolf was exploiting, which helped slow its spread—though copycat botnets soon emerged using similar techniques.

JackSkid, another of the disrupted botnets, also targeted internal network devices, issuing at least 90,000 attack commands. Mossad, the smallest of the four, was blamed for roughly 1,000 attacks. The DOJ noted that the disruption coincided with law enforcement actions in Canada and Germany targeting the alleged operators. In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of Kimwolf, and multiple sources told the outlet that the other prime suspect is a 15-year-old living in Germany.

The takedown highlights the persistent threat posed by IoT botnets, which weaponize poorly secured consumer and enterprise devices. The DOJ’s statement credited the collaborative effort with significantly reducing the immediate DDoS threat, but warned that similar botnets continue to emerge, competing for the same pool of vulnerable devices. The case underscores the importance of timely vulnerability disclosure and international cooperation in combating large-scale cybercrime.

Synthesized by Vypr AI