Law enforcement agencies in the United States, Germany and Canada have carried out a coordinated operation against four of the most powerful IoT botnets seen in recent years — Aisuru, Kimwolf, JackSkid and Mossad. Their command infrastructure, responsible for massive globally distributed DDoS attacks including strikes on parts of the US Department of Defense Information Network (DoDIN), has been taken offline.
International operation against large-scale IoT DDoS infrastructure
The operation was led by the US Department of Justice (DoJ) with support from German and Canadian authorities and extensive assistance from the private sector. Experts from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud and other major internet infrastructure providers contributed technical intelligence and mitigation capabilities.
According to the DoJ, the four botnets collectively compromised more than 3 million IoT and related devices worldwide — from IP cameras and DVRs to consumer Wi‑Fi routers. Hundreds of thousands of infected nodes were located inside networks in the United States, significantly increasing the threat to local service providers, enterprises and government systems.
In security terms, an IoT botnet is a network of internet-connected devices hijacked by malware and remotely controlled to perform coordinated actions, most commonly distributed denial-of-service (DDoS) attacks. These attacks flood targets with malicious traffic, attempting to make websites, APIs or entire networks unavailable.
Command-and-control takedown and record-breaking DDoS firepower
During the operation, investigators seized virtual servers, domain names and other infrastructure used as command-and-control (C2) servers. C2 systems are the “brain” of a botnet: they send instructions to infected devices, update malware and orchestrate attack campaigns.
Court documents show the scale of activity. The Aisuru botnet alone issued more than 200,000 DDoS commands; JackSkid launched over 90,000, Kimwolf more than 25,000, and Mossad over 1,000. In December 2025, Aisuru carried out a DDoS attack peaking at approximately 31.4 Tbps and 200 million requests per second against telecommunications targets — a new publicly reported benchmark for DDoS capacity. The previous record of 29.7 Tbps was also attributed to Aisuru.
For comparison, early IoT botnets such as Mirai, which caused significant outages in 2016, operated at a fraction of this traffic volume. The figures associated with Aisuru underscore how quickly DDoS capabilities have escalated as more bandwidth-rich consumer devices join the internet.
Kimwolf: Android-based successor and new IoT botnet tactics
The Kimwolf botnet, detailed by XLab researchers in December 2025, represents a notable evolution. It infected millions of Android-based devices, primarily low-cost smart TVs and TV set‑top boxes, effectively becoming an Android variant of Aisuru. According to AWS vice president Tom Scholl, Kimwolf significantly changed how modern botnets scale.
Abuse of residential proxies and home networks
Instead of scanning the entire internet for random vulnerable systems — a classic tactic pioneered by Mirai — Kimwolf heavily abused residential proxy networks. By pivoting through already compromised IoT devices, it infiltrated internal home networks and then spread to Android equipment behind consumer routers.
This approach made infections harder to detect and block. DDoS traffic originated from what looked like normal home-user IP addresses rather than from obvious data centers or bulletproof hosting. For defenders, distinguishing malicious requests from legitimate household traffic became significantly more challenging.
Null-routing C2 servers and exploitation of open ADB services
Researchers at Lumen Black Lotus Labs report that nearly 1,000 C2 servers associated with Aisuru and Kimwolf were taken offline using null-routing. Null-routing (or “blackholing”) directs all traffic to a specific IP address into a virtual “black hole,” effectively cutting the system off from the internet without harming other services. It is a proven technique for quickly neutralizing malicious infrastructure at the network level.
Telemetry collected in early March 2026 showed aggressive spread by the remaining botnets. JackSkid was infecting on average more than 150,000 devices per day, while Mossad compromised over 100,000 devices daily. Both botnets, like Kimwolf, exploited weaknesses in residential proxy providers and devices exposing the Android Debug Bridge (ADB) to the internet.
ADB is a developer tool intended for debugging Android devices. When it is left enabled and reachable from the public internet, attackers can often gain nearly full remote control, including the ability to install malware, join the device to a botnet and intercept traffic. The use of open ADB ports on consumer electronics highlights persistent security gaps in IoT product design and default configurations.
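As an added example (not from the article or from any of the vendors it cites), the following Python script shows the defender-side check that follows from this point: scanning a home or small-office firewall's accepted-connection log for LAN devices that accepted ADB connections (TCP/5555) from outside the local network. The log format, the sample lines and the device addresses are constructed for the example; public sources use IANA documentation ranges, so the script deliberately tests against RFC 1918 ranges rather than Python's broader `is_private` flag, which would also treat those documentation addresses as private.

```python
"""Flag LAN devices that accepted Android Debug Bridge (ADB, TCP/5555)
connections from the public internet, based on firewall/NAT accept logs.

Added example, not code from the article. The log format below is a
constructed, simplified one-line-per-accepted-connection format:
    <timestamp> ACCEPT <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
"""
import ipaddress
import re
from collections import defaultdict

ADB_PORT = 5555

# RFC 1918 ranges: traffic from these is "inside the LAN" for our purposes.
# We do not use ipaddress.is_private here because it also covers IANA
# documentation ranges (198.51.100.0/24, 203.0.113.0/24), which we use below
# as stand-ins for public internet sources.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: two set-top boxes (.40 and .41) reachable on 5555
# from outside, plus benign LAN-internal ADB use and an unrelated HTTPS flow.
SAMPLE_LOG = """\
2026-03-02T10:00:01Z ACCEPT 198.51.100.7:51234 -> 192.168.1.40:5555 TCP
2026-03-02T10:00:03Z ACCEPT 203.0.113.9:40001 -> 192.168.1.40:5555 TCP
2026-03-02T10:00:05Z ACCEPT 192.168.1.10:49152 -> 192.168.1.40:5555 TCP
2026-03-02T10:00:07Z ACCEPT 198.51.100.7:51240 -> 192.168.1.20:443 TCP
2026-03-02T10:00:09Z ACCEPT 203.0.113.77:40100 -> 192.168.1.41:5555 TCP
2026-03-02T10:00:11Z ACCEPT 192.168.1.10:49153 -> 192.168.1.41:5555 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def is_lan(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    return any(addr in net for net in LAN_RANGES)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_exposed_adb(log_text, min_public_sources=1):
    """Return {lan_device_ip: sorted public source IPs} for every LAN device that
    accepted TCP/5555 connections from at least min_public_sources distinct
    non-LAN addresses. ADB connections that originate inside the LAN are
    ignored: they are not exposure by themselves (though they may still be
    worth reviewing if the LAN is already compromised)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != ADB_PORT:
            continue
        if is_lan(rec["src"]) or not is_lan(rec["dst"]):
            continue
        hits[str(rec["dst"])].add(str(rec["src"]))
    return {dev: sorted(srcs) for dev, srcs in hits.items() if len(srcs) >= min_public_sources}


if __name__ == "__main__":
    for dev, sources in find_exposed_adb(SAMPLE_LOG).items():
        print(f"{dev}: ADB accepted from {len(sources)} public address(es): {', '.join(sources)}")
```

A device that shows up here should have ADB-over-network disabled (or the router's port forward removed) and its firmware checked; raising `min_public_sources` turns the same function into a cruder "being scanned" signal, since a single device seeing many distinct outside sources on 5555 is the pattern one would expect from automated botnet recruitment.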
Cybercrime-as-a-service: DDoS-for-hire and ongoing investigation
The operators of Aisuru, Kimwolf, JackSkid and Mossad monetized their infrastructure via a cybercrime-as-a-service model. They offered DDoS-for-hire and related services to other criminal groups, either on a subscription basis or per attack. In some cases, these services were used for extortion, threatening victims with prolonged or repeated outages unless a ransom was paid.
Such “attack-on-demand” platforms dramatically lower the entry barrier for cybercrime: even low-skilled actors can initiate highly disruptive operations by renting pre-built botnets, similar to how legitimate users rent cloud infrastructure.
Earlier, independent cybersecurity journalist Brian Krebs reported that one possible administrator of Kimwolf could be Jacob Butler, a 23‑year‑old resident of Ottawa known online as “Dort,” and that a 15‑year‑old from Germany might also be involved. Butler has denied any role in current activities linked to the Dort alias, claiming his former account was compromised. At the time of writing, law enforcement has not announced any arrests, and these identities remain unverified allegations from journalistic investigations.
Impact on critical infrastructure and key cybersecurity lessons
Analysis from Akamai and other providers indicates that DDoS campaigns of this magnitude can severely disrupt core internet infrastructure, degrade service quality for ISPs, and strain even specialized cloud-based DDoS protection platforms. Each unprotected camera, router or smart TV effectively becomes a micro-node in a global weapon that can be directed against businesses and government agencies.
Disabling the infrastructure of Aisuru, Kimwolf, JackSkid and Mossad is a major step in reducing current botnet capacity, but it does not eliminate the underlying problem. IoT manufacturers need to minimize the use of insecure services such as exposed ADB by default, implement automatic updates and ship devices with hardened, security-focused configurations.
For organizations, priority measures include multi-layered DDoS protection (network‑level filtering, application‑layer defenses and upstream scrubbing centers), network segmentation to limit blast radius, continuous traffic anomaly monitoring, and close cooperation with ISPs and specialized security providers. Regular testing of incident response plans for large DDoS scenarios is equally important.
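To make the "continuous traffic anomaly monitoring" item concrete, here is an added Python example (not code from the article or from any provider named in it) of a minimal volumetric-burst detector: it buckets request events into 10-second windows, learns a baseline from the median of earlier windows, flags a window whose count exceeds a multiple of that baseline, and reports how many distinct source addresses were involved, which is the signal that separates a flood from many residential-looking IPs (the Kimwolf pattern described earlier) from a single misbehaving client. The event stream, the CGNAT-range source addresses and the thresholds are constructed for the example.

```python
"""Baseline-vs-burst request-rate anomaly detector over (timestamp, source_ip)
events. Added example, not code from the article. Thresholds are illustrative.
"""
from collections import Counter, defaultdict
from statistics import median

BUCKET_SECONDS = 10


def bucket_stats(events, bucket=BUCKET_SECONDS):
    """Group events into fixed windows.

    events: iterable of (unix_timestamp, source_ip).
    Returns {window_start: (request_count, distinct_source_count)} in time order.
    """
    counts = Counter()
    sources = defaultdict(set)
    for ts, src in events:
        start = int(ts) // bucket * bucket
        counts[start] += 1
        sources[start].add(src)
    return {start: (counts[start], len(sources[start])) for start in sorted(counts)}


def detect_anomalies(events, bucket=BUCKET_SECONDS, warmup_buckets=3, factor=5.0):
    """Flag windows whose request count exceeds factor * median(history).

    History is built only from windows that were not flagged, so a flood does
    not raise the baseline and hide the rest of its own attack. No alert is
    raised until warmup_buckets of history exist.
    """
    history = []
    alerts = []
    for start, (count, distinct) in bucket_stats(events, bucket).items():
        if len(history) >= warmup_buckets:
            baseline = median(history)
            if count > factor * baseline:
                alerts.append({
                    "bucket_start": start,
                    "requests": count,
                    "distinct_sources": distinct,
                    "baseline": baseline,
                })
                continue  # keep attack traffic out of the baseline
        history.append(count)
    return alerts


def constructed_events():
    """Constructed sample stream: a steady 5 req/s from three clients for 60 s,
    plus a flood in the 40-50 s window from 400 distinct CGNAT-range addresses
    sending 5 requests each (2,000 extra requests)."""
    normal_ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    events = []
    for t in range(60):
        for i in range(5):
            events.append((t + i / 5, normal_ips[i % 3]))
    for k in range(400):
        ip = f"100.64.{k // 256}.{k % 256}"
        for _ in range(5):
            events.append((40 + (k % 10) + 0.5, ip))
    return events


if __name__ == "__main__":
    for alert in detect_anomalies(constructed_events()):
        print(f"window starting t={alert['bucket_start']}s: {alert['requests']} requests "
              f"from {alert['distinct_sources']} sources (baseline {alert['baseline']:.0f}/window)")
```

In production the same logic runs over per-window counters exported by the edge (load balancer, WAF or flow collector) rather than raw events, and the distinct-source count is what tells the operator whether ordinary per-IP rate limiting will help (few sources) or whether upstream scrubbing is needed (thousands of sources, each individually below any per-IP limit).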
Individual users and small businesses can significantly reduce risk by changing default passwords on routers and cameras, keeping firmware up to date, disabling remote access and debugging interfaces when not needed, and avoiding untrusted “smart” devices with poor update policies. The scale of these botnets demonstrates that every poorly secured IoT device can become part of a global attack. Systematic cybersecurity hygiene at home and in small offices makes it far harder for attackers to assemble the next generation of record‑breaking IoT DDoS botnets.