The US Department of Justice (DoJ) has led a large‑scale operation to disrupt the command‑and‑control (C2) infrastructure of several major Internet of Things (IoT) botnets — AISURU, Kimwolf, JackSkid and Mossad. These Mirai‑based networks hijacked millions of vulnerable devices worldwide and were responsible for some of the most powerful distributed denial‑of‑service (DDoS) attacks ever observed.
Global operation against AISURU, Kimwolf, JackSkid and Mossad IoT botnets
According to the DoJ, the takedown was executed under federal court orders and relied on close cooperation with law enforcement agencies in Canada and Germany. In parallel, suspected operators of the botnets became subjects of criminal investigations in those jurisdictions.
The operation depended heavily on data and expertise from major internet and cloud providers, including Akamai, Amazon Web Services (AWS), Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Team Cymru, QiAnXin XLab and others. Network telemetry from these companies helped investigators trace malicious traffic, identify C2 servers and sinkhole or disable the infrastructure coordinating the botnets.
Focusing first on technical neutralization — seizing domains, disabling C2 servers and disrupting traffic routes — follows an established pattern in botnet operations. Historically, taking down infrastructure can be achieved much faster than positively identifying and prosecuting all individuals involved.
Record IoT DDoS attacks up to 31.4 Tbps and billions of packets per second
The four botnets collectively targeted organizations around the world with DDoS attacks whose bandwidth frequently exceeded 30 Tbps, a level that would have been considered theoretical only a few years ago. For comparison, the original Mirai attacks in 2016 that crippled DNS provider Dyn operated in the hundreds of Gbps range, not tens of Tbps.
Cloudflare reported that the AISURU/Kimwolf botnet launched a peak attack of 31.4 Tbps in November 2025. Although the burst lasted only about 35 seconds, its intensity posed a serious threat even to large mitigation platforms.
In late 2025, providers observed so‑called hyper‑volumetric DDoS campaigns originating from these botnets: traffic rates up to 3 billion packets per second (Bpps), roughly 4 Tbps by volume and around 54 million HTTP requests per second (Mrps).
Akamai’s telemetry indicates that, in aggregate, AISURU, Kimwolf, JackSkid and Mossad generated attacks exceeding 30 Tbps, peaking at 14 Bpps and more than 300 million requests per second. In several incidents, attackers combined DDoS with extortion, demanding payment in exchange for stopping or not escalating the attacks — a pattern increasingly seen in “DDoS‑for‑ransom” campaigns.
Mirai variants targeting 3+ million IoT devices worldwide
All four botnets are assessed as variants of the Mirai malware family, which has been targeting IoT devices such as IP cameras, digital video recorders (DVRs) and routers since 2016. In this case, at least 3 million devices across the globe were compromised, including hundreds of thousands located in the United States.
While traditional Mirai‑like botnets primarily scan the public internet for devices with weak passwords or unpatched vulnerabilities, Kimwolf adopted a more advanced approach by abusing residential proxy networks. These services route traffic through consumer and office devices, making malicious connections appear as if they originate from ordinary home users.
Residential proxies, Android TV boxes and “botnet‑as‑a‑service”
As analyzed by AWS Distinguished Engineer Tom Scholl, Kimwolf was able to pivot inside home networks through already compromised IoT hardware, such as streaming TV boxes and other smart devices. This allowed attackers to reach segments that are normally shielded by NAT and the firewall capabilities of home routers, and therefore invisible to direct external scans.
One associated botnet reportedly controlled more than 2 million Android devices, primarily low‑cost or unbranded Android TV set‑top boxes shipping with outdated or insecure firmware. Additional nodes included DVRs, IP cameras and Wi‑Fi routers.
Operators of Kimwolf and JackSkid specifically sought out devices typically assumed to be “safe” behind firewalls. Once compromised, these devices became part of a commercial “cybercrime‑as‑a‑service” ecosystem, where access to the botnet was sold to other threat actors to launch their own DDoS campaigns on demand.
Attribution efforts and legal considerations
Cybersecurity journalist Brian Krebs has linked the administration of Kimwolf to a 23‑year‑old resident of Ottawa, Canada, though the individual denies involvement and claims that a previously controlled account may have been hijacked to impersonate him. A 15‑year‑old in Germany has also been mentioned as a potential participant. Authorities have not publicly disclosed formal arrests at the time of reporting.
From a legal perspective, the current operation underscores how difficult full attribution can be in complex, multi‑national cybercrime schemes. Disrupting infrastructure is often the most immediate way to reduce harm, while in‑depth investigation, evidence collection and cross‑border coordination for prosecution may take significantly longer.
Impact on organizations and home users — and how to respond
DDoS attacks reaching tens of terabits per second are capable of overwhelming core internet infrastructure, degrading connectivity for entire regions and straining even well‑provisioned cloud scrubbing centers. For enterprises, this translates into service outages, lost revenue, breach of SLAs and reputational damage.
For home users, the primary risk is silent enrollment of smart devices into IoT botnets. Smart TVs, Android TV boxes, IP cameras and routers with default passwords, unpatched firmware or pirated software can be turned into attack nodes without the owner’s knowledge, consuming bandwidth and expanding the attack surface of the home network.
Reducing these risks requires a combination of hygiene and architecture. Users should change factory credentials, apply firmware updates, disable unnecessary remote access features, separate home and guest Wi‑Fi networks and favor vendors with a proven security update policy. Organizations need layered DDoS protection, continuous monitoring for anomalous traffic patterns and strong partnerships with ISPs and cloud providers capable of absorbing terabit‑scale attacks. Taking these steps now is critical to staying ahead of the next generation of hyper‑volumetric IoT botnets.
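The "continuous monitoring for anomalous traffic patterns" recommendation above is easier to reason about with a concrete detector. The following Python sketch is an added example written for this article; it is not code from the DoJ, Akamai, Cloudflare or any other party named here. It learns a per-destination baseline from the first few seconds of constructed per-second flow summaries, then flags later seconds whose packet rate or bit rate either rises many standard deviations above that baseline or crosses an absolute ceiling (the kind of hard limit a scrubbing tier would enforce regardless of history). The key=value line format, the destination addresses, the thresholds and every traffic figure are assumptions constructed for the example; real deployments would read these numbers from NetFlow/IPFIX or sFlow exporters.

```python
"""Baseline-driven volumetric DDoS spike detector (added example, not production code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Tunables: assumed values chosen for this example, not figures from the article.
WARMUP_SAMPLES = 6         # per-destination seconds used to learn the baseline
Z_THRESHOLD = 4.0          # standard deviations above baseline that trigger an alert
HARD_PPS = 1_000_000       # absolute packets-per-second ceiling for one destination
HARD_BPS = 10_000_000_000  # absolute bits-per-second ceiling (10 Gbps)


@dataclass(frozen=True)
class FlowSample:
    second: int
    dst: str
    bps: int   # bits per second seen toward dst
    pps: int   # packets per second toward dst
    rps: int   # HTTP requests per second toward dst


@dataclass(frozen=True)
class Alert:
    second: int
    dst: str
    pps: int
    bps: int
    z_pps: float
    z_bps: float
    over_hard_ceiling: bool


# Constructed sample (not real telemetry): six quiet seconds, a two-second burst, two quiet seconds.
SAMPLE_FLOWS = [
    "t=0 dst=203.0.113.10 bytes=12500000 pkts=11000 reqs=1500",
    "t=1 dst=203.0.113.10 bytes=13100000 pkts=11800 reqs=1600",
    "t=2 dst=203.0.113.10 bytes=12200000 pkts=10500 reqs=1450",
    "t=3 dst=203.0.113.10 bytes=12900000 pkts=12100 reqs=1550",
    "t=4 dst=203.0.113.10 bytes=12600000 pkts=11400 reqs=1500",
    "t=5 dst=203.0.113.10 bytes=12400000 pkts=11200 reqs=1480",
    "t=6 dst=203.0.113.10 bytes=400000000 pkts=2500000 reqs=900000",
    "t=7 dst=203.0.113.10 bytes=450000000 pkts=3100000 reqs=1200000",
    "t=8 dst=203.0.113.10 bytes=12700000 pkts=11900 reqs=1520",
    "t=9 dst=203.0.113.10 bytes=12300000 pkts=10900 reqs=1470",
]


def parse_flow_line(line: str) -> FlowSample:
    """Parse one 'key=value' per-second summary line (a format assumed for this example)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return FlowSample(
        second=int(fields["t"]),
        dst=fields["dst"],
        bps=int(fields["bytes"]) * 8,
        pps=int(fields["pkts"]),
        rps=int(fields["reqs"]),
    )


def _zscore(value: float, history: list[int]) -> float:
    """Standard score against history. The spread is floored at 5% of the mean so a
    perfectly flat baseline does not turn every small wobble into an alert."""
    mu = mean(history)
    sigma = max(pstdev(history), 0.05 * mu, 1.0)
    return (value - mu) / sigma


def detect_volumetric_spikes(lines: list[str]) -> list[Alert]:
    """Learn a per-destination baseline from the first WARMUP_SAMPLES seconds, then flag
    any later second whose pps or bps is far above baseline or over a hard ceiling."""
    samples = sorted((parse_flow_line(l) for l in lines), key=lambda s: (s.dst, s.second))
    by_dst: dict[str, list[FlowSample]] = defaultdict(list)
    for s in samples:
        by_dst[s.dst].append(s)

    alerts: list[Alert] = []
    for dst, series in by_dst.items():
        if len(series) <= WARMUP_SAMPLES:
            continue  # not enough history to judge; a real system would keep learning
        pps_hist = [s.pps for s in series[:WARMUP_SAMPLES]]
        bps_hist = [s.bps for s in series[:WARMUP_SAMPLES]]
        for s in series[WARMUP_SAMPLES:]:
            z_pps = _zscore(s.pps, pps_hist)
            z_bps = _zscore(s.bps, bps_hist)
            hard = s.pps > HARD_PPS or s.bps > HARD_BPS
            if hard or z_pps > Z_THRESHOLD or z_bps > Z_THRESHOLD:
                alerts.append(Alert(s.second, dst, s.pps, s.bps, z_pps, z_bps, hard))
            else:
                # Only quiet seconds feed the baseline, so a sustained attack cannot
                # "train" the detector into accepting its own traffic as normal.
                pps_hist.append(s.pps)
                bps_hist.append(s.bps)
    return sorted(alerts, key=lambda a: a.second)


def peak_rates(lines: list[str]) -> tuple[int, int]:
    """Highest observed packets-per-second and bits-per-second across the input."""
    samples = [parse_flow_line(l) for l in lines]
    return max(s.pps for s in samples), max(s.bps for s in samples)


if __name__ == "__main__":
    for a in detect_volumetric_spikes(SAMPLE_FLOWS):
        print(f"t={a.second} {a.dst}: {a.pps} pps, {a.bps} bps, "
              f"z_pps={a.z_pps:.0f}, z_bps={a.z_bps:.0f}, hard_ceiling={a.over_hard_ceiling}")
```

Two design choices matter here. Seconds that trigger an alert are deliberately kept out of the rolling baseline, otherwise a botnet that ramps up slowly would teach the detector that its flood is normal. And the absolute ceiling sits beside the statistical test because, at the rates the article describes, a single second over a fixed pps or bps budget is actionable on its own, before any baseline has been learned.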