Global Law Enforcement Shuts Down Four IoT Botnets Behind Record DDoS Attacks

<p>In a coordinated operation, the U.S. Department of Justice, alongside authorities in Canada and Germany, has dismantled the infrastructure behind four massive IoT botnets that infected over three million devices, including routers and web cameras. The botnets — named Aisuru, Kimwolf, JackSkid, and Mossad — are blamed for a series of record-shattering distributed denial-of-service (DDoS) attacks capable of knocking almost any target offline.</p>
<h2>Key Facts</h2>
<p>The Justice Department announced that the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service (DCIS) executed seizure warrants against multiple U.S.-registered domains, virtual servers, and other infrastructure involved in attacks against Internet addresses owned by the Department of Defense.</p>
<figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2021/03/kos-27-03-2021.jpg" alt="Global Law Enforcement Shuts Down Four IoT Botnets Behind Record DDoS Attacks" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure>
<p>“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.</p>
<h2>Massive Scale of Attacks</h2>
<p>Authorities allege that unnamed operators used the botnets to launch hundreds of thousands of DDoS attacks, often demanding extortion payments. Some victims reported tens of thousands of dollars in losses and remediation costs.</p>
<p>The oldest botnet, Aisuru, issued more than 200,000 attack commands. JackSkid launched at least 90,000 attacks, Kimwolf issued over 25,000, and Mossad was responsible for roughly 1,000 attacks.</p>
<h2>Timeline of Botnet Evolution</h2>
<p>Aisuru emerged in late 2024 and by mid-2025 was setting records for DDoS scale while rapidly infecting new IoT devices. In October 2025, Aisuru seeded Kimwolf, a variant that introduced a novel spreading mechanism to infect devices behind internal networks.</p>
<figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2026/01/ss-botnet.png" alt="Global Law Enforcement Shuts Down Four IoT Botnets Behind Record DDoS Attacks" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure>
<p>On January 2, 2026, security firm Synthient publicly disclosed the vulnerability Kimwolf exploited for rapid propagation. That disclosure curbed its spread, but other botnets have since copied the technique. The DOJ says JackSkid likewise targeted internal networks.</p>
<h2 id="background">Background</h2>
<p>The DOJ action was designed to prevent further infections and limit the botnets' ability to launch future attacks. The investigation involved DCIS, the FBI’s Anchorage field office, and nearly two dozen technology companies. The statement also acknowledged “law enforcement actions” in Canada.</p>
<h2 id="what-this-means">What This Means</h2>
<p>This takedown significantly degrades the capacity for massive DDoS attacks, but experts warn that copycat botnets are already competing for the same vulnerable devices. The operation highlights the critical need for IoT security improvements and international cooperation to disrupt cybercriminal infrastructure.</p>
<p>“This is a major blow to cybercriminals, but the fight is far from over,” said a cybersecurity analyst speaking on condition of anonymity. “The methods used by Kimwolf are now in the open, and we can expect more variants.”</p>
<p>Users are urged to update IoT device firmware, change default passwords, and disable unnecessary remote access to reduce the risk of infection.</p>