International Law Enforcement Dismantles Massive IoT Botnet Network Behind Record DDoS Assaults

From Stripgay, the free encyclopedia of technology

Introduction

In a coordinated cross-border operation, the U.S. Department of Justice, alongside authorities in Canada and Germany, has taken down the infrastructure supporting four major botnets that infected over three million Internet of Things (IoT) devices—including routers and web cameras. The botnets, identified as Aisuru, Kimwolf, JackSkid, and Mossad, were responsible for a series of record-breaking distributed denial-of-service (DDoS) attacks that could knock nearly any target offline, according to federal officials.

Source: krebsonsecurity.com

The Botnets Under Fire

The Justice Department announced that the Defense Criminal Investigative Service (DCIS) of the Department of Defense Office of Inspector General executed seizure warrants on multiple U.S.-registered domains, virtual servers, and other infrastructure used in DDoS attacks against Internet addresses owned by the Department of Defense. The unnamed operators of these botnets allegedly used the compromised devices to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported financial losses and remediation expenses amounting to tens of thousands of dollars.

The Scale of the Attacks

Among the botnets, the oldest—Aisuru—issued more than 200,000 attack commands. JackSkid hurled at least 90,000 attacks, while Kimwolf issued over 25,000 attack commands. The smallest of the group, Mossad, was blamed for roughly 1,000 digital sieges. These figures highlight the immense scale and persistence of the threat.

How Law Enforcement Acted

The DOJ stated that the law enforcement action was designed to prevent further infection of victim devices and to limit or eliminate the ability of the botnets to launch future attacks. The case was investigated by the DCIS with assistance from the FBI’s Anchorage, Alaska field office, and the DOJ’s statement credits nearly two dozen technology companies for their support.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

The Evolution of Aisuru and Kimwolf

Aisuru emerged in late 2024 and by mid-2025 was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, a variant that introduced a novel spreading mechanism. This allowed Kimwolf to infect devices hidden behind the protection of a user’s internal network—a significant escalation in capability.

On January 2, 2026, security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread, but since then several other IoT botnets have emerged that effectively copied Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks, mirroring Kimwolf’s approach.

Impact and Aftermath

The disruption of these four botnets marks a significant victory against cybercriminal infrastructure. However, the emergence of copycat botnets underscores the ongoing challenge of securing IoT devices. The DOJ said its action coincided with law enforcement operations conducted in Canada, though details of those actions remain limited. The operation serves as a warning to cybercriminals that international cooperation can dismantle even the most powerful botnets.

For organizations and individuals, this case highlights the critical importance of securing IoT devices with strong passwords, regular firmware updates, and network segmentation. As the FBI noted, collaboration between public and private sectors is essential to staying ahead of evolving threats.