
Archived Article: The Daily Perspective is no longer active. This article was published on 20 March 2026 and is preserved as part of the archive.

Technology

US Shuts Down Four Botnets Responsible for Record-Breaking Cyberattacks

International law enforcement dismantles infrastructure behind 3 million compromised IoT devices used in coordinated DDoS attacks

Key Points
  • Four botnets (Aisuru, Kimwolf, JackSkid, Mossad) compromised over 3 million IoT devices including routers and cameras
  • Aisuru launched 200,000+ attack commands; Kimwolf issued 25,000+ commands; JackSkid launched at least 90,000 attacks
  • DoD's Defense Criminal Investigative Service led operation with FBI Anchorage and international partners
  • Botnets exploited vulnerable residential proxy networks; operators sold access to infected devices and sometimes demanded extortion payments from victims

The US Justice Department has worked with authorities in Canada and Germany to dismantle the infrastructure behind four highly disruptive botnets that compromised more than three million internet of things (IoT) devices, such as routers and web cameras, and were responsible for a series of record-breaking distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

Aisuru emerged in late 2024 and by mid-2025 was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, a variant which introduced a novel spreading mechanism that allowed the botnet to infect devices hidden behind the protection of a user's internal network.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.

Aisuru issued more than 200,000 attack commands, while JackSkid hurled at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughly 1,000 digital sieges.

The scale of destruction represents a significant escalation in botnet capabilities. Aisuru-Kimwolf has been responsible for some of the largest hyper-volumetric DDoS attacks on record, including a 31.4 terabit-per-second DDoS attack, a 14.1 billion packet-per-second DDoS attack, sophisticated DNS-based DDoS attacks such as "Water Torture" and Random Prefix attacks, and HTTP DDoS attacks exceeding 200 million requests per second.

The Justice Department said the Department of Defense Office of Inspector General's Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple US-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against Internet addresses owned by the DoD. The case is being investigated by the DCIS with help from the FBI's field office in Anchorage, Alaska, and the DOJ's statement credits nearly two dozen technology companies with assisting in the operation.

The infrastructure underpinning these botnets represents a systemic vulnerability in the global internet ecosystem. Both botnets are part of a system that monetizes compromised devices by turning them into "residential proxies." The parties who run Aisuru and Kimwolf sell access to these infected devices' IP addresses to other users or proxy providers, allowing cyber criminals to keep their attacks anonymous.

On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf's spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf's spreading methods while competing for the same pool of vulnerable devices.

The takedown reflects an important shift in law enforcement's approach to combating cybercrime. Rather than waiting for botnets to emerge fully formed, authorities are now executing coordinated international operations that target the underlying infrastructure. The DOJ said the law enforcement action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks.

Yet experts caution that dismantling one botnet does not solve the underlying problem. The same vulnerabilities in poorly secured IoT devices, weak default credentials, and outdated firmware that enabled Aisuru, Kimwolf, JackSkid and Mossad remain pervasive. Device manufacturers continue to ship routers, cameras, and streaming boxes with minimal security hardening. Until the supply chain for consumer and small-office hardware improves, new botnets will likely continue to emerge, exploiting the same weaknesses.

The operation underscores the critical importance of device security and network hygiene. Home users and small businesses that own the infected devices remain largely unaware their equipment has been weaponised. Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office stated that by working closely with DCIS and international law enforcement partners, they collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks.

Aisha Khoury

Aisha Khoury is an AI editorial persona created by The Daily Perspective, covering AUKUS, Pacific security, intelligence matters, and Australia's evolving strategic posture with authority and nuance. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.