Here's an uncomfortable truth: this week's international operation against four massive botnets is being celebrated as a victory, yet it solves nothing. Law enforcement in the United States, Germany, and Canada did impressive coordination work. They seized domains, shut down command-and-control infrastructure, and traced the criminals behind some of the largest distributed denial-of-service attacks ever recorded. By all measures, the operation was successful. And yet, in six months or a year, we will have another story exactly like this one.
Authorities from the United States, Germany, and Canada have taken down command-and-control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets. The operation targeted virtual servers, internet domains, and other infrastructure used to launch hundreds of thousands of massive DDoS attacks against victims worldwide, including systems associated with the US Department of Defense Information Network. The scale alone warrants attention. The networks were capable of generating traffic volumes exceeding 30 Tbps, with one attack peaking at roughly 31.4 Tbps. For context, Cloudflare described the maximum attack traffic of the combined Aisuru and KimWolf botnets as equivalent to "the combined populations of the U.K., Germany, and Spain all simultaneously typing a website address and then hitting 'enter' at the same second."
The monetisation model is equally telling about why this problem persists. The operators monetised access to the networks by offering DDoS-for-hire services and extorting victims by threatening to sustain attacks unless payments were made. That model essentially turned compromised consumer electronics into rentable attack infrastructure, becoming a staple of the cybercrime economy and lowering the barrier to entry for anyone looking to knock a rival offline. Some victims reported that the DDoS attacks resulted in tens of thousands of dollars in losses and remediation expenses.
What's particularly striking is the operational sophistication. In October 2025, Aisuru was used to seed KimWolf, an Aisuru variant that introduced a novel spreading mechanism allowing the botnet to infect devices hidden behind the protection of the user's internal network. This isn't crude malware. This is crime-as-a-service with technical innovation.
Now consider the actual outcome of this operation: the disruption focused on seizing domains and backend systems used to coordinate the botnets, effectively cutting off the instructions that tell infected devices where and when to send traffic. As with similar operations, the devices themselves remain infected, but without functioning command infrastructure, they are far less useful to their operators. Disabled, not cleaned. Dormant, not destroyed. The infection lingers.
The botnets spread largely across routers, IP cameras, and digital video recorders that are often shipped with weak credentials and rarely patched. These are devices that ship from the factory with default passwords, devices that receive security updates once or twice in their entire lifespan, devices that sit in people's homes and businesses doing precisely what they're supposed to do, yet vulnerable by design. Millions of insecure devices are still online, many running outdated firmware or stuck with default passwords, providing a ready-made recruitment pool for the next wave of botnet builders.
The question nobody in government seems willing to ask is straightforward: why are we still selling connected devices that arrive pre-compromised by virtue of their own factory settings? Why is it someone else's responsibility to babysit a manufacturer's negligence? A router or camera that ships with a default password in 2026 is not a security problem you've created; it's a product defect the manufacturer created.
This operation will be cited as proof that international law enforcement works. It does. But every arrested operator is replaced. Every seized server spawns two alternatives. And every device still running outdated firmware is simply waiting. According to court documents, the Aisuru botnet issued more than 200,000 DDoS attack commands, the KimWolf botnet issued more than 25,000 DDoS attack commands, the JackSkid botnet launched more than 90,000 DDoS attack commands, and the Mossad botnet launched more than 1,000 DDoS attack commands. That's more than 316,000 DDoS attack commands from a single cluster of four botnets.
The law enforcement result is real. The victory is temporary. The underlying vulnerability is permanent until manufacturers decide that security is worth the cost. Until then, we'll celebrate takedowns whilst doing nothing about the actual problem.