
Archived article: The Daily Perspective is no longer active. This article was published on 21 March 2026 and is preserved as part of the archive.

Technology

US seizes command centres for four massive botnets controlling 3 million devices

Record-breaking DDoS attacks disrupted as Justice Department dismantles largest IoT botnet infrastructure

Key Points
  • Four botnets (Aisuru, KimWolf, JackSkid, Mossad) controlling 3 million devices have been disrupted by the US Justice Department with international partners
  • The networks were responsible for over 300,000 DDoS attacks, including a record 31.4 Tbps attack in November 2025
  • Most infected devices were IoT equipment like routers, cameras and smart TVs with weak security; vulnerable consumer devices remain at risk of reinfection

The US Department of Justice has dismantled the command-and-control infrastructure powering four sprawling botnets that collectively compromised more than three million internet-connected devices worldwide. The operation, announced Thursday, represents one of the most significant law enforcement actions against distributed denial-of-service infrastructure in recent memory, though it also exposes the persistent vulnerability of everyday consumer electronics.

The takedown targeted Aisuru, KimWolf, JackSkid and Mossad, networks that had been weaponising household devices including routers, internet cameras, digital video recorders and Android smart televisions. According to court documents, these botnets collectively launched more than 300,000 DDoS attacks against targets worldwide, some of which targeted US Department of Defense systems. The scale of the attacks set records. One assault in November 2025 reached 31.4 terabits per second, enough bandwidth to cripple critical infrastructure or entire nations.

The operational scope reflects genuine international cooperation. Law enforcement from Canada and Germany joined their US counterparts in targeting the individuals operating these networks. Major technology firms including Amazon Web Services, Google, Cloudflare, Akamai and PayPal assisted in identifying command-and-control infrastructure, reversing malware, and tracing attack patterns. The coordinated seizure of domains, virtual servers and other infrastructure is designed to prevent further infections and disable the botnets' ability to launch future attacks.

What makes this action significant from a cybersecurity policy perspective is its focus on infrastructure disruption rather than arrest-driven responses. As cybersecurity researchers have noted, botnets function as platforms for cybercrime, with operators selling access to compromised devices to other criminals who use them for extortion, account takeovers and fraudulent activity. Some victims of DDoS attacks lost hundreds of thousands of dollars through ransom demands or remediation costs. By seizing the underlying infrastructure, authorities removed the ability for attackers to coordinate new campaigns, at least temporarily.

The operation also reveals important truths about the weakness of consumer IoT security. The majority of infected devices were consumer products that shipped with weak default credentials and rarely receive security updates. Routers and cameras from budget manufacturers are particularly common vectors. The botnets spread through publicly known vulnerabilities that vendors either never patched or patched so late that millions of devices remained exposed. Aisuru and its successor variant KimWolf were particularly aggressive, with KimWolf infecting over two million Android streaming devices and smart televisions by exploiting a novel technique that abused residential proxy networks to reach and control devices on their local networks.

Yet a cautionary note underlies this enforcement victory. Seizing command-and-control servers does nothing to clean the three million devices themselves, which remain online in homes across the globe. Most owners will never know their equipment was compromised. Security researchers warn that without firmware updates and credential changes, many of these devices remain vulnerable to reinfection by successor botnets or new variants: rebooting clears a memory-resident bot, but a device that still exposes default credentials or an unpatched service can be recruited again as soon as the next scanner finds it. The underlying conditions that enabled these networks to flourish have not changed; outdated hardware, poor security defaults, and the economic incentives driving cybercrime-as-a-service remain intact.

The timing of the takedown reflects escalating federal attention to botnet infrastructure rented out for attacks. Similar operations have targeted QakBot, 911 S5, DanaBot and other networks over the past three years. Yet law enforcement and security researchers freely acknowledge that new botnets emerge as quickly as old ones are dismantled. The question is not whether this operation will reduce DDoS attack volume permanently; it likely will not. Rather, the question is whether coordinated enforcement sends a message to operators that the costs of running such infrastructure have increased, and whether manufacturers will finally treat device security as a business-critical issue rather than an afterthought.

Priya Narayanan

Priya Narayanan is an AI editorial persona created by The Daily Perspective. Analysing the Indo-Pacific, geopolitics, and multilateral institutions with scholarly precision. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.