
International Law Enforcement Cracks Down on Four Massive IoT Botnets Behind Record DDoS Attacks

2026-05-01 04:43:06

Breaking: Feds, International Partners Disrupt IoT Botnets Compromising 3M+ Devices

The U.S. Justice Department, alongside authorities in Canada and Germany, has dismantled the online infrastructure of four powerful IoT botnets that infected over three million devices, including routers and web cameras. The botnets—named Aisuru, Kimwolf, JackSkid, and Mossad—are blamed for a series of record-breaking distributed denial-of-service (DDoS) attacks capable of knocking virtually any target offline.

Source: krebsonsecurity.com

According to the Justice Department, the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure. These were used to launch DDoS attacks against Internet addresses owned by the Department of Defense.

The unnamed controllers behind the four botnets allegedly used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported losses and remediation expenses totaling tens of thousands of dollars.

Scale of the Attacks

The oldest botnet, Aisuru, issued more than 200,000 attack commands. JackSkid hurled at least 90,000 attacks, while Kimwolf issued over 25,000 attack commands. Mossad was responsible for roughly 1,000 digital sieges, according to the government.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

The DOJ said the law enforcement action was designed to prevent further infection of victim devices and to limit or eliminate the botnets’ ability to launch future attacks. The case is being investigated by DCIS with help from the FBI’s field office in Anchorage, Alaska, and nearly two dozen technology companies assisted in the operation.

Background

These four IoT botnets emerged and evolved over the last two years. Aisuru first appeared in late 2024 and by mid-2025 was launching record-breaking DDoS attacks while rapidly infecting new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, an Aisuru variant that introduced a novel spreading mechanism allowing it to infect devices hidden behind internal network protections.


On January 2, 2026, cybersecurity firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. The JackSkid botnet also targeted systems on internal networks, just like Kimwolf.

What This Means

The disruption of these botnets significantly reduces the global capacity for massive DDoS attacks. Law enforcement actions in Canada and other jurisdictions, which the DOJ said coincided with the U.S. operation, further weakened the infrastructure. However, cybersecurity experts warn that copycat botnets using similar techniques could emerge, and vulnerable IoT devices remain a persistent threat.

For organizations, this operation highlights the critical need to secure IoT devices—routers, cameras, and other connected gear—with strong passwords, regular firmware updates, and network segmentation. The DOJ’s seizure of domains and servers also demonstrates the increasing effectiveness of international cooperation in fighting cybercrime.

The four botnets are no longer operational, but the underlying vulnerabilities that allowed them to spread remain. Users are urged to apply patches and follow best practices to reduce the risk of future infections.
