The U.S. Department of Justice, working with Canadian and German authorities, took down the online infrastructure of four major botnets responsible for infecting over three million IoT devices, including routers and webcams. The authorities state that the four botnets — Aisuru, Kimwolf, JackSkid, and Mossad — are behind a wave of recent record-breaking distributed denial-of-service (DDoS) attacks powerful enough to take almost any target offline.
The Justice Department reported that the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) carried out seizure warrants on multiple U.S.-registered domains, virtual servers, and other infrastructure used in DDoS assaults against DoD-owned IP addresses.
Officials claim the unidentified operators of these four botnets used their networks to carry out hundreds of thousands of DDoS attacks, frequently demanding ransom payments from victims. Some victims suffered losses and recovery costs in the tens of thousands of dollars. The oldest botnet, Aisuru, issued over 200,000 attack commands, while JackSkid launched at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughly 1,000 digital sieges.
The DOJ said the law enforcement action was designed to prevent further infection of victim devices and to limit or eliminate the ability of the botnets to launch future attacks.
The investigation is being led by the DCIS, supported by the FBI’s Anchorage field office, with the DOJ acknowledging assistance from nearly two dozen technology firms in the operation.
“By collaborating closely with DCIS and our international law enforcement partners, we were able to identify and dismantle the criminal infrastructure behind large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.
Aisuru first appeared in late 2024 and, by mid-2025, was conducting record-setting DDoS attacks while quickly compromising additional IoT devices. In October 2025, Aisuru was leveraged to create Kimwolf, a modified variant that introduced an innovative propagation technique enabling the botnet to compromise devices shielded behind internal network protections.
On January 2, 2026, security company Synthient publicly revealed the vulnerability that allowed Kimwolf to spread at such a rapid pace. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet, like Kimwolf, also hunted for systems on internal networks.
The department said its takedown of the four botnets coincided with law-enforcement operations in Canada and Germany aimed at individuals believed to be running those networks, though no additional details about the suspected operators were released. In late February, KrebsOnSecurity named a 22-year-old Canadian as a key figure behind the Kimwolf botnet.
Krebs on Security