Authorities disrupt four IoT botnets tied to record DDoS attacks topping 30 Tbps
U.S., Canadian, and German authorities have disrupted the command-and-control infrastructure behind four major IoT botnets that investigators say powered some of the largest DDoS attacks ever recorded. The botnets, Aisuru, KimWolf, JackSkid, and Mossad, allegedly infected more than 3 million devices worldwide and were used to launch attacks against victims across the internet, including targets connected to the U.S. Department of Defense Information Network.
The key point is that this was a disruption operation, not a final end to the broader botnet problem. The Justice Department said the court-authorized action targeted domains, virtual servers, and other infrastructure used to control the botnets, with the goal of preventing further infections and limiting the operators’ ability to launch future attacks.
The scale was enormous. According to the DOJ, court documents allege that Aisuru issued more than 200,000 DDoS attack commands, JackSkid more than 90,000, KimWolf more than 25,000, and Mossad more than 1,000. Cloudflare separately linked the Aisuru-KimWolf botnet to a record 31.4 Tbps attack in late 2025, which means some reports citing “30 Tbps” are directionally right but slightly understate the peak figure.
What authorities say happened
The DOJ said the botnets mainly abused vulnerable digital video recorders, IP cameras, web cameras, and WiFi routers. Investigators say many of those devices had weak default security or known vulnerabilities, which made them attractive targets for large-scale compromise.
Reuters reported that authorities in Germany and Canada searched the homes of two suspected botnet administrators and seized digital evidence and cryptocurrency worth tens of thousands of dollars. Reuters also said KimWolf was operated as a residential proxy network, which shows the infrastructure was not used only for DDoS activity.
Akamai, which worked with law enforcement on the case, said the operation disrupted several large DDoS botnets and shut down related DDoS-for-hire services. That matters because it points to a commercial ecosystem behind the attacks, not just one-off campaigns by a single actor.
Why the attacks were so dangerous
These botnets were powerful because they relied on huge numbers of infected IoT devices spread across the world. A single home router or camera may not generate much traffic alone, but millions of compromised systems can produce attack volumes that overwhelm websites, apps, cloud services, and even internet infrastructure.
Cloudflare’s 2025 Q4 DDoS report described the Aisuru-KimWolf botnet as a massive collection of malware-infected devices, primarily Android TVs, with an estimated 1 million to 4 million infected hosts. Cloudflare said the botnet was capable of launching hyper-volumetric attacks that could cripple critical infrastructure and disrupt legacy defenses.
Botnets named in the operation
| Botnet | Alleged attack commands issued | Notes |
|---|---|---|
| Aisuru | More than 200,000 | One of the main botnets in the operation |
| JackSkid | More than 90,000 | Linked to heavy DDoS activity |
| KimWolf | More than 25,000 | Also tied to residential proxy activity |
| Mossad | More than 1,000 | Smaller than the others, but still part of the disruption |
These figures come from court documents cited by the DOJ. They help explain why law enforcement described the infrastructure as some of the world’s largest IoT DDoS botnets.
What law enforcement actually seized
The DOJ said the Defense Criminal Investigative Service, supported by the FBI Anchorage Field Office, executed seizure warrants targeting U.S.-registered domains, virtual servers, and related infrastructure used by the operators. The operation was coordinated with international law enforcement actions in Canada and Germany.
That distinction, between seizing the control infrastructure and cleaning the devices it controlled, matters because taking down command infrastructure can sharply reduce an operator’s reach, but it does not automatically clean every infected device. Owners of exposed routers, cameras, DVRs, and similar hardware still need to update firmware, change passwords, and remove internet exposure where possible. This is an inference based on how botnet disruptions work and on the DOJ’s focus on C2 infrastructure rather than device-side remediation.
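Because the devices themselves are not cleaned by a C2 takedown, a network operator has to find participating hardware locally. One way to do that from the defender's side is to watch for an IoT-segment device pushing an unusual packet or byte rate toward a single external destination, which is what a DDoS participant looks like in flow data. The script below is an added example, not code from the article, the DOJ, Akamai or Cloudflare; the flow records, the `192.168.50.0/24` IoT segment and the per-device rate thresholds are all constructed assumptions, and a real deployment would derive the thresholds from its own traffic history and feed in exported NetFlow/IPFIX records.

```python
"""Flow-based spotter for IoT devices that may be taking part in a volumetric DDoS.

Added example (not from the article or any vendor). Assumes NetFlow/IPFIX-style
records from an edge router have been reduced to the Flow tuple below.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical IoT segment (cameras, DVRs, TVs); adjust to the real network.
IOT_SEGMENT = ip_network("192.168.50.0/24")

# Constructed per-device, per-destination baselines over a 60 s window.
PPS_LIMIT = 5_000          # packets per second toward one destination
BPS_LIMIT = 50_000_000     # bytes per second toward one destination


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int
    seconds: int    # flow duration in the export window


# Constructed sample flows: four IoT hosts; .12 is flooding one external host.
SAMPLE_FLOWS = [
    Flow("192.168.50.10", "203.0.113.5", 443, "tcp", 120, 48_000, 60),
    Flow("192.168.50.11", "203.0.113.5", 443, "tcp", 90, 36_000, 60),
    Flow("192.168.50.12", "198.51.100.7", 80, "udp", 2_400_000, 1_800_000_000, 60),
    Flow("192.168.50.12", "203.0.113.5", 443, "tcp", 100, 40_000, 60),
    Flow("192.168.50.13", "198.51.100.7", 53, "udp", 50, 6_000, 60),
]


def per_device_peaks(flows, segment=IOT_SEGMENT):
    """Aggregate flows per (src, dst) pair and keep the hottest destination per source.

    Returns {src: {"dst": ..., "pps": ..., "bps": ...}} for sources inside `segment`.
    """
    totals = defaultdict(lambda: [0, 0, 0])   # (src, dst) -> [packets, bytes, seconds]
    for f in flows:
        if ip_address(f.src) not in segment:
            continue   # only the IoT segment is in scope here
        t = totals[(f.src, f.dst)]
        t[0] += f.packets
        t[1] += f.bytes
        t[2] = max(t[2], f.seconds, 1)        # avoid division by zero on tiny flows
    peaks = {}
    for (src, dst), (pkts, byts, secs) in totals.items():
        pps, bps = pkts / secs, byts / secs
        if src not in peaks or pps > peaks[src]["pps"]:
            peaks[src] = {"dst": dst, "pps": pps, "bps": bps}
    return peaks


def suspected_participants(flows, pps_limit=PPS_LIMIT, bps_limit=BPS_LIMIT):
    """Return {src: reason} for devices whose single-destination rate exceeds baseline."""
    findings = {}
    for src, peak in per_device_peaks(flows).items():
        reasons = []
        if peak["pps"] > pps_limit:
            reasons.append(f"{peak['pps']:.0f} pps to {peak['dst']}")
        if peak["bps"] > bps_limit:
            reasons.append(f"{peak['bps']:.0f} Bps to {peak['dst']}")
        if reasons:
            findings[src] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for host, why in suspected_participants(SAMPLE_FLOWS).items():
        print(f"isolate and reflash {host}: {why}")
```

On the constructed sample, only `192.168.50.12` is reported (40,000 pps toward `198.51.100.7`; its byte rate of 30 MB/s stays under the constructed byte threshold, which is why both rate checks are kept). A flagged device is a candidate for isolation, a firmware update and a credential reset rather than proof of infection, so the thresholds should sit well above the device's own normal peaks before anyone acts on the output.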
Why this case stands out
- The botnets allegedly infected more than 3 million devices worldwide.
- Investigators tied them to record-setting DDoS activity.
- Some attacks targeted systems tied to the Department of Defense Information Network.
- The operation involved cross-border coordination between the U.S., Canada, and Germany.
- Private-sector firms including Akamai and Team Cymru publicly said they supported the disruption.
Quick takeaway for organizations
| Question | Answer |
|---|---|
| Were the botnets fully eliminated? | Authorities said they disrupted the infrastructure, not that the entire threat disappeared. |
| What devices were most at risk? | DVRs, webcams, IP cameras, WiFi routers, and other poorly secured IoT gear. |
| How big were the attacks? | Authorities cited attacks over 30 Tbps, while Cloudflare linked Aisuru-KimWolf to a 31.4 Tbps event. |
| Why should companies care? | These botnets were used for extortion, service disruption, and attacks on high-value networks. |
FAQ
The official wording from the DOJ says authorities disrupted the command-and-control infrastructure. That means the operation likely reduced or severed the operators’ control, but it does not guarantee that every infected device has been cleaned.
The DOJ described the attacks as exceeding 30 Tbps, while Cloudflare said the Aisuru-KimWolf botnet was behind a 31.4 Tbps attack in late 2025.
The DOJ said the botnets primarily infected DVRs, IP cameras, web cameras, and enterprise WiFi routers. Reuters similarly described the victims as mostly IoT devices such as webcams and routers.
Reuters reported that authorities searched the homes of two suspected administrators in Germany and Canada and seized evidence, but the public announcements I found focus more on infrastructure disruption than on announced criminal convictions or extraditions at this stage.