Global Law Enforcement Stuns Cybercrime: Four IoT Botnets Dismantled After Targeting 3 Million Devices

Breaking: Massive Botnet Takedown Disrupts Record DDoS Attacks

The U.S. Justice Department, alongside Canadian and German authorities, has dismantled the infrastructure behind four major IoT botnets that compromised over three million devices, including routers and web cameras. These botnets—named Aisuru, Kimwolf, JackSkid, and Mossad—are blamed for a series of record-breaking distributed denial-of-service (DDoS) attacks capable of taking nearly any target offline.

Source: krebsonsecurity.com

Law enforcement executed seizure warrants on multiple U.S.-registered domains, virtual servers, and other infrastructure linked to DDoS attacks against Department of Defense (DoD) internet addresses. The operation, led by the DoD Office of Inspector General’s Defense Criminal Investigative Service (DCIS), aimed to prevent further infections and cripple the botnets’ attack capabilities.

Extortion and Financial Losses

Unnamed operators of the botnets allegedly launched hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses, according to the DOJ.

The three million compromised devices were mainly IoT gadgets with weak security, such as internet-connected cameras and home routers. The botnets evolved sophisticated spreading methods, including infiltrating devices behind internal corporate networks.

Botnet Timeline and Scale

Analysis revealed the botnets’ attack volumes: Aisuru issued more than 200,000 attack commands, JackSkid launched at least 90,000, Kimwolf executed over 25,000, and Mossad was responsible for roughly 1,000 digital sieges. Aisuru emerged in late 2024 and by mid-2025 was launching record-breaking DDoS attacks while rapidly infecting new devices.

In October 2025, Aisuru was used to seed Kimwolf, a variant that introduced a novel spreading mechanism to infect devices hidden behind internal network protections. On January 2, 2026, security firm Synthient publicly disclosed the vulnerability Kimwolf exploited, which curtailed its spread—but other botnets quickly copied the technique.

International Cooperation and Expert Quotes

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. The DOJ statement credits nearly two dozen technology companies for assisting in the operation, which also involved the FBI field office in Anchorage and Canadian and German authorities.

Background

IoT botnets exploit insecure smart devices to form armies of remotely controlled machines. DDoS attacks flood targets with traffic, often knocking websites, gaming servers, or government portals offline. The disrupted botnets are part of a growing trend where cybercriminals weaponize everyday devices. Similar operations have disrupted other botnets in the past, but this takedown focuses on four that specifically targeted DoD infrastructure and demanded extortion.

Kimwolf’s novel internal-network spreading method marked a shift in botnet capability. JackSkid later adopted the same technique, competing for the same pool of vulnerable devices. The DOJ’s action coincided with law enforcement actions in Canada, though details remain sealed.

What This Means

This takedown shows that international law enforcement can coordinate to disrupt major cybercriminal operations, but it may be only a temporary blow. Experts warn that copycat botnets using similar techniques will likely emerge, and IoT security remains weak—millions of devices still use default passwords and unpatched firmware. Users should change default credentials, update firmware, and segment IoT devices on separate networks.

For businesses, the operation underscores the need for robust DDoS protection and monitoring for unauthorized internal network traffic. The DoD and private sector may need to strengthen collaboration to stay ahead of evolving botnet propagation methods. While this disruption is significant, the same vulnerability pool means future botnets could quickly fill the void.

This article will be updated as more details emerge.
