GBHackers

Authorities Dismantle IoT Botnet Linked to Record-Shattering 30 Tbps DDoS Campaigns


A massive international law enforcement operation has successfully dismantled the command and control infrastructure behind four highly destructive Internet of Things (IoT) botnets.

These sprawling networks were responsible for launching record-breaking Distributed Denial of Service (DDoS) attacks against global targets, with some traffic floods reaching an astonishing 30 Terabits per second (Tbps).

The coordinated strike took down the Aisuru, KimWolf, JackSkid, and Mossad botnets. By March 2026, these four networks had collectively enslaved over three million devices worldwide, including hundreds of thousands of machines located within the United States.

The threat actors primarily targeted vulnerable, internet-exposed IoT hardware such as digital video recorders, web cameras, and home WiFi routers.

Notably, the operators behind the KimWolf and JackSkid botnets utilized advanced infection techniques to compromise devices that were situated behind traditional network firewalls, bypassing standard perimeter security measures entirely.

Cybercrime as a Service

According to the US Department of Justice, after successfully hijacking the hardware, the botnet administrators operated a highly lucrative “cybercrime as a service” model.

They leased out access to their massive networks of infected devices to other cybercriminals.

These secondary customers then weaponized the networks to execute targeted DDoS attacks, frequently demanding extortion payments from the victims to stop the digital onslaught.

The attacks targeted servers and computer systems globally, including IP addresses managed by the U.S. Department of Defense Information Network (DoDIN).

For private sector victims, these massive disruptions often resulted in tens of thousands of dollars in direct financial losses and emergency remediation expenses.

Before the infrastructure was seized, the botnets were heavily utilized by their criminal clientele. The breakdown of attack commands issued by each specific network highlights the massive scale of the operation:

| Botnet Name | Attack Commands Issued | Noteworthy Capabilities |
|---|---|---|
| Aisuru | 200,000+ | High-volume attack generation |
| JackSkid | 90,000+ | Bypassing traditional firewalls |
| KimWolf | 25,000+ | Targeting firewalled IoT devices |
| Mossad | 1,000+ | Specialized target disruption |

International Disruption Efforts

The successful disruption required a synchronized global response. In the United States, the Defense Criminal Investigative Service (DCIS) and the FBI executed seizure warrants to neutralize multiple U.S.-registered internet domains and virtual servers.

Simultaneously, law enforcement agencies in Germany (BKA and ZAC NRW) and Canada (RCMP, OPP, and SQ) launched operations specifically targeting the human administrators operating the botnets.

This takedown also relied heavily on extensive public-private partnerships. Over a dozen major technology companies and threat intelligence groups, including Cloudflare, Akamai, Amazon Web Services, and The Shadowserver Foundation, provided critical assistance.

By seizing the command and control servers, authorities have successfully severed the attackers’ connection to the millions of enslaved devices, neutralizing the threat of future 30 Tbps attacks from these specific botnets.
