International Operation Targets Four Destructive Botnets
The U.S. Justice Department, working alongside authorities in Canada and Germany, has successfully dismantled the operational infrastructure behind four highly disruptive botnets collectively responsible for compromising more than three million Internet of Things (IoT) devices, including consumer routers and web cameras. The botnets — named Aisuru, Kimwolf, JackSkid, and Mossad — were behind a string of recent record-breaking distributed denial-of-service (DDoS) attacks capable of taking nearly any internet-connected target offline.
Seizure Warrants and Infrastructure Takedowns
The Justice Department confirmed that the Department of Defense Office of Inspector General's Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure that had been used to conduct DDoS attacks against internet addresses owned by the Department of Defense.
According to the government, the unidentified individuals who controlled these four botnets used them to launch hundreds of thousands of DDoS attacks, frequently pairing those attacks with extortion demands directed at victims. Some targeted organizations reported losing tens of thousands of dollars through direct damages and remediation costs.
Attack Volumes by Botnet
The DOJ provided specific figures on the scale of each botnet's activity:
- Aisuru issued more than 200,000 attack commands, making it the most prolific of the four.
- JackSkid launched at least 90,000 attacks.
- Kimwolf was responsible for more than 25,000 attack commands.
- Mossad conducted roughly 1,000 digital sieges.
Authorities stated that the law enforcement action was specifically intended to stop further infection of victim devices and to limit or eliminate the botnets' ability to conduct future attacks.
Investigation Details and Industry Cooperation
The DCIS is leading the investigation with assistance from the FBI's field office in Anchorage, Alaska. The DOJ's official statement credits nearly two dozen technology companies with supporting the operation.
"By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks." — Special Agent in Charge Rebecca Day, FBI Anchorage Field Office
Timeline: How Aisuru Spawned a New Generation of Botnets
Aisuru first appeared in late 2024 and, by mid-2025, had grown aggressive enough to launch record-breaking DDoS attacks as it rapidly expanded by infecting new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, a variant that introduced a novel spreading mechanism enabling the botnet to compromise devices located behind the protection of a user's internal network — a significant evolution in botnet propagation technique.
On January 2, 2026, security firm Synthient publicly disclosed the vulnerability Kimwolf had been exploiting to spread so rapidly. That disclosure helped slow Kimwolf's expansion to some degree. However, in the period that followed, several additional IoT botnets emerged that effectively replicated Kimwolf's internal-network spreading methods while competing for the same pool of vulnerable devices.
The DOJ noted that JackSkid similarly targeted systems residing on internal networks, mirroring the approach pioneered by Kimwolf.
Suspects Identified in Canada and Germany
The DOJ confirmed that its infrastructure takedown was coordinated with separate law enforcement actions in Canada and Germany against individuals allegedly responsible for operating these botnets. No additional details about those actions were made publicly available at the time of announcement.
In late February, KrebsOnSecurity had already identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources with knowledge of the investigation also told KrebsOnSecurity that another prime suspect is a 15-year-old living in Germany.
Broader Implications for IoT Security
The operation underscores the growing threat posed by compromised IoT devices, which often run outdated firmware and lack robust security configurations. The emergence of Kimwolf-style internal-network propagation techniques represents a meaningful escalation in botnet sophistication, as it allows malicious actors to reach devices that would otherwise be shielded from direct internet exposure. Security researchers and law enforcement alike are warning that similar spreading mechanisms are now being adopted by competing botnet operators, suggesting the threat level will remain elevated even following this disruption.
Source: Krebs on Security