
Global Law Enforcement Operation Dismantles Four Major IoT Botnets Responsible for Record-Breaking Cyberattacks

In a coordinated international effort, the U.S. Department of Justice (DOJ), alongside law enforcement authorities in Canada and Germany, has successfully dismantled the digital infrastructure powering four of the world’s most disruptive Internet of Things (IoT) botnets. The operation targeted the command-and-control frameworks of the Aisuru, Kimwolf, JackSkid, and Mossad botnets, which collectively compromised more than three million devices globally. These botnets, primarily composed of infected routers, digital video recorders (DVRs), and web cameras, have been identified as the primary engines behind a series of record-shattering distributed denial-of-service (DDoS) attacks that recently paralyzed major segments of the internet.

The disruption involved the execution of seizure warrants for multiple U.S.-registered domains, virtual private servers (VPS), and other critical infrastructure. The Defense Criminal Investigative Service (DCIS), the law enforcement arm of the Department of Defense Office of Inspector General (DoDIG), spearheaded the domestic portion of the operation. This involvement was prompted by sustained DDoS campaigns targeting IP addresses owned by the U.S. Department of Defense (DoD), signaling a direct threat to national security infrastructure.

The Scale and Impact of the Four Botnets

The four botnets in question represented a significant escalation in the capability of cybercriminal syndicates to mobilize hijacked hardware. According to DOJ filings, these networks were utilized to launch hundreds of thousands of individual attacks, often coupled with extortion demands. Victims who refused to pay often faced prolonged outages, with some reporting remediation expenses and lost revenue totaling tens of thousands of dollars.

The number of attacks issued through these networks was unprecedented. Aisuru, the oldest and most prolific of the group, was responsible for issuing more than 200,000 attack commands during its lifespan. JackSkid, a newer but highly aggressive entrant, launched at least 90,000 attacks. Kimwolf and Mossad, while smaller in scale, contributed roughly 25,000 and 1,000 attacks respectively. Despite the lower count for Mossad, investigators noted that its attacks were highly targeted and effective at knocking sophisticated enterprise defenses offline.

The scale of these botnets undercut mitigation strategies that rely on source-IP reputation or per-address rate limiting. With attack traffic arriving from millions of distinct residential IP addresses, each contributing only a small share of the total, the flood blends into the profile of ordinary home-user traffic, and automated filters struggle to separate a genuine user from a malicious bot.

Chronology of Emergence and Evolution

The timeline of these botnets reflects a rapid evolution in malware development and deployment. The Aisuru botnet first emerged in late 2024, quickly gaining notoriety for its ability to infect a wide array of consumer-grade IoT devices. By mid-2025, Aisuru had reached a critical mass, facilitating record-breaking DDoS attacks that overwhelmed major Internet Service Providers (ISPs) in the United States and Europe.

In October 2025, the threat landscape shifted with the emergence of Kimwolf. Investigations revealed that Kimwolf was essentially a variant of Aisuru, but with a critical technical innovation: a novel spreading mechanism that allowed the malware to propagate within internal networks. Unlike previous IoT malware that primarily scanned the public internet for vulnerable devices, Kimwolf could "jump" from a compromised device to other systems hidden behind the protection of a user’s local area network (LAN). This lateral movement capability allowed it to infect devices that were previously considered unreachable by external scans.

The rapid spread of Kimwolf prompted intense scrutiny from the cybersecurity community. On January 2, 2026, the security firm Synthient publicly disclosed the specific vulnerability Kimwolf was exploiting. While this disclosure provided a roadmap for patching and helped slow the botnet’s expansion, it also inadvertently provided a blueprint for other cybercriminals. Shortly thereafter, the JackSkid botnet emerged, adopting Kimwolf’s internal propagation methods to compete for the same pool of vulnerable hardware.

Technical Mechanics of Internal Propagation

The defining characteristic of the Kimwolf and JackSkid botnets was lateral scanning from inside the NAT boundary: rather than reaching through the router from outside, an already-infected device scans the private address space it shares with its neighbors. Traditional IoT botnets, such as the infamous Mirai, relied on scanning public IP addresses for open ports (like Telnet or SSH) and attempting to log in using default credentials.

Kimwolf improved upon this by using infected "bridge" devices. Once a single device on a home or office network was compromised, the malware would scan the private (RFC 1918) address ranges, such as 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12, looking for the same exposed services. A consumer router's firewall blocks unsolicited inbound connections from the internet, but it does nothing to restrict connections between devices on the same LAN, and because many users leave default passwords on internal devices on the assumption that the router protects them, Kimwolf achieved an exceptionally high infection rate within localized environments. This method turned a single compromised device into a total network compromise, converting entire households of "smart" devices into a unified weapon for the botmasters.
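The distinction drawn above, public-internet scanning in the Mirai style versus scanning of private address space from an already-infected foothold, is something a defender can look for in connection logs. The following Python script is an added example written for this page; it is not code from the article, the DOJ filings, or any of the botnets. It flags a source that fans out to an unusual number of distinct destinations on Telnet or SSH within a short window and labels whether the sweep targets RFC 1918 space (Kimwolf/JackSkid-style internal propagation) or public space (classic internet scanning). The log format, the thresholds, and the sample log lines are all constructed for the example.

```python
"""Flag IoT-style credential-sweep scanning in simplified connection logs.

Added example, not from the article or any botnet source. The flow-log
format ("<epoch> <src> -> <dst>:<dport>"), the fan-out threshold and the
sample records are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Ports that Mirai-family malware brute-forces with default credentials.
CRED_PORTS = {23, 2323, 22}
# Distinct destinations inside one window before we call it a sweep (assumed value).
FANOUT_THRESHOLD = 8
WINDOW_SECONDS = 60

# RFC 1918 private ranges; a sweep confined to these is LAN-internal propagation.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one constructed log line; return None for anything malformed."""
    try:
        ts, src, _arrow, rest = line.split()
        dst, dport = rest.rsplit(":", 1)
        return Flow(int(ts), src, dst, int(dport))
    except ValueError:
        return None


def detect_sweeps(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Return {src: {"scope": "internal"|"external"|"mixed", "targets": n}}.

    A source is reported when, within any WINDOW_SECONDS span, it attempts
    Telnet/SSH connections to at least FANOUT_THRESHOLD distinct hosts.
    """
    flows = [f for f in map(parse_line, lines) if f and f.dport in CRED_PORTS]
    flows.sort(key=lambda f: f.ts)
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    alerts: Dict[str, Dict[str, object]] = {}
    for src, fl in by_src.items():
        best, best_targets, start = 0, set(), 0
        for end in range(len(fl)):
            # Slide the window so that fl[start:end+1] spans at most WINDOW_SECONDS.
            while fl[end].ts - fl[start].ts > WINDOW_SECONDS:
                start += 1
            targets = {f.dst for f in fl[start:end + 1]}
            if len(targets) > best:
                best, best_targets = len(targets), targets
        if best >= FANOUT_THRESHOLD:
            priv = sum(is_private(t) for t in best_targets)
            scope = "internal" if priv == best else "external" if priv == 0 else "mixed"
            alerts[src] = {"scope": scope, "targets": best}
    return alerts


def sample_log() -> List[str]:
    """Constructed sample records (not real telemetry)."""
    lines = []
    # Kimwolf-style: an infected camera sweeps its own /24 on Telnet.
    for i, host in enumerate(range(2, 22)):
        lines.append(f"{1000 + i} 192.168.1.50 -> 192.168.1.{host}:23")
    # Mirai-style: an infected DVR sprays public (documentation-range) addresses.
    for i in range(12):
        lines.append(f"{2000 + i} 192.168.1.77 -> 203.0.113.{10 + i}:2323")
    # Benign: a laptop connecting to the NAS over SSH, plus ordinary web traffic.
    lines += ["3000 192.168.1.10 -> 192.168.1.5:22",
              "3500 192.168.1.10 -> 192.168.1.5:22",
              "3600 192.168.1.10 -> 198.51.100.7:443"]
    return lines


if __name__ == "__main__":
    for src, info in detect_sweeps(sample_log()).items():
        print(f"{src}: {info['scope']} sweep across {info['targets']} hosts")
```

Run against the constructed log, the camera at 192.168.1.50 is reported as an internal sweep of 20 hosts and the DVR at 192.168.1.77 as an external sweep of 12, while the laptop's two SSH sessions to the NAS stay below the threshold. On a real router or sensor the same logic would consume NetFlow, conntrack, or firewall logs; the threshold should be tuned to the size of the LAN, since a legitimate device rarely contacts more than a handful of neighbors on port 23 in a minute.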

International Law Enforcement and Suspect Identification

The dismantling of these botnets was not merely a technical operation but also a human one. While the DOJ focused on the infrastructure, law enforcement in Canada and Germany conducted simultaneous "law enforcement actions" against the individuals suspected of operating the networks.

In late February 2026, investigative reports identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Sources familiar with the ongoing multi-jurisdictional investigation have also pointed to a 15-year-old living in Germany as another prime suspect. These revelations highlight a recurring trend in the DDoS-for-hire and botnet industry: the involvement of young, technically proficient individuals who often operate from their bedrooms while managing global criminal enterprises.

The DOJ’s statement credited nearly two dozen private-sector technology companies for their assistance in the operation. This public-private partnership was essential for identifying the command-and-control (C2) nodes and redirecting botnet traffic to "sinkholes" managed by the FBI and its partners.

Official Reactions and Policy Implications

Special Agent in Charge Rebecca Day of the FBI’s Anchorage Field Office emphasized the importance of collective action in her statement following the disruption. "By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks," Day said. She noted that the action was specifically designed to prevent further infection of victim devices and to eliminate the botnets’ ability to launch future attacks.

The involvement of the DCIS underscores a growing concern within the Department of Defense regarding the vulnerability of civilian infrastructure and its impact on military readiness. DDoS attacks on DoD-owned addresses can interfere with logistics, communication, and administrative functions, making the neutralization of these botnets a matter of national security.

The case has also reignited discussions regarding the lack of standardized security protocols for IoT manufacturers. Because many of the devices compromised in the Aisuru and Kimwolf campaigns lacked the ability to receive security updates or required manual firmware flashes that the average consumer is unlikely to perform, they remain "forever vulnerable" until they are physically replaced.

Broader Impact on the Cyber Threat Landscape

The successful takedown of Aisuru, Kimwolf, JackSkid, and Mossad represents a significant victory, but experts warn that the vacuum left by these botnets will likely be filled quickly. The source code for such malware often leaks or is sold on underground forums, allowing new actors to spin up similar networks within weeks.

However, the legal precedent set by this operation is substantial. The ability of the DOJ and DCIS to seize virtual servers and domains across multiple jurisdictions sends a clear message to botnet operators. Furthermore, the focus on internal network propagation has forced a shift in defensive thinking. Security professionals are now advocating for "Zero Trust" architectures even in residential settings: placing IoT devices on a separate network segment or guest network with client isolation, so that a compromised camera or DVR cannot reach the laptops, storage, and other devices on the same LAN and the lateral spread seen with Kimwolf is cut off.

For the owners of the three million compromised devices, the disruption of the C2 servers means their hardware will no longer receive instructions to attack others. It does not, however, close the hole through which the malware got in. Without a firmware update, or a factory reset followed by changing the default password, these devices remain open to reinfection by the next generation of IoT malware.

Conclusion and Future Outlook

The dismantling of these four botnets is a testament to the efficacy of international cooperation in the face of borderless cybercrime. By targeting the infrastructure and the operators simultaneously, the DOJ, DCIS, and their partners in Canada and Germany have provided a temporary reprieve from the massive DDoS surges that characterized 2025.

As the investigation continues, the focus will likely shift toward the prosecution of the identified suspects and a broader push for IoT security legislation. For now, the "digital sieges" led by Aisuru and its successors have been broken, marking one of the largest and most complex botnet takedowns in the history of internet security. The operation serves as a stark reminder of the power inherent in the billions of connected devices that surround us, and the ongoing struggle to ensure they are not turned against the very infrastructure that sustains them.
