The United States Department of Justice, in a coordinated effort with law enforcement agencies in Canada and Germany, has successfully dismantled the digital infrastructure supporting four of the world’s most disruptive Internet of Things (IoT) botnets. These malicious networks—identified by the monikers Aisuru, Kimwolf, JackSkid, and Mossad—were collectively responsible for compromising more than three million devices globally, including consumer-grade routers, smart home appliances, and web cameras. According to federal authorities, these botnets served as the primary engines for a series of recent, record-smashing distributed denial-of-service (DDoS) attacks that demonstrated the capability to knock virtually any digital target offline, including critical government infrastructure and major private-sector enterprises.
The operation represents a significant milestone in international cyber-policing, highlighting the growing necessity of cross-border cooperation to combat the proliferation of automated cyber threats. The U.S. Justice Department revealed that the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) led the domestic efforts, executing multiple seizure warrants. These warrants targeted U.S.-registered domains, virtual private servers (VPS), and secondary infrastructure that the botmasters used to orchestrate attacks specifically directed at Internet addresses owned and operated by the Department of Defense (DoD).
The Scale and Scope of the Botnet Operations
The four targeted botnets functioned as "crime machines," allowing their operators to launch hundreds of thousands of coordinated attacks with minimal effort. The government’s investigation alleges that the unnamed individuals behind these networks frequently utilized their capabilities for extortion. Victims were often presented with demands for payment in exchange for the cessation of the digital onslaught. For many businesses, the cost of these attacks extended far beyond the ransom demands; some victims reported losses and remediation expenses totaling tens of thousands of dollars due to lost revenue, hardware damage, and the high cost of emergency cybersecurity intervention.
Data released by the Department of Justice provides a window into the sheer volume of activity generated by these networks. Aisuru, the oldest and most prolific of the group, was responsible for issuing more than 200,000 individual attack commands during its tenure. JackSkid followed with at least 90,000 attack commands. Kimwolf, a more recent but highly aggressive variant, issued over 25,000 attack commands, while Mossad was linked to approximately 1,000 digital sieges. While Mossad’s numbers appear lower by comparison, officials noted that its attacks were often highly targeted and remarkably potent.
A Chronology of Emergence and Evolution
The timeline of these botnets illustrates the rapid evolution of IoT-based threats. Aisuru first emerged on the radar of cybersecurity researchers in late 2024. By mid-2025, it had achieved a massive scale, blanketing U.S.-based Internet Service Providers (ISPs) in record-breaking DDoS traffic. Its growth was fueled by the exploitation of known vulnerabilities in unpatched IoT devices, a common vector for such malware.
In October 2025, the threat landscape shifted with the introduction of Kimwolf. Described by experts as an Aisuru variant, Kimwolf introduced a novel and highly effective spreading mechanism. Unlike traditional botnets that scan the public internet for vulnerable devices, Kimwolf was designed to infiltrate devices hidden behind the protection of a user’s internal network (LAN). Once a single device on a network was compromised, Kimwolf could move laterally, infecting other local devices that were previously considered safe by their owners.
The rapid propagation of Kimwolf prompted intense scrutiny from the private sector. On January 2, 2026, the security firm Synthient publicly disclosed the specific vulnerability Kimwolf was leveraging. While this disclosure allowed manufacturers and savvy users to begin patching their systems, the damage was largely done. The "internal network" infection strategy proved so successful that other botnets, including JackSkid, quickly adopted similar methods, leading to an aggressive competition among botmasters for the same pool of vulnerable hardware.
Technical Analysis of the IoT Threat Landscape
The success of Aisuru, Kimwolf, JackSkid, and Mossad underscores a persistent and systemic weakness in the global technology ecosystem: the insecurity of IoT devices. Many of the three million compromised devices were routers and cameras shipped with "hardcoded" or default credentials, or ran outdated firmware containing vulnerabilities that had been public for years.
IoT botnets operate by turning these everyday devices into "zombies." When a botmaster issues a command, millions of these devices simultaneously flood a target’s server with junk traffic. This overwhelming volume of data consumes the target’s bandwidth and processing power, making it impossible for legitimate users to access the service. The record-smashing attacks seen in 2025 and early 2026 reached traffic volumes measured in terabits per second (Tbps), a scale that can overwhelm even the most robust DDoS mitigation services.
The involvement of the DCIS in this takedown is particularly noteworthy. Because these botnets were used to target Department of Defense assets, the investigation was treated as a matter of national security. The seizure of U.S.-based infrastructure effectively "decapitated" the botnets, severing the link between the botmasters’ command-and-control (C2) servers and the millions of infected devices.
International Coordination and Investigations into the Operators
The disruption of the online infrastructure was timed to coincide with law enforcement actions in Canada and Germany. While the DOJ statement was sparse on details regarding the specific individuals involved, independent investigations have begun to shed light on the suspected operators. In late February, reporting from KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Furthermore, sources familiar with the ongoing investigation suggested that another prime suspect is a 15-year-old resident of Germany.
The profile of these suspects—young, technically proficient individuals operating from their bedrooms—is a recurring theme in modern cybercrime. The availability of "leaked" source code from previous botnets, such as the infamous Mirai botnet of 2016, has lowered the barrier to entry for aspiring cybercriminals. By modifying existing code and finding new vulnerabilities, small groups or even individuals can exert disproportionate influence over the stability of the global internet.
The FBI’s Anchorage Field Office played a central role in the domestic side of the operation. Special Agent in Charge Rebecca Day emphasized the importance of the partnership between government and the private sector. The DOJ’s official statement credited nearly two dozen technology companies with providing the technical intelligence and assistance necessary to track the botnets’ movements and identify their hosting providers.
Official Responses and Strategic Implications
"By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks," said Special Agent in Charge Rebecca Day. "This action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks."
The broader implications of this takedown are twofold. First, it serves as a deterrent to other botnet operators by demonstrating that law enforcement can and will reach across borders to dismantle infrastructure and identify perpetrators. Second, it highlights the urgent need for a shift in how IoT devices are manufactured and managed.
Industry analysts suggest that without stricter regulations on IoT security standards—such as banning default passwords and requiring mandatory security updates—new botnets will inevitably rise to fill the vacuum left by Aisuru and Kimwolf. The "arms race" between botmasters and security researchers continues, with each side learning from the other’s successes and failures.
Impact on Victims and the Path Forward
For the millions of individuals whose devices were conscripted into these botnets, the takedown brings a silent relief. Most users are unaware that their home router or baby monitor is being used to attack a government agency or a multi-national corporation. However, an infected device often suffers from degraded performance, instability, and increased data usage.
The Justice Department has stated that the seizure of the domains and servers will prevent the botnets from receiving new instructions, effectively rendering the malware on the devices dormant. However, the DOJ also warned that this does not "clean" the devices. Users are encouraged to reboot their hardware, update to the latest firmware, and change all administrative passwords to prevent re-infection by the next wave of emerging botnets.
As the legal proceedings against the suspects in Canada and Germany move forward, the cybersecurity community remains vigilant. The dismantling of Aisuru, Kimwolf, JackSkid, and Mossad is a significant victory, but in the world of cybercrime, the "hydra" effect is real: for every head cut off, two more may grow. This operation underscores that the defense of the digital frontier is an ongoing, collaborative, and global responsibility.
The success of this mission provides a blueprint for future operations, emphasizing that when international law enforcement, defense agencies, and private technology firms align their resources, they can strike a decisive blow against even the most sophisticated digital adversaries. The focus now shifts to the long-term goal of hardening the world’s IoT infrastructure to ensure that such massive botnets can never again achieve the same level of unchecked dominance.
