MagnaNet Network
Global Law Enforcement Operation Dismantles Record-Breaking IoT Botnets Responsible for Massive DDoS Attacks

Cahyo Dewo, March 22, 2026

In a significant victory against sophisticated cybercrime, the U.S. Department of Justice (DoJ) announced on Thursday the successful disruption of critical command-and-control (C2) infrastructure vital to several notorious Internet of Things (IoT) botnets, including AISURU, Kimwolf, JackSkid, and Mossad. This extensive, court-authorized law enforcement operation, spearheaded by U.S. authorities, involved crucial collaboration with their counterparts in Canada and Germany, alongside a formidable coalition of private sector cybersecurity and technology firms. The targeted botnets were responsible for launching distributed denial-of-service (DDoS) attacks of unprecedented scale, impacting victims globally and establishing new benchmarks for volumetric cyber assaults.

The Rise of a Digital Scourge: Understanding the Botnets

At the heart of this disruption are botnets, networks of compromised computing devices controlled remotely by a single attacker, known as a "botmaster." These devices, often unbeknownst to their owners, are infected with malicious software (malware) that allows them to be conscripted into this digital army. In the context of IoT botnets, the compromised devices are typically everyday smart gadgets such as digital video recorders (DVRs), web cameras, Wi-Fi routers, and even off-brand Android smart TVs and set-top boxes. Their inherent vulnerabilities, often stemming from weak default passwords, unpatched firmware, or exposed management interfaces, make them prime targets for exploitation.

Once enslaved, these "bots" are collectively leveraged to launch DDoS attacks. A DDoS attack is an attempt to render an online service unavailable by overwhelming it with a flood of traffic from multiple compromised systems. This deluge of data can cripple websites, online services, and critical infrastructure, leading to significant financial losses, reputational damage, and widespread disruption. The botnets targeted in this operation – AISURU, Kimwolf, JackSkid, and Mossad – are all considered variants of the infamous Mirai botnet, which first emerged in 2016 and revolutionized the landscape of IoT-based cyber warfare by exploiting common vulnerabilities in consumer devices.

A Chronology of Cyber Onslaughts

The activities of these botnets have spanned several years, escalating in sophistication and destructive power. AISURU, believed to be the progenitor for some of the more recent variants, has been active since at least August 2024. It laid the groundwork for the techniques and scale that would later define its offshoots.

The Kimwolf botnet, first thoroughly documented by QiAnXin XLab in December 2025, quickly distinguished itself. It amassed a staggering network of over 2 million Android devices, predominantly compromised smart TVs and set-top boxes, marking a significant shift towards Android-focused exploitation. Kimwolf, in particular, gained notoriety for a series of hyper-volumetric DDoS attacks towards the end of 2025. These assaults were characterized by an average size of 3 billion packets per second (Bpps), 4 Terabits per second (Tbps), and 54 million requests per second (Mrps).

One of the most extreme instances attributed to the combined AISURU/Kimwolf botnet occurred in November 2025. Cloudflare reported a massive 31.4 Tbps DDoS attack that, despite lasting only 35 seconds, set a new record for attack volume. This short but intense burst of malicious traffic demonstrated the immense destructive potential these botnets wielded, capable of saturating even robust internet infrastructure. The DoJ highlighted that some of these attacks measured approximately 30 Tbps, firmly establishing them as "record-breaking attacks" in the annals of cybercrime.

In the lead-up to the March 2026 disruption, other variants like JackSkid and Mossad also demonstrated significant activity. Data from Lumen’s Black Lotus Labs indicated that JackSkid averaged over 150,000 daily victims during the first two weeks of March 2026, peaking at 250,000 on March 8. Mossad, during the same period, averaged over 100,000 daily victims. The consistent high victim count underscored the pervasive nature of these threats and the continuous expansion of their compromised networks.

DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

Unprecedented Scale and Sophistication

The sheer scale of the attacks launched by these botnets is difficult to comprehend. To illustrate, Cloudflare provided a vivid analogy for the maximum attack traffic generated by the combined AISURU and Kimwolf botnets: it was equivalent to "the combined populations of the U.K., Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second." This comparison underscores the immense computational power and network bandwidth that these illicit networks could marshal, capable of overwhelming even the most resilient online services and internet infrastructure.

Akamai, another key partner in the disruption, corroborated these figures, noting that the hyper-volumetric botnets generated attacks exceeding 30 Tbps, 14 billion packets per second, and 300 Mrps. Such extraordinary volumes of traffic can paralyze core internet infrastructure, cause severe service degradation for Internet Service Providers (ISPs) and their downstream customers, and even overwhelm high-capacity cloud-based mitigation services designed to withstand large-scale attacks. The DoJ estimated that the four botnets collectively infected no less than 3 million devices worldwide, with hundreds of thousands of these compromised machines located within the United States alone. These numbers paint a stark picture of the global reach and pervasive threat these operations represented.

The "Cybercrime as a Service" Model

A critical aspect of these botnets’ operation was their adoption of a "cybercrime as a service" model. Instead of using their compromised networks exclusively for their own attacks, the operators monetized their illicit infrastructure by selling access to other cybercriminals. This model democratizes large-scale cyberattacks: individuals or groups that lack the technical skill or resources to build their own botnets can simply rent the capacity to launch devastating DDoS attacks.

As the DoJ statement highlighted, "The operators then used a ‘cybercrime as a service’ model to sell access to the infected devices to other cyber criminals." This effectively created a marketplace for digital disruption, where clients could purchase the ability to target competitors, extort payments from businesses, or engage in politically motivated cyber vandalism. Court documents suggest that the four Mirai botnet variants issued hundreds of thousands of DDoS attack commands, indicating a highly active and profitable criminal enterprise built upon this service model. In some cases, Akamai noted, cybercriminals leveraged these botnets to launch attacks and demand extortion payments from victims, adding another layer of financial motivation to their operations.

Kimwolf’s Novel Attack Vector: Residential Proxies

One of the most concerning innovations observed in the Kimwolf botnet, and subsequently emulated by JackSkid and Mossad, was its unique attack vector involving residential proxy networks. As Tom Scholl, VP/Distinguished Engineer at AWS, explained in a LinkedIn post, "Kimwolf represented a fundamental shift in how botnets operate and scale. Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited a novel attack vector: residential proxy networks."

This method allowed the botnet to infiltrate home networks through already compromised devices, such as streaming TV boxes and other IoT gadgets. Once inside a local network, the botnet could exploit weaknesses that home routers normally shield from external threats. Specifically, the vulnerability affected residential proxy providers such as IPIDEA and granted threat actors access to local network devices with Android Debug Bridge (ADB) exposed. ADB is a versatile command-line tool that lets developers communicate with an Android device, but when left exposed and unprotected, it becomes a severe security risk. This exploitation allowed Kimwolf, and later JackSkid and Mossad, to leverage these residential proxy networks to "sweep up those bots for their own use," dramatically increasing their reach. As Ryan English, a security researcher at Lumen’s Black Lotus Labs, noted, the technique made the botnets incredibly resilient because they could continually find new vulnerable devices within supposedly secure residential networks.
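The two behaviours described above, lateral ADB connections inside a home network and a TV box suddenly pushing attack-scale egress traffic, are exactly what a home or SOHO network defender can look for in flow telemetry. The following detector is an added example written for this article; it is not code from the DoJ, Lumen, or any vendor named here. The flow format, the 192.168.1.0/24 home range, the known developer workstation, and the packet-rate threshold are all assumptions; the sample flows are constructed.

```python
"""Added example (not the article's or any vendor's code): flags two behaviours
the article attributes to Kimwolf-style bots in constructed, simplified flow
records: src_ip,dst_ip,proto,dst_port,packets,duration_s. Ranges/thresholds are assumptions."""
import ipaddress
from collections import defaultdict

ADB_PORT = 5555            # TCP port the Android Debug Bridge listens on over the network
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home network range
KNOWN_ADB_CLIENTS = {"192.168.1.10"}                 # assumed developer workstation
PPS_THRESHOLD = 50_000     # assumed: a TV box should never push this many packets/s out

# Constructed sample flows (not real telemetry): .77 probes ADB on two neighbours,
# .50 then floods an external host; .10 is the legitimate ADB client.
SAMPLE_FLOWS = """\
192.168.1.10,192.168.1.50,tcp,5555,40,2.0
192.168.1.77,192.168.1.50,tcp,5555,120,5.0
192.168.1.77,192.168.1.51,tcp,5555,90,4.0
192.168.1.50,203.0.113.9,udp,443,6000000,30.0
192.168.1.20,198.51.100.4,tcp,443,800,12.0
"""

def parse_flows(text):
    """Parse the simplified CSV flow records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, pkts, dur = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "port": int(port), "packets": int(pkts),
                      "duration": float(dur)})
    return flows

def lateral_adb_sources(flows):
    """Internal hosts opening ADB sessions to other internal hosts, excluding known clients.
    A residential-proxy foothold sweeping neighbours for exposed ADB looks like this."""
    hits = defaultdict(set)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if (f["proto"] == "tcp" and f["port"] == ADB_PORT
                and src in HOME_LAN and dst in HOME_LAN
                and f["src"] not in KNOWN_ADB_CLIENTS):
            hits[f["src"]].add(f["dst"])
    return {s: sorted(d) for s, d in hits.items()}

def ddos_participants(flows, pps_threshold=PPS_THRESHOLD):
    """Internal hosts whose outbound packet rate to an external host exceeds the threshold."""
    out = {}
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in HOME_LAN and dst not in HOME_LAN and f["duration"] > 0:
            pps = f["packets"] / f["duration"]
            if pps >= pps_threshold:
                out[f["src"]] = max(out.get(f["src"], 0), pps)
    return out
```

On the constructed sample, the first check reports 192.168.1.77 probing two neighbours and the second reports 192.168.1.50 sending 200,000 packets per second outbound; a real deployment would feed router NetFlow or conntrack exports and tune the threshold per device class.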

The Collaborative Counter-Offensive


The successful disruption of these botnets is a testament to the power of international cooperation and public-private partnerships in combating sophisticated cyber threats. The DoJ’s operation was not a solitary effort but a concerted initiative involving numerous stakeholders.

Law enforcement agencies from Canada and Germany worked in tandem with U.S. authorities to target the operators behind these botnets. On the private sector front, a broad coalition of technology and cybersecurity giants provided critical assistance. This included Akamai, Amazon Web Services (AWS), Cloudflare, DigitalOcean, Google, Lumen (through its Black Lotus Labs), Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. These firms contributed their expertise, intelligence, and resources, ranging from identifying malicious infrastructure and tracking attack patterns to providing forensic data and assisting with the legal process.

Lumen’s Black Lotus Labs played a particularly active role, announcing that it had null-routed nearly 1,000 of the C2 servers used by AISURU and then Kimwolf. Null-routing is a network technique used to drop unwanted traffic, effectively severing the connection between the botmasters and their enslaved devices. QiAnXin XLab provided crucial intelligence, including sample hashes, decrypted C2 configurations, and screenshots of DDoS attacks, which served as vital evidence in the investigation. Akamai, with its deep insights into internet traffic and DDoS mitigation, confirmed the hyper-volumetric nature of the attacks and the extortion tactics employed by the cybercriminals.

The Human Element: Suspects and Challenges

While the technical disruption of the botnets’ infrastructure is a major success, the human element of cybercrime often presents complex challenges. Independent security journalist Brian Krebs, known for his investigative work in cybersecurity, traced the administrator of Kimwolf to 23-year-old Jacob Butler, also known by his online alias "Dort," from Ottawa, Canada.

When confronted, Butler claimed he had not used the "Dort" persona since 2021 and alleged that someone was impersonating him after compromising his old account. He further stated that "he mostly stays home and helps his mom around the house because he struggles with autism and social interaction." Krebs’s investigations also pointed to another prime suspect, a 15-year-old residing in Germany. As of the DoJ’s announcement, no arrests have been publicly announced, highlighting the ongoing investigative challenges, including issues of attribution, jurisdiction, and the complexities of prosecuting individuals, particularly minors, in international cybercrime cases. These circumstances underscore the intricate legal and ethical considerations involved in bringing cybercriminals to justice, especially when identities are obscured or disputed.

Broader Implications and Future Security

The disruption of the AISURU, Kimwolf, JackSkid, and Mossad botnets represents a significant blow to the global cybercrime ecosystem. It temporarily dismantles a powerful infrastructure used for widespread digital attacks and undermines the "cybercrime as a service" model that fuels much of today’s online illicit activities. However, the fight against botnets is often likened to a game of "whack-a-mole," where shutting down one operation often leads to the emergence of new ones. As Ryan English from Lumen’s Black Lotus Labs noted, "The problem is, there are just so many devices out there that are vulnerable that two things happened – first, Kimwolf proved to be incredibly resilient. The second problem was that multiple new botnets started to emulate the technique of using the vulnerability to grow very large, very fast."

This incident highlights several critical implications for future cybersecurity:

  1. The Persistent Threat of IoT Vulnerabilities: The reliance on millions of insecure IoT devices remains a fundamental weakness in global cybersecurity. Manufacturers must prioritize security by design, implementing strong default passwords, regular firmware updates, and secure configuration options. Consumers, in turn, must be educated on the importance of securing their smart devices.
  2. The Evolution of Attack Vectors: Kimwolf’s exploitation of residential proxy networks and exposed ADB ports demonstrates a shift towards more sophisticated infiltration methods that bypass traditional perimeter defenses. This necessitates new detection and mitigation strategies focused on internal network security and endpoint protection for IoT devices.
  3. The Indispensability of Collaboration: The success of this operation underscores the critical importance of multi-national law enforcement cooperation and robust public-private partnerships. The sharing of intelligence, resources, and expertise between governments and private companies is essential to effectively combat globally distributed cyber threats.
  4. The Resilience of Cybercrime: Despite major disruptions, the underlying motivations and technical ingenuity of cybercriminals ensure that new threats will continually emerge. This necessitates ongoing vigilance, continuous threat intelligence sharing, and adaptive security measures.
  5. Legal and Attribution Challenges: The complexities surrounding suspect identification, international jurisdiction, and the legal prosecution of cybercriminals, particularly those who may be minors or claim impersonation, remain significant hurdles that require evolving legal frameworks and international agreements.

In conclusion, while the disruption of these record-breaking IoT botnets is a commendable achievement, it serves as a stark reminder of the dynamic and relentless nature of the cyber threat landscape. It reinforces the need for sustained investment in cybersecurity, proactive defense strategies, and a collaborative global effort to safeguard digital infrastructure and ensure the integrity of the internet.
