Current Cyber Threats

International Joint Action Disrupts World's Largest DDoS Botnets

Summary:
On March 19, 2026, the U.S. Department of Justice executed a court-authorized operation to dismantle the command-and-control infrastructure of four IoT-based DDoS botnets: Aisuru, KimWolf, JackSkid, and Mossad. The takedown was coordinated with simultaneous law enforcement actions in Canada and Germany targeting the individuals who operated these botnets.

Aisuru and KimWolf are closely linked; KimWolf is essentially Aisuru's Android-focused successor, and Cloudflare previously attributed both to the largest DDoS attack on record, peaking at 31.4 Tbps. These four botnets are Mirai variants, and the operation was supported by a broad coalition of private sector firms, including Akamai, AWS, Cloudflare, Google, Lumen, Nokia, Okta, Oracle, and others.

The Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered internet domains, virtual servers, and other infrastructure used in attacks against IP addresses owned by the Department of Defense Information Network (DoDIN).

Security Officer Comments:
The four botnets collectively infected millions of IoT devices worldwide, primarily digital video recorders, web cameras, WiFi routers, and malicious Android TV boxes, and operated under a cybercrime-as-a-service model in which access to hijacked devices was sold to other criminal actors. KimWolf and JackSkid demonstrated a significant evolution in botnet capability by deploying exploitation methods capable of compromising devices positioned behind traditional firewalls, effectively bypassing perimeter defenses.

As of March 2026, infected devices exceeded three million globally, with hundreds of thousands located within the United States. Victims reported tens of thousands of dollars in losses and remediation expenses, and in some cases were subjected to extortion demands to halt attacks. The total number of DDoS attacks globally more than doubled in 2025 to 47.1 million, while network-layer attacks more than tripled year over year, with most attacks lasting under 10 minutes, limiting the window for human-led mitigation.

Suggested Corrections:
Organizations should treat this disruption as an opportunity to harden IoT infrastructure against the botnet tactics documented in this operation. The botnet operators built their armies by exploiting poor default security postures and known vulnerabilities in consumer and enterprise IoT devices, including DVRs, IP cameras, and WiFi routers.

Defenders should inventory all internet-connected devices on their networks, apply firmware updates promptly, replace default credentials, and segment IoT devices from critical business systems. Given that KimWolf and JackSkid specifically targeted firewalled devices, internal network segmentation and east-west traffic monitoring are essential; perimeter defenses alone are insufficient.
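The segmentation and east-west monitoring advice above can be turned into a concrete check. The following Python script is an added example written for this brief; it is not code from the DOJ release or from any of the vendors named above. It assumes a hypothetical device inventory (IP to device type and segment), a constructed set of flow records in a simple key=value format, and illustrative alert thresholds. It raises three kinds of alert a defender would want from IoT flow telemetry: an IoT device reaching a business-segment host (segmentation violation), an IoT device pushing an unusually large packet volume to external addresses (possible DDoS participation), and an IoT device touching many internal peers (lateral scanning inside the segment).

```python
"""Added example: east-west flow monitor for an IoT segment.

Inventory, segment names, thresholds and the flow records below are
constructed for illustration; they are not from the DOJ operation.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges used to tell internal-but-uninventoried hosts from the internet.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Hypothetical inventory: IP -> (device type, segment). Constructed sample.
INVENTORY = {
    "10.30.0.11": ("dvr", "iot"),
    "10.30.0.12": ("ip-camera", "iot"),
    "10.30.0.13": ("wifi-router", "iot"),
    "10.30.0.14": ("android-tv-box", "iot"),
    "10.10.0.5": ("file-server", "business"),
    "10.10.0.6": ("erp-db", "business"),
}

# Constructed flow records (timestamp, then key=value fields as a flow exporter might emit).
SAMPLE_FLOWS = """
2026-03-19T10:00:01Z src=10.30.0.11 dst=10.10.0.5 dport=445 pkts=12
2026-03-19T10:00:02Z src=10.30.0.12 dst=203.0.113.9 dport=80 pkts=30000
2026-03-19T10:00:03Z src=10.30.0.12 dst=198.51.100.7 dport=443 pkts=25000
2026-03-19T10:00:04Z src=10.30.0.14 dst=10.30.0.21 dport=23 pkts=3
2026-03-19T10:00:04Z src=10.30.0.14 dst=10.30.0.22 dport=23 pkts=3
2026-03-19T10:00:05Z src=10.30.0.14 dst=10.30.0.23 dport=23 pkts=3
2026-03-19T10:00:05Z src=10.30.0.14 dst=10.30.0.24 dport=23 pkts=3
2026-03-19T10:00:06Z src=10.30.0.14 dst=10.30.0.25 dport=23 pkts=3
2026-03-19T10:00:07Z src=10.10.0.5 dst=10.10.0.6 dport=5432 pkts=400
2026-03-19T10:00:08Z src=10.30.0.13 dst=203.0.113.50 dport=443 pkts=120
""".strip().splitlines()

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) pkts=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    pkts: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record; reject lines that lack the expected fields."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)


def segment_of(ip: str, inventory=INVENTORY) -> str:
    """Segment from inventory; uninventoried private IPs are 'internal-unknown', the rest 'external'."""
    if ip in inventory:
        return inventory[ip][1]
    return "internal-unknown" if is_internal(ip) else "external"


def analyze(lines, inventory=INVENTORY, outbound_pkt_threshold=50_000, scan_threshold=5):
    """Return a list of alert tuples for flows originating in the IoT segment."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    alerts = []
    outbound_pkts = defaultdict(int)   # IoT src -> packets sent to external addresses
    internal_peers = defaultdict(set)  # IoT src -> distinct internal destinations touched

    for f in flows:
        if segment_of(f.src, inventory) != "iot":
            continue  # only IoT-originated traffic is policed here
        dst_seg = segment_of(f.dst, inventory)
        if dst_seg == "business":
            # IoT must never initiate connections into critical business systems.
            alerts.append(("segmentation-violation", f.src, f.dst, f.dport))
        elif dst_seg == "external":
            outbound_pkts[f.src] += f.pkts
        else:
            internal_peers[f.src].add(f.dst)

    for src, pkts in outbound_pkts.items():
        if pkts >= outbound_pkt_threshold:
            alerts.append(("outbound-flood", src, pkts))
    for src, dsts in internal_peers.items():
        if len(dsts) >= scan_threshold:
            alerts.append(("lateral-scan", src, len(dsts)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

On the constructed sample this yields one alert of each kind: the DVR reaching the file server on port 445, the IP camera sending 55,000 packets to external hosts, and the Android TV box touching five internal peers on port 23; the router's 120 external packets and the file-server-to-database flow raise nothing. Thresholds would be tuned per segment in practice, and the inventory is the part that decays fastest, so the uninventoried-internal bucket is worth reviewing on its own.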

Link(s):
https://www.justice.gov/usao-ak/pr/...s-botnets-responsible-record-breaking-attacks