U.S. Department of Justice Dismantles Massive IoT Botnets Behind Record-Breaking DDoS Attacks
In a significant crackdown on cybercrime, the U.S. Department of Justice (DoJ) announced on Thursday the successful disruption of command-and-control (C2) infrastructures associated with several notorious Internet of Things (IoT) botnets, including AISURU, Kimwolf, JackSkid, and Mossad. This operation, authorized by the courts, marks a pivotal step in combating large-scale cyber threats.
These botnets were responsible for orchestrating distributed denial-of-service (DDoS) attacks on a global scale, some reaching unprecedented magnitudes. Notably, in November 2025, AISURU and Kimwolf were linked to a colossal 31.4 terabits per second (Tbps) DDoS attack that lasted 35 seconds, setting a new record for such cyber assaults. Subsequent attacks by these botnets averaged 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps), underscoring their formidable capabilities.
The operation was a collaborative effort involving law enforcement agencies from Canada and Germany, alongside private sector partners such as Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. This coalition exemplifies the necessity of international and cross-sector cooperation in addressing cyber threats that transcend national borders.
Investigations into the botnet operators have identified key individuals. Independent security journalist Brian Krebs traced the administrator of Kimwolf to Jacob Butler, a 23-year-old from Ottawa, Canada, known online as Dort. Butler, however, claims that his Dort persona has been inactive since 2021 and suggests that someone may be impersonating him. Another suspect is a 15-year-old residing in Germany. As of now, no arrests have been announced.
Kimwolf, first documented by QiAnXin XLab in December 2025, has infected over 2 million Android devices, primarily off-brand smart TVs and set-top boxes. This botnet represents a significant evolution in cyber threats, exploiting residential networks to amass a vast array of compromised devices. Collectively, the four botnets have infected at least 3 million devices worldwide, including digital video recorders, web cameras, and Wi-Fi routers, with hundreds of thousands located in the United States.
The scale of these attacks is staggering. Cloudflare described the combined attack traffic of AISURU and Kimwolf as equivalent to the combined populations of the U.K., Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second. This analogy highlights the immense pressure these botnets can exert on targeted systems.
The DoJ’s operation not only disrupted the botnets’ infrastructures but also targeted their operators. The Kimwolf and JackSkid botnets, in particular, infected devices that were typically located behind firewalls and conscripted them into their networks. The operators then monetized this access by offering it to other cybercriminals, effectively creating a cybercrime-as-a-service model. The infected devices were subsequently used to launch DDoS attacks against targets around the world.
Court documents reveal the extensive reach of these botnets:
– AISURU: Over 200,000 DDoS attack commands issued.
– Kimwolf: More than 25,000 DDoS attack commands.
– JackSkid: Exceeding 90,000 DDoS attack commands.
– Mossad: Over 1,000 DDoS attack commands.
The disruption of these botnets is a testament to the effectiveness of coordinated efforts between law enforcement and private sector entities in combating cyber threats. However, it also underscores the evolving nature of cybercrime, where attackers continually adapt their methods to exploit new vulnerabilities.
The DoJ’s actions serve as a reminder of the critical importance of cybersecurity vigilance. Organizations and individuals must remain proactive in securing their devices and networks to prevent them from being co-opted into such malicious activities. Regular software updates, strong password policies, and network monitoring are essential components of a robust cybersecurity posture.
As cyber threats continue to evolve, the collaboration between international law enforcement agencies and private sector partners will be crucial in identifying, disrupting, and dismantling malicious networks. The recent operation against these IoT botnets marks a significant victory in the ongoing battle against cybercrime, but it also highlights the need for continued vigilance and cooperation in the face of ever-changing threats.