
  • Feds Disrupt IoT Botnets Behind Huge DDoS Attacks – Krebs on Security


    The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

    The Justice Department said the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against Internet addresses owned by the DoD.

    The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.

    The oldest of the botnets — Aisuru — issued more than 200,000 attack commands, while JackSkid hurled at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughly 1,000 digital sieges.

    The DOJ said the law enforcement action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks. The case is being investigated by the DCIS with help from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement credits nearly two dozen technology companies with assisting in the operation.

    “By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

    Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, an Aisuru variant which introduced a novel spreading mechanism that allowed the botnet to infect devices hidden behind the protection of the user’s internal network.

    On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks just like Kimwolf.

    The DOJ said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany targeting individuals who allegedly operated those botnets, although no further details were available on the suspected operators.

    In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity the other prime suspect is a 15-year-old living in Germany.




  • DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks


    The U.S. Department of Justice (DoJ) on Thursday announced the disruption of command-and-control (C2) infrastructure used by several Internet of Things (IoT) botnets like AISURU, Kimwolf, JackSkid, and Mossad as part of a court-authorized law enforcement operation.

    The effort also saw authorities from Canada and Germany targeting the operators behind these botnets, with a number of private sector firms, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab assisting in the investigation efforts.

    “The four botnets launched distributed denial-of-service (DDoS) attacks targeting victims around the world,” the DoJ said. “Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.”

    In a report last month, Cloudflare attributed AISURU/Kimwolf to a massive 31.4 Tbps DDoS attack that occurred in November 2025 and lasted only 35 seconds. Towards the end of last year, the botnet was also responsible for a series of hyper-volumetric DDoS attacks that had an average size of 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps).

    Independent security journalist Brian Krebs also traced the administrator of Kimwolf to Jacob Butler (aka Dort), a 23-year-old from Ottawa, Canada. Butler told Krebs he has not used the Dort persona since 2021 and claimed someone is impersonating him after compromising his old account.

    Butler also said he "mostly stays home and helps his mom around the house because he struggles with autism and social interaction." According to Krebs, the other prime suspect is a 15-year-old residing in Germany. No arrests have been announced.

    First documented by XLab in December 2025, Kimwolf has conscripted more than 2 million Android devices into its network, most of which are compromised, off-brand Android smart TVs and set-top boxes. It is an Android-focused version of another botnet known as AISURU, which has been active since at least August 2024.

    In all, the four botnets are estimated to have infected at least 3 million devices worldwide, such as digital video recorders, web cameras, and Wi-Fi routers, of which hundreds of thousands are located in the U.S.

    Cloudflare described the maximum attack traffic of the combined AISURU and Kimwolf botnets as equivalent to “the combined populations of the U.K., Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second.”

    “The Kimwolf and JackSkid botnets are accused of targeting and infecting devices which are traditionally ‘firewalled’ from the rest of the internet. The infected devices were enslaved by the botnet operators,” the DoJ said. “The operators then used a ‘cybercrime as a service’ model to sell access to the infected devices to other cyber criminals.”

    These infected devices were then used to conduct DDoS attacks against targets of interest across the world. Court documents allege that the four Mirai botnet variants have issued hundreds of thousands of DDoS attack commands:

    • AISURU – >200,000 DDoS attack commands
    • Kimwolf – >25,000 DDoS attack commands
    • JackSkid – >90,000 DDoS attack commands
    • Mossad – >1,000 DDoS attack commands

    “Kimwolf represented a fundamental shift in how botnets operate and scale. Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited a novel attack vector: residential proxy networks,” Tom Scholl, VP/Distinguished Engineer at AWS, said in a post shared on LinkedIn.

    “By infiltrating home networks through compromised devices — including streaming TV boxes and other IoT devices — the botnet gained access to local networks that are typically protected from external threats by home routers.”

    Lumen Black Lotus Labs, in a statement shared with The Hacker News, said it has null-routed nearly 1,000 of the C2 servers used by AISURU and then Kimwolf. According to data gathered by the cybersecurity company, JackSkid averaged over 150,000 daily victims in the first two weeks of March 2026, hitting 250,000 on March 8. Mossad averaged over 100,000 daily victims during the same period.

    “The problem is, there are just so many devices out there that are vulnerable that two things happened – first, Kimwolf proved to be incredibly resilient,” Ryan English, security researcher at Lumen’s Black Lotus Labs, said. “The second problem was that multiple new botnets started to emulate the technique of using the vulnerability to grow very large, very fast.”

    XLab told the publication that it provided sample hashes, decrypted C2 configurations, and screenshots of DDoS attacks as evidence. Akamai said the hyper-volumetric botnets generated attacks exceeding 30 Tbps, 14 billion packets per second, and 300 Mrps, adding that cybercriminals leveraged these botnets to launch hundreds of thousands of attacks and demand extortion payments from victims in some cases.

    “These attacks can cripple core internet infrastructure, cause significant service degradation for ISPs and their downstream customers, and even overwhelm high-capacity cloud-based mitigation services,” the web infrastructure company said.


