DoJ Disrupts Four Massive IoT Botnets Behind Record-Breaking 31.4 Tbps DDoS Attacks

The U.S. Department of Justice announced a major law enforcement operation to disrupt four IoT botnets — AISURU, Kimwolf, JackSkid, and Mossad — responsible for record-breaking distributed denial-of-service (DDoS) attacks reaching 31.4 terabits per second.

The court-authorized takedown, conducted in partnership with authorities from Canada and Germany, targeted command-and-control infrastructure that had enslaved over 3 million IoT devices worldwide, including digital video recorders, web cameras, and Wi-Fi routers.

Why It Matters

This operation represents one of the largest botnet disruptions in history, targeting infrastructure capable of overwhelming even cloud-based DDoS mitigation services. The scale of these attacks, equivalent to the combined populations of the UK, Germany, and Spain simultaneously sending web requests, demonstrates how compromised IoT devices can be turned into devastating cyber weapons.

Key Findings

  • Attack scale: The combined botnets launched DDoS attacks exceeding 30 Tbps, 14 billion packets per second, and 300 million requests per second
  • Infection footprint: Over 3 million devices globally, with hundreds of thousands in the U.S.
  • Primary targets: Off-brand Android smart TVs, set-top boxes, and compromised residential network devices
  • Business model: Operators used a “cybercrime as a service” approach, selling access to infected devices to other criminals

Novel Attack Vector

Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited residential proxy networks to infiltrate home networks through compromised streaming TV boxes and other IoT devices. This approach granted access to local networks typically protected from external threats by home routers — a fundamental shift in botnet operations.

Industry Response

The investigation involved an unprecedented coalition of private sector firms, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Team Cymru, Unit 221B, and QiAnXin XLab.

Lumen’s Black Lotus Labs null-routed nearly 1,000 command-and-control servers used by AISURU and Kimwolf. According to their data, JackSkid averaged over 150,000 daily victims in early March 2026, hitting 250,000 on March 8.

Defensive Implications

Organizations should immediately review their IoT device inventory, ensure firmware is updated, and consider network segmentation to isolate consumer IoT devices from critical infrastructure. The success of these botnets in targeting residential networks highlights the need for enhanced security in consumer IoT products.

Source: The Hacker News