DoJ Takes Down 3 Million Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

The U.S. Department of Justice has announced a major cybersecurity operation that successfully disrupted the command-and-control infrastructure used by multiple large-scale Internet of Things botnets, including AISURU, Kimwolf, JackSkid, and Mossad.

This coordinated law enforcement effort, carried out under court authorization, also involved international cooperation with authorities from Canada and Germany. Several leading technology and cybersecurity companies supported the investigation, highlighting the global scale of the threat.

According to officials, these botnets were responsible for launching distributed denial-of-service attacks against targets worldwide. Some of these attacks reached unprecedented levels, with traffic volumes approaching 30 terabits per second, making them among the most powerful DDoS campaigns ever recorded.

Record-Setting DDoS Activity Linked to Botnets

Security researchers previously linked the AISURU and Kimwolf botnets to a massive 31.4 Tbps DDoS attack that occurred in late 2025. Although the attack lasted only a short time, it demonstrated the extreme capacity of modern botnets.

In addition to peak traffic, these botnets carried out repeated high-volume attacks, generating billions of packets per second and tens of millions of requests per second. Such hyper-volumetric attacks can overwhelm even advanced cloud-based protection systems.

Millions of Devices Compromised Worldwide

Investigations revealed that these botnets collectively infected more than three million devices across the globe. The compromised systems included a wide range of internet-connected hardware such as:

  • Smart TVs and Android-based streaming devices
  • Digital video recorders (DVRs)
  • Web cameras and home routers

A large portion of these devices were low-cost or unbranded products with weak security protections, making them easy targets for attackers.

Kimwolf alone is believed to have recruited over two million Android-based devices into its network, marking a significant evolution in botnet scale and efficiency.

Cybercrime-as-a-Service Model Expands Threat

Authorities stated that the operators behind these botnets adopted a “cybercrime-as-a-service” approach. Instead of using the networks solely for their own attacks, they rented access to other cybercriminals, enabling widespread abuse.

Court documents indicate that hundreds of thousands of attack commands were issued across the four botnets:

  • AISURU: more than 200,000 attack commands
  • Kimwolf: over 25,000 commands
  • JackSkid: exceeding 90,000 commands
  • Mossad: more than 1,000 commands

This model significantly increased the scale and frequency of global DDoS incidents.

New Attack Techniques Increase Botnet Power

Researchers highlighted that Kimwolf introduced a new method for expanding botnets by exploiting residential proxy networks. By compromising home devices such as TV boxes, attackers gained access to internal networks that are typically shielded from the public internet.

This approach allowed the botnet to grow rapidly while remaining resilient against takedown efforts. Other botnets, including JackSkid and Mossad, later adopted similar techniques to expand their reach.

Additionally, vulnerabilities affecting proxy services enabled attackers to access devices with exposed Android Debug Bridge interfaces, further accelerating infection rates.

Ongoing Threat Despite Disruption

Although authorities successfully disrupted key infrastructure, experts warn that the threat remains significant. The sheer number of vulnerable IoT devices worldwide continues to provide opportunities for new botnets to emerge.

Security researchers also observed that some botnets were capable of targeting hundreds of thousands of victims daily, demonstrating the persistent and evolving nature of these attacks.



