DOJ Dismantles Four Major IoT Botnets Behind Record-Breaking DDoS Attacks
The U.S. Department of Justice, in coordination with authorities from Canada and Germany, dismantled the command-and-control infrastructure of four massive Internet of Things (IoT) botnets on March 20, 2026. The operation targeted the networks known as Aisuru, Kimwolf, JackSkid, and Mossad, which had compromised more than three million IoT devices, including web cameras and routers, to launch record-breaking distributed denial-of-service (DDoS) attacks.
As part of the law enforcement action, the Defense Criminal Investigative Service (DCIS), an arm of the Department of Defense Office of Inspector General, executed seizure warrants for multiple virtual private servers and web domains registered in the United States. These systems were used to power the botnets and target internet addresses owned by the U.S. Department of Defense.
Record-Breaking Attack Volumes
The four botnets were responsible for some of the largest DDoS attacks ever recorded. According to the Department of Justice, some of these attacks measured approximately 30 terabits per second (Tbps). Cloudflare specifically attributed a 31.4 Tbps attack that occurred in November 2025 to the Aisuru and Kimwolf botnets; the attack lasted for 35 seconds.
During late 2025, the botnets also executed a series of hyper-volumetric attacks. These attacks averaged 4 Tbps, with volumes of 54 million requests per second (Mrps) and 3 billion packets per second (Bpps).
The botnets varied in their level of activity and scale:
- Aisuru: The most active botnet, issuing more than 200,000 DDoS attack commands. It frequently targeted critical infrastructure in the financial services and telecommunications sectors.
- JackSkid: Generated more than 90,000 attack commands.
- Kimwolf: Issued more than 25,000 attack commands.
- Mossad: Blamed for approximately 1,000 attacks.
Technical Evolution and Propagation
Aisuru first emerged in late 2024 and began launching record-breaking attacks by mid-2025 as it infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, a variant that introduced a novel spreading mechanism. That mechanism allowed the botnet to infect devices located behind a user’s internal network protection.
On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf used to propagate. While this disclosure slowed the spread of Kimwolf, other botnets, including JackSkid, subsequently adopted similar methods to target systems on internal networks.
Financial Impact and Extortion
The operators of these botnets used the infected machines to conduct hundreds of thousands of attacks, often using the threat of disruption to extort organizations. Some victims reported losses and remediation expenses totaling tens of thousands of dollars.

"By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks," said Rebecca Day, Special Agent in Charge of the FBI Anchorage Field Office.
The investigation was led by the DCIS with assistance from the FBI’s field office in Anchorage, Alaska. A broad coalition of private sector firms assisted in the effort, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Suspected Operators
While the Department of Justice noted that law enforcement actions were conducted in Canada and Germany targeting the botnet operators, no official arrests have been announced. However, independent reporting by Brian Krebs in late February 2026 identified a 23-year-old Canadian man, Jacob Butler (also known as Dort), as a core operator of the Kimwolf botnet.
Butler told Krebs that he has not used the Dort persona since 2021 and claimed that an unknown party compromised his old account to impersonate him. According to Krebs, another prime suspect is a 15-year-old residing in Germany.
