DoJ Takes Down Four IoT Botnets Behind the World's Largest DDoS Attacks
The U.S. Department of Justice (DoJ) on March 20, 2026, announced the court-authorized disruption of command-and-control (C2) infrastructure used by four interconnected IoT botnets that together infected more than 3 million devices and powered the largest distributed denial-of-service (DDoS) attacks ever recorded.
The operation — conducted jointly with authorities in Germany and Canada — targeted the botnets AISURU, Kimwolf, JackSkid, and Mossad, seizing internet domains, virtual servers, and other digital infrastructure used to orchestrate attacks against targets worldwide, including the U.S. Department of Defense Information Network (DoDIN).
The Four Botnets
AISURU
AISURU emerged in late 2024 as a rapidly spreading IoT botnet targeting digital video recorders, web cameras, and WiFi routers. By mid-2025 it was launching record-breaking DDoS attacks. Court documents show AISURU issued more than 200,000 DDoS attack commands during its operational lifespan.
In November 2025, an AISURU-linked attack peaked at 31.4 Tbps and 200 million requests per second — a UDP flood that Cloudflare researchers confirmed was nearly six times larger than the biggest attack recorded in all of 2024. The same attack set a new record for network-layer assault scale.
Kimwolf
Kimwolf was seeded from AISURU in October 2025 — effectively an evolution of its predecessor — introducing a novel spreading mechanism that allowed it to infect devices sitting behind NAT and therefore not directly reachable from the internet. This made Kimwolf particularly dangerous: it could reach IoT devices that were assumed to be protected by their position inside a private network.
Kimwolf ultimately grew to ensnare approximately 2 million devices, many recruited through abuse of residential proxy networks. Court documents record more than 25,000 DDoS attack commands attributed to Kimwolf operators.
In late February 2026, journalist Brian Krebs identified a 22-year-old Canadian man as a core Kimwolf operator. A second prime suspect is reportedly a 15-year-old residing in Germany.
JackSkid
JackSkid also targeted devices designed to be shielded from direct internet exposure, complementing Kimwolf's reach into protected network segments. JackSkid issued more than 90,000 DDoS attack commands — the second-highest volume of any botnet in the operation.
Mossad
Mossad averaged over 100,000 daily victims during the first two weeks of March 2026 alone, demonstrating its capacity for rapid, large-scale abuse. The botnet issued more than 1,000 attack commands during the period covered by court documents.
Scale and Impact
| Botnet | Peak Attack Scale | Attack Commands | Key Feature |
|---|---|---|---|
| AISURU | 31.4 Tbps / 200M rps | 200,000+ | Record-breaking UDP floods |
| Kimwolf | Undisclosed | 25,000+ | Novel NAT-traversal spreading |
| JackSkid | Undisclosed | 90,000+ | Targeting shielded devices |
| Mossad | 100,000+ daily victims | 1,000+ | High-volume rapid infection |
Combined, the four botnets compromised more than 3 million internet-connected devices across the globe — primarily IoT hardware in consumer and small-business environments. Cloudflare's threat research unit, Cloudforce One, documented 19 record-setting attacks during 2025, with total network-layer attacks more than tripling year-over-year.
Cybercrime-as-a-Service Model
The infected devices were folded into a DDoS-for-hire ecosystem, where botnet operators rented out attack capacity to paying customers. Both operators and customers used the infrastructure to launch hundreds of thousands of attacks against targets worldwide — in some cases demanding extortion payments from victims to stop ongoing DDoS campaigns.
This model — sometimes called "booter" or "stresser" services — has industrialized DDoS by separating botnet operation from attack execution, allowing individuals with no technical expertise to purchase attacks at scale.
Law Enforcement Operation Details
The DoJ action was enabled by seizure warrants targeting U.S.-registered internet domains and virtual servers linked to the botnet infrastructure. The Defense Criminal Investigative Service (DCIS), part of the DoD Office of Inspector General, also executed warrants targeting infrastructure used in attacks against the DoDIN.
Lumen Black Lotus Labs stated it has null-routed nearly 1,000 C2 servers used by AISURU and Kimwolf as part of the joint takedown effort.
Private-sector organizations assisting in the investigation included:
Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab
Protecting IoT Infrastructure
The scale of this operation underscores the persistent risk posed by insecure IoT devices. Recommendations for organizations and consumers:
- Change default credentials on all IoT devices immediately after deployment
- Apply firmware updates promptly — most botnets exploit known, patchable vulnerabilities
- Segment IoT devices on isolated VLANs, separate from critical business systems
- Monitor for anomalous outbound traffic — infected devices often exhibit unusual DNS queries or high-volume UDP traffic
- Disable remote management interfaces (UPnP, Telnet, default web admin) when not required
- Replace end-of-life devices that no longer receive security patches from manufacturers
- Consider hardware with security-by-default features — boot attestation, signed firmware updates, network isolation
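The monitoring recommendation above is the one most easily turned into a concrete check. The following is an added example for this summary, not code from the original article or from any vendor named in it. It runs over constructed flow records (timestamp, source, destination, protocol, destination port, bytes) and flags IoT hosts that show two of the indicators the list names: high-volume outbound UDP fanning out to many destinations, and DNS queries that bypass the network's sanctioned resolver. The IoT subnet, resolver address, flow format and thresholds are all assumptions chosen for illustration and should be tuned to a real network's baseline.

```python
"""Flag IoT hosts whose outbound flows look like botnet activity.

Added example, not the article's or any vendor's code. The subnet, resolver,
record format and thresholds below are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed IoT VLAN and the only resolver IoT devices are permitted to use.
IOT_VLAN = ip_network("10.20.0.0/24")
SANCTIONED_RESOLVER = ip_address("10.20.0.1")

# Per-window thresholds (one minute of flows); assumed values, tune to baseline.
UDP_BYTES_THRESHOLD = 50_000_000   # 50 MB of outbound UDP from one camera is not normal
UDP_DST_THRESHOLD = 20             # distinct UDP destinations in one window
ROGUE_DNS_THRESHOLD = 5            # DNS queries sent anywhere but the sanctioned resolver


@dataclass
class HostStats:
    udp_bytes: int = 0
    udp_dsts: set = field(default_factory=set)
    rogue_dns: int = 0


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: ts,src,dst,proto,dport,bytes."""
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto.upper(), "dport": int(dport), "bytes": int(nbytes)}


def aggregate(lines) -> dict:
    """Accumulate outbound UDP volume, UDP fan-out and rogue DNS per IoT host."""
    stats = defaultdict(HostStats)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        # Only traffic leaving the IoT VLAN is of interest here.
        if f["src"] not in IOT_VLAN or f["dst"] in IOT_VLAN:
            continue
        h = stats[str(f["src"])]
        if f["proto"] == "UDP" and f["dport"] == 53:
            if f["dst"] != SANCTIONED_RESOLVER:
                h.rogue_dns += 1
        elif f["proto"] == "UDP":
            h.udp_bytes += f["bytes"]
            h.udp_dsts.add(f["dst"])
    return stats


def find_suspects(lines) -> dict:
    """Return {host: [reasons]} for hosts crossing any threshold."""
    findings = {}
    for host, h in aggregate(lines).items():
        reasons = []
        if h.udp_bytes >= UDP_BYTES_THRESHOLD:
            reasons.append("high-volume outbound UDP")
        if len(h.udp_dsts) >= UDP_DST_THRESHOLD:
            reasons.append("UDP fan-out to many destinations")
        if h.rogue_dns >= ROGUE_DNS_THRESHOLD:
            reasons.append("DNS bypassing sanctioned resolver")
        if reasons:
            findings[host] = reasons
    return findings


def sample_flows() -> list:
    """Constructed flow records for one window; not captured traffic."""
    lines = ["# ts,src,dst,proto,dport,bytes"]
    # Healthy thermostat: DNS to the sanctioned resolver, a little NTP, TCP to its cloud.
    lines += ["2026-03-20T10:00:01,10.20.0.52,10.20.0.1,UDP,53,90",
              "2026-03-20T10:00:02,10.20.0.52,192.0.2.10,UDP,123,76",
              "2026-03-20T10:00:03,10.20.0.52,192.0.2.10,TCP,443,12000"]
    # Camera behaving like a flood source: 3 MB of UDP to each of 25 distinct hosts.
    for i in range(25):
        lines.append(f"2026-03-20T10:00:{10 + i:02d},10.20.0.50,203.0.113.{i + 1},UDP,80,3000000")
    # DVR whose DNS has been pointed away from the network's resolver.
    for i in range(8):
        lines.append(f"2026-03-20T10:00:{40 + i:02d},10.20.0.51,198.51.100.53,UDP,53,80")
    return lines


if __name__ == "__main__":
    for host, reasons in find_suspects(sample_flows()).items():
        print(f"{host}: {', '.join(reasons)}")
```

The check deliberately ignores inbound and intra-VLAN traffic, so it only fires on the direction a DDoS participant or a C2 beacon must use. Because the healthy device in the sample still sends DNS and a little UDP, the thresholds, not the mere presence of UDP, decide what is flagged; the same aggregation can be fed from real NetFlow or IPFIX exports once the record parser is adapted.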
Key Takeaways
- 31.4 Tbps is now the confirmed record for the largest DDoS attack ever observed — nearly 6x the 2024 record
- DDoS-as-a-service ecosystems commoditize attacks, enabling unsophisticated actors to launch record-scale disruptions
- NAT-traversal techniques in Kimwolf represent a technical evolution: IoT devices behind firewalls are no longer safe from botnet recruitment
- Public-private coordination was essential — 14+ major technology companies contributed to the investigation
- Operators as young as 15 and 22 ran infrastructure responsible for the world's largest cyberattacks, which highlights how accessible cybercrime-as-a-service tooling has become
- Total DDoS attacks more than doubled in 2025 to 47.1 million — the takedown addresses the supply side but demand for attack services remains high
Sources
- DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks — The Hacker News
- International joint action disrupts world's largest DDoS botnets — BleepingComputer
- Feds Disrupt IoT Botnets Behind Huge DDoS Attacks — Krebs on Security
- Authorities disrupt four IoT botnets behind record DDoS attacks — Help Net Security
- Feds disrupt IoT botnets behind record-breaking DDoS attacks — The Register