The U.S. Department of Justice, working alongside law enforcement agencies in Canada and Germany, has dismantled the online infrastructure behind four highly disruptive botnets that collectively compromised more than three million hacked Internet of Things (IoT) devices — including consumer routers, IP cameras, and network-attached storage devices.
The coordinated international takedown targeted botnet infrastructure that had been used to conduct some of the largest distributed denial-of-service (DDoS) attacks ever recorded, threatening internet services and critical infrastructure worldwide.
The Four Botnets
The operation targeted four distinct botnet platforms, each operating with its own command-and-control infrastructure but all relying on the same fundamental attack surface: unpatched or default-credential IoT devices exposed to the internet.
The compromised devices were weaponized to form powerful DDoS-for-hire platforms, enabling criminal customers to direct overwhelming volumes of traffic at targets on demand. The scale of the combined infrastructure represented a significant capability to disrupt internet services at a global level.
How They Operated
The botnets followed a well-established infection model:
- Initial compromise — Automated scanning tools probe the internet for IoT devices running known vulnerable firmware or using default manufacturer credentials
- Malware installation — Upon gaining access (typically via Telnet, SSH, or HTTP admin panels), lightweight botnet malware is installed that persists across reboots
- C2 registration — Infected devices "phone home" to command-and-control servers, joining the botnet pool
- DDoS-as-a-service — Criminal customers pay to direct the aggregated bandwidth of tens or hundreds of thousands of bots at target IP addresses, overwhelming defenses
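As an added example, not code from the article or from KrebsOnSecurity, the following Python detector runs over constructed syslog-style login events collected from several IoT devices and flags the first stage of the model above: one external source trying factory-default account names across many devices (a credential sweep), and the devices on which such a login succeeded. The log format, field names and default-account list are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample (not real telemetry): login events forwarded from several
# IoT devices to a central syslog collector. The field layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01 cam-01 telnetd: login user=admin from=198.51.100.7 result=FAIL
2024-05-01T10:00:02 cam-01 telnetd: login user=root from=198.51.100.7 result=FAIL
2024-05-01T10:00:03 router-01 telnetd: login user=admin from=198.51.100.7 result=OK
2024-05-01T10:00:04 nas-01 sshd: login user=admin from=198.51.100.7 result=FAIL
2024-05-01T10:00:05 dvr-01 telnetd: login user=root from=198.51.100.7 result=OK
2024-05-01T10:05:00 cam-02 sshd: login user=alice from=192.0.2.10 result=OK
2024-05-01T10:06:00 cam-02 sshd: login user=alice from=192.0.2.10 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<svc>telnetd|sshd|httpd): login "
    r"user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Factory-default account names (assumed list) that should never be used
# for logins arriving from outside the local network.
DEFAULT_USERS = {"admin", "root", "user", "guest", "support"}

def parse(log_text):
    """Parse the log into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_credential_sweeps(events, min_devices=3):
    """Return sources that tried default account names on >= min_devices
    distinct devices. One source touching many devices with factory usernames
    is the scanning signature of the initial-compromise stage, success or not."""
    touched = defaultdict(set)
    for e in events:
        if e["user"] in DEFAULT_USERS:
            touched[e["src"]].add(e["device"])
    return {src: sorted(devs) for src, devs in touched.items() if len(devs) >= min_devices}

def find_likely_compromises(events):
    """Return (device, source, user) for devices where a sweeping source actually
    logged in with a default account: the hosts to isolate and re-credential first."""
    sweeps = find_credential_sweeps(events)
    return sorted(
        (e["device"], e["src"], e["user"])
        for e in events
        if e["result"] == "OK" and e["src"] in sweeps and e["user"] in DEFAULT_USERS
    )
```

The successful login from 192.0.2.10 is not flagged because a named, non-default account on a single device does not match the sweep pattern.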
Scale of the Operation
The combined botnets represented an extraordinary concentration of DDoS capability:
- 3+ million compromised devices across multiple countries
- Device types included home routers, IP cameras, DVRs, and NAS devices
- The infrastructure had been linked to record-scale DDoS attack volumes
- Victims included internet infrastructure providers, gaming platforms, and financial services
The takedown involved sinkholing — redirecting botnet traffic to law-enforcement-controlled servers to neutralize attack capability without destroying evidence — as well as domain seizures and infrastructure disruption across multiple jurisdictions.
International Cooperation
The operation highlights the increasingly critical role of multinational law enforcement coordination in tackling botnet infrastructure. The U.S., Canada, and Germany each contributed:
- Legal authority to seize domains and infrastructure within their respective jurisdictions
- Threat intelligence to identify C2 nodes and map botnet infrastructure globally
- Notification pipelines to alert affected ISPs and device owners where possible
Why IoT Botnets Are So Persistent
Despite repeated takedowns, IoT botnets remain a persistent and growing threat due to structural weaknesses in the device ecosystem:
Device Lifetime vs. Support Lifetime
Consumer IoT devices are often used for 5–10+ years, while manufacturers typically provide security updates for only 2–3 years after launch. Millions of devices continue operating on firmware that will never receive patches for known vulnerabilities.
Default Credential Problem
Despite industry pressure, a substantial portion of IoT devices ship with default or hardcoded credentials that many users never change. Botnets like Mirai demonstrated in 2016 that even simple automated login attempts using lists of default passwords could compromise hundreds of thousands of devices in hours — and the problem has not been fully resolved.
No Automatic Updates
Unlike desktop operating systems, most consumer routers and cameras do not automatically download and install security updates. Even when patches are available, deployment rates in the field remain extremely low.
What Device Owners Should Do
If you own consumer network equipment — routers, IP cameras, NAS devices, or smart home hubs — take these immediate steps:
- Change default passwords — Replace any factory-default admin credentials with strong, unique passwords
- Update firmware — Check the manufacturer's website for the latest firmware and apply all available security updates
- Disable remote management — Turn off remote administration (Telnet, SSH, web admin) if you don't actively use it
- Check for EOL devices — If your device is past its end-of-support date and no firmware updates are available, consider replacing it
- Segment IoT devices — Use a separate VLAN or guest network to isolate IoT devices from computers and sensitive systems
Implications for the Threat Landscape
While this takedown removes significant DDoS capacity from criminal hands, the operators behind these botnets are unlikely to be deterred permanently. The low cost of compromising new IoT devices — combined with the vast attack surface of billions of unpatched devices globally — means new botnet infrastructure can be rebuilt relatively quickly.
Law enforcement agencies have emphasized that the ultimate solution requires manufacturer accountability: mandatory security update requirements, automatic updates, and elimination of default credentials — goals that legislative efforts such as the EU Cyber Resilience Act and the UK's Product Security and Telecommunications Infrastructure Act are designed to address.
Source: KrebsOnSecurity