Authorities Disrupt Four IoT Botnets Behind 30 Tbps DDoS Attacks
U.S., Canadian, and German authorities disrupted the command-and-control infrastructure of four major IoT botnets — Aisuru, KimWolf, JackSkid, and Mossad — that collectively compromised more than three million internet-connected devices worldwide. Investigators said the botnets, built largely from vulnerable DVRs, IP cameras, web cameras, and enterprise Wi‑Fi routers, were used in hundreds of thousands of distributed denial-of-service attacks, including operations targeting U.S. Department of Defense systems, other high-value networks, and critical infrastructure. Officials said the malware networks were capable of generating traffic above 30 Tbps, with one attack reaching roughly 31.4 Tbps, placing them among the largest DDoS threats recorded.
The operators allegedly ran the infrastructure as a DDoS-for-hire service and also used it for extortion, threatening victims with sustained attacks unless they paid. The U.S. action, led by the Defense Criminal Investigative Service with support from the FBI Anchorage Field Office, included seizure warrants for domains and virtual servers, while Germany’s BKA and Canada’s RCMP carried out parallel enforcement steps. Private-sector partners including Akamai, AWS, Cloudflare, Team Cymru, and The Shadowserver Foundation supported the disruption. Authorities said the takedown degraded the botnets’ ability to operate, but warned that the underlying risk remains because millions of infected or insecure devices are still online with weak credentials or outdated firmware.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
KimWolf operators shift infrastructure to I2P after disruption
After disruption of the IPIDEA residential proxy network and broader law-enforcement action against the botnets, operators moved parts of KimWolf's infrastructure to the I2P anonymity network. The change showed the botnet actors adapting their command-and-control and proxy-abuse operations to evade takedown efforts.
German police identify suspects and search homes in botnet probe
German police identified two suspected administrators of the Aisuru, KimWolf, JackSkid, and Mossad botnets and conducted searches at residences in Germany and Canada. Authorities seized extensive evidence, including data storage devices and cryptocurrencies, as part of the multinational investigation.
US, German, and Canadian authorities disrupt four botnets
US authorities, working with counterparts in Germany and Canada, disrupted the command-and-control infrastructure of the Aisuru, KimWolf, JackSkid, and Mossad botnets. The operation included seizure warrants for domains and virtual servers, with support from private-sector partners such as Akamai, AWS, Cloudflare, Shadowserver, and Team Cymru.
One botnet attack reaches roughly 31.4 Tbps
Officials said at least one attack generated about 31.4 Tbps of traffic, placing it among the largest DDoS attacks ever recorded. The four botnets were assessed as capable of producing traffic volumes above 30 Tbps.
Botnet operators launch massive DDoS attacks and extortion campaigns
Using the infected devices, the operators carried out hundreds of thousands of DDoS attacks against global targets, including critical infrastructure and US Department of Defense systems. The botnets were also monetized through DDoS-for-hire services and extortion demands to stop attacks.
IoT botnets infect more than 3 million devices worldwide
The Aisuru, KimWolf, JackSkid, and Mossad botnets compromised over three million internet-connected devices, primarily vulnerable DVRs, IP cameras, web cameras, and enterprise Wi‑Fi routers. The infections created a large pool of systems that could be remotely controlled for DDoS activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
18 references tracked. Mallory keeps watching after this page renders.
Mirai Malware Evolves into Hundreds of Variants Driving Botnet Growth
hackread.com
Open sourceMirai-Based Botnets Evolve Into Massive DDoS and Proxy Abuse Threat
cybersecuritynews.com
Open sourceThe Operations of the Swarm: Inside the Complex World of Mirai-Based Botnets
blog.pulsedive.com
Open sourceGlobal Crackdown Dismantles 4 Botnets Behind Major DDoS Attacks
hackread.com
Open sourceDistrict of Alaska | Authorities disrupt world’s largest IoT DDoS botnets responsible for record breaking attacks targeting victims worldwide | United States Department of Justice
share.google
Open sourceDistrict of Alaska | Authorities disrupt world’s largest IoT DDoS botnets responsible for record breaking attacks targeting victims worldwide | United States Department of Justice
justice.gov
Open sourceAkamai Helps Authorities Disrupt the World’s Largest IoT Botnets
akamai.com
Open sourceUnclassified
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Authorities Seize DDoS-for-Hire Domains in Operation PowerOFF Crackdown
U.S. and international law enforcement agencies expanded **Operation PowerOFF** by seizing additional domains tied to DDoS-for-hire, or **booter/stressor**, services used to launch distributed denial-of-service attacks on demand. The U.S. Department of Justice said the FBI took control of 13 more domains linked to prolific platforms, including services that had resurfaced after an earlier disruption of 48 booter sites. Investigators found the platforms had amassed **hundreds of thousands of registered users** and had been used against school districts, government websites, businesses, and other targets; FBI testing on government-controlled systems showed some attacks were strong enough to completely cut off internet connectivity. The takedowns build on years of coordinated enforcement that has included the seizure of 15 booter websites, action against users of major DDoS-for-hire platforms, and prosecutions of operators tied to services such as **RoyalStresser.com**, **SecurityTeam.io**, **Astrostress.com**, and **Booter.sx**. Europol says the long-running campaign targets services that sell attacks for as little as **EUR 10**, lowering the barrier for low-skilled offenders and sometimes supporting broader criminal activity, including ransomware operations. The effort has involved the FBI, Europol, the U.K. National Crime Agency, Dutch police, and other global partners, alongside prevention campaigns aimed at deterring would-be users.
Jun 21, 2026
Aisuru Botnet Launches Record-Breaking DDoS Attacks Against US ISPs and Enterprises
The Aisuru botnet, now recognized as the world’s largest and most disruptive DDoS botnet, has escalated its operations by leveraging a vast network of compromised Internet-of-Things (IoT) devices, particularly those hosted on major US Internet providers such as AT&T, Comcast, and Verizon. Security experts have observed that the concentration of infected devices within these US-based ISPs is complicating mitigation efforts and increasing the risk of collateral damage during attacks. In recent months, Aisuru has demonstrated its dominance over other IoT-based botnets, with its arsenal estimated at 300,000 compromised hosts globally, including consumer-grade routers, security cameras, and digital video recorders running outdated firmware or default settings. The botnet’s operators continuously scan for vulnerable devices, conscripting them into their network to launch distributed denial-of-service (DDoS) attacks of unprecedented scale. Aisuru’s attack capabilities have grown rapidly, with a notable incident in May 2025 where KrebsOnSecurity was targeted with a 6.35 Tbps DDoS attack, then the largest ever mitigated by Google’s Project Shield. This record was quickly surpassed days later when Aisuru unleashed an 11 Tbps assault. By late September, the botnet was observed flexing its power with attacks exceeding 22 Tbps, culminating in a staggering 29.6 Tbps traffic flood on October 6, 2025. This latest demonstration, though brief and directed at a server designed to measure such events, shattered previous DDoS records and highlighted the botnet’s potential for catastrophic disruption. The technical sophistication of these attacks is not limited to sheer bandwidth. Recent case studies reveal that Aisuru and similar botnets are employing complex, multi-vector strategies. For example, a major US technology company was recently hit by two massive network-layer DDoS attacks in a single day, with the first peaking at 1.2 Tbps and 563 million packets per second (PPS), and the second reaching nearly 1.5 Tbps and sustaining over 1 billion PPS for 20 minutes. These attacks targeted Layers 3 and 4 of the OSI model, using high PPS rates to overwhelm not just bandwidth but also the routing and switching infrastructure of the victim. The attackers utilized UDP-driven floods and, in subsequent waves, introduced TCP components to increase complexity and resource exhaustion. Amplification techniques, exploiting misconfigured services, were also employed to magnify the impact. The globally distributed nature of the botnet, with compromised devices spanning multiple regions, has made it difficult for defenders to block malicious traffic without affecting legitimate users. The attacks have underscored the limitations of relying solely on raw network capacity for DDoS defense. Instead, effective mitigation now requires distributed defense architectures, rapid time-to-mitigation, high-quality traffic scrubbing, and resilience against both volumetric and packet-intensive floods. The evolving tactics of the Aisuru botnet demonstrate a deliberate escalation in both scale and sophistication, posing a significant threat to ISPs, enterprises, and the broader Internet infrastructure. Security teams are urged to reassess their DDoS defense strategies in light of these developments, as traditional approaches may no longer suffice against the scale and complexity of modern botnet-driven attacks.
Mar 21, 2026
Dutch Police Takedown Hits 17 Million-Device Botnet Linked to Proxy Abuse
Dutch police and the Netherlands’ National Cyber Security Center disrupted a botnet spanning roughly **17 million infected devices** by taking offline about **200 servers** hosted in the Netherlands. Authorities said the network included compromised computers, mobile phones, IoT devices, and routers, and that the investigation began after a security researcher alerted NCSC-NL. While officials did not publicly name the botnet, reporting tied the infrastructure to **Asocks**, a commercial residential and mobile proxy service, and to prior research on covert proxy enrollment through the **PROXYLIB** library and **LumiApps SDK** ecosystem. The takedown highlights growing abuse of **residential proxy networks**, which can mask malicious traffic behind trusted consumer IP addresses and support operations including **DDoS attacks, spam, credential stuffing, brute-force attacks, click fraud, SMS pumping, phishing, online fraud, and malware delivery**. The action follows broader Dutch enforcement against malicious infrastructure, including the seizure of more than **800 servers** tied to **THE.Hosting**, a Russian-linked bulletproof hosting network associated with scanning, botnet recruitment, cryptomining, credential theft, and exploitation of exposed services; researchers said that operation had limited effect because much of the network’s routed infrastructure remained active across multiple countries.
Jun 1, 2026