DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks
The U.S. Department of Justice announced the disruption of command-and-control infrastructure for four major IoT botnets (AISURU, Kimwolf, JackSkid, and Mossad) that collectively infected over 3 million devices and launched record-breaking DDoS attacks exceeding 31.4 Tbps. The operation involved international law enforcement from Canada and Germany, along with assistance from major tech firms including AWS, Google, Cloudflare, and Akamai. The botnets, primarily composed of compromised Android TVs, routers, and cameras, were used to conduct hundreds of thousands of DDoS attacks and operate as a "cybercrime-as-a-service" platform.
Summary
The U.S. Department of Justice announced the disruption of command-and-control infrastructure for four major IoT botnets (AISURU, Kimwolf, JackSkid, and Mossad) that collectively infected over 3 million devices and launched record-breaking DDoS attacks exceeding 31.4 Tbps. The operation involved international law enforcement from Canada and Germany, along with assistance from major tech firms including AWS, Google, Cloudflare, and Akamai. The botnets, primarily composed of compromised Android TVs, routers, and cameras, were used to conduct hundreds of thousands of DDoS attacks and operate as a "cybercrime-as-a-service" platform.
Full text
DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks Ravie LakshmananMar 20, 2026Botnet / Network Security The U.S. Department of Justice (DoJ) on Thursday announced the disruption of command-and-control (C2) infrastructure used by several Internet of Things (IoT) botnets like AISURU, Kimwolf, JackSkid, and Mossad as part of a court-authorized law enforcement operation. The effort also saw authorities from Canada and Germany targeting the operators behind these botnets, with a number of private sector firms, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab assisting in the investigation efforts. "The four botnets launched distributed denial-of-service (DDoS) attacks targeting victims around the world," the DoJ said. "Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks." In a report last month, Cloudflare attributed AISURU/Kimwolf to a massive 31.4 Tbps DDoS attack that occurred in November 2025 and lasted only 35 seconds. Towards the end of last year, the botnet is also assessed to have engaged in hyper-volumetric DDoS attacks that had an average size of 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps). Independent security journalist Brian Krebs also traced the administrator of Kimwolf to a 23-year-old Jacob Butler (aka Dort) from Ottawa, Canada. Butler told Krebs he has not used the Dort persona since 2021 and claimed someone is impersonating him after compromising his old account. Butler also said, "he mostly stays home and helps his mom around the house because he struggles with autism and social interaction." According to Krebs, the other prime suspect is a 15-year-old residing in Germany. No arrests have been announced. The botnet has conscripted more than 2 million Android devices into its network, most of which are compromised, off-brand Android TVs. In all, the four botnets are estimated to have infected no less than 3 million devices worldwide, such as digital video recorders, web cameras, or Wi-Fi routers, of which hundreds of thousands are located in the U.S. "The Kimwolf and JackSkid botnets are accused of targeting and infecting devices which are traditionally 'firewalled' from the rest of the internet. The infected devices were enslaved by the botnet operators," the DoJ said. "The operators then used a 'cybercrime as a service' model to sell access to the infected devices to other cyber criminals." These infected devices were then used to conduct DDoS attacks against targets of interest across the world. Court documents allege that the four Mirai botnet variants have issued hundreds of thousands of DDoS attack commands - AISURU - >200,000 DDoS attack commands Kimwolf - >25,000 DDoS attack commands JackSkid - >90,000 DDoS attack commands Mossad - >1,000 DDoS attack commands "Kimwolf represented a fundamental shift in how botnets operate and scale. Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited a novel attack vector: residential proxy networks," Tom Scholl, VP/Distinguished Engineer at AWS, said in a post shared on LinkedIn. "By infiltrating home networks through compromised devices—including streaming TV boxes and other IoT devices — the botnet gained access to local networks that are typically protected from external threats by home routers." Akamai said the hyper-volumetric botnets generated attacks exceeding 30 Tbps, 14 billion packets per second, and 300 Mrps, adding that cybercriminals leveraged these botnets to launch hundreds of thousands of attacks and demand extortion payments from victims in some cases. "These attacks can cripple core internet infrastructure, cause significant service degradation for ISPs and their downstream customers, and even overwhelm high-capacity cloud-based mitigation services," the web infrastructure company said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Akamai, botnet, CloudFlare, Cybercrime, cybersecurity, ddos, iot security, law enforcement, Malware, network security Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures
Indicators of Compromise
- malware — AISURU
- malware — Kimwolf
- malware — JackSkid
- malware — Mossad
- mitre_attack — T1190 (Exploit Public-Facing Application)
- mitre_attack — T1561 (Disk Wipe)