Authorities disrupt world’s largest IoT DDoS botnets responsible for record breaking attacks targeting victims worldwide

ANCHORAGE, Alaska - The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets.

The operation was conducted simultaneously to law enforcement actions conducted in Canada and Germany, which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.

During the operation, the Department of Defense Office of Inspector General's (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants which targeted multiple U.S.-registered internet domains, virtual servers, and other infrastructure allegedly engaged in cyber-enabled criminal activity, including DDoS attacks against IP's owned by the Department of Defense Information Network (DoDIN).

According to court documents, the four botnets targeted in the operation together infected millions of devices worldwide. The majority of these devices were IoT devices, such as digital video recorders, web cameras, or WiFi routers. The KimWolf and JackSkid botnets are accused of targeting and infecting devices which are traditionally "firewalled" from the rest of the internet. The infected devices were enslaved by the botnet operators. The operators then used a "cybercrime as a service" model to sell access to the infected devices to other cyber criminals. The operators and their customers forced the victim devices to participate in hundreds of thousands of DDoS attacks, targeting computers and servers located throughout the world. As of March 2026, the number of infected devices hijacked worldwide by the botnet administrators exceeded three million, with hundreds of thousands of infected devices located in the United States.

Some victims reported the DDoS attacks resulted in tens of thousands of dollars in losses and remediation expenses. Cybercriminals used these botnets to launch hundreds of thousands of attacks, in some cases demanding extortion payments from victims. Court documents allege that the Aisuru botnet issued more than 200,000 DDoS attack commands, the KimWolf botnet issued more than 25,000 DDoS attack commands, the JackSkid botnet launched more than 90,000 DDoS attack commands and the Mossad botnet launched more than 1,000 DDoS attack commands.

This operation, in coordination with other international law enforcement actions, is intended to disrupt communications associated with the Aisuru, KimWolf, JackSkid, and Mossad botnets, preventing further infection to victim devices and limiting or eliminating the ability of the botnets to launch future attacks.

"Today, the United States joined international law enforcement partners in coordinated enforcement actions to disrupt DDoS threats impacting Alaskans and victims around the world," said U.S. Attorney Michael J. Heyman for the District of Alaska. "Effective collaboration bolsters our collective ability to combat emerging threats. The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live."

"Today's disruption of four powerful botnets highlights our commitment to eliminate emerging cyber threats to the Department of Defense and its warfighters," said Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Cyber Field Office. "Cybercriminals infiltrate infrastructure beyond physical borders and DCIS participates in international operations to help safeguard the Department's global footprint. Collaboration among law enforcement and industry partners has proven vital to this success."

"By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks," said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. "This operation reflects the strength of that collaboration and our shared commitment to combatting cybercrime and protecting victims worldwide."

DoDIG DCIS is investigating the case, with assistance from the FBI Anchorage Field Office.

Law enforcement agencies from Canada and Germany conducted their own operations targeting botnet administrators and botnet infrastructure. International partners include:

• Germany: Bundeskriminalamt (BKA) Cyber and Public Prosecutor's Office in Cologne (ZAC NRW)
• Canada: Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP) and Sûreté du Québec (SQ)

Additionally, the U.S. Justice Department thanks Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Epieos, Google, Hydrolix, Lumen, Nokia, Okta, Oracle, PayPal, Registrar of Last Resort, The Shadowserver Foundation, Sony Interactive Entertainment, SpyCloud, Synthient, Team Cymru, Unit 221B, XLAB and Netherlands Politie and EUROPOL's PowerOFF team for their assistance provided during this investigation and operation.

Assistant U.S. Attorney for the District of Alaska Adam Alexander is prosecuting this matter.

If anyone has information on the alleged threats or other DDoS threats, please contact U.S. authorities at [email protected].

###