DOJ Dismantles Massive IoT Botnet Network Behind Record-Breaki...
U.S. authorities dismantled four IoT botnets (AISURU, Kimwolf, JackSkid, Mossad) responsible for the largest DDoS attacks ever recorded.
Executive Summary
The U.S. Department of Justice dismantled command-and-control infrastructure for four massive IoT botnets: AISURU, Kimwolf, JackSkid, and Mossad. Together they enslaved over 3 million devices and launched record-breaking DDoS attacks including a 31.4 Tbps assault in November 2025. International cooperation with Canada, Germany, and major tech companies made the takedown possible.
Technical Analysis
The combined botnets generated attack traffic exceeding 31.4 terabits per second, 3 billion packets per second, and 54 million requests per second. Cloudflare recorded the 31.4 Tbps attack as the largest DDoS ever observed.
Kimwolf pioneered a novel infection technique by exploiting residential proxy networks. Rather than scanning the open internet, it infiltrated home networks through compromised streaming TV boxes and IoT devices running Android Debug Bridge. JackSkid and Mossad quickly adopted the same approach.
Lumen Black Lotus Labs null-routed nearly 1,000 C2 servers. JackSkid averaged 150,000 daily victims in early March 2026, peaking at 250,000 on March 8th. The botnets operated as cybercrime-as-a-service, with AISURU issuing over 200,000 attack commands, JackSkid over 90,000, and Kimwolf over 25,000.
Security journalist Brian Krebs traced Kimwolf's administrator to a 23-year-old in Ottawa, Canada. German authorities are investigating a 15-year-old suspect. No arrests have been announced yet.
Indicators of Compromise
Organizations should audit their networks for IoT devices with exposed Android Debug Bridge, compromised streaming boxes, or unusual outbound traffic patterns consistent with botnet C2 communication.
Remediation Steps
Audit all IoT devices on your network. Disable Android Debug Bridge where not required. Segment IoT devices onto isolated VLANs. Keep firmware updated. Consider DDoS protection services for critical infrastructure. The techniques are public now and copycat botnets are already emerging.
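The audit described above (exposed Android Debug Bridge and outbound traffic consistent with C2 beaconing) can be partly automated from existing flow records. The script below is an added example written for this page, not code from the DOJ, Lumen or any of the named projects. It assumes a simplified flow export in the form `timestamp src sport dst dport proto conn_state` (loosely modelled on a Zeek conn.log, but a hypothetical layout), an IoT VLAN of 10.20.0.0/24, and the constructed sample lines embedded in it. It flags IoT hosts that completed a TCP/5555 handshake with a non-local peer, and IoT hosts that repeatedly connect to the same external endpoint at near-constant intervals.

```python
"""Audit flow records for exposed ADB and beacon-like IoT traffic (added example).

The flow line layout (ts src sport dst dport proto conn_state) and the IoT VLAN
range are assumptions for this example; the sample lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

ADB_PORT = 5555  # Android Debug Bridge over TCP
IOT_SUBNETS = [ip_network("10.20.0.0/24")]  # assumed isolated IoT VLAN
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]  # anything else is treated as external
COMPLETED_STATES = {"SF", "S1"}  # handshake completed (Zeek-style state codes)

# Constructed sample flows: one streaming box (10.20.0.15) accepted ADB from an
# external address and beacons to 198.51.100.7 every 60 s; 10.20.0.22 is benign;
# 10.20.0.31 only made a rejected internal probe.
SAMPLE_FLOWS = """\
1700000000 203.0.113.9 51000 10.20.0.15 5555 tcp SF
1700000030 10.20.0.15 40001 198.51.100.7 443 tcp SF
1700000090 10.20.0.15 40002 198.51.100.7 443 tcp SF
1700000150 10.20.0.15 40003 198.51.100.7 443 tcp SF
1700000210 10.20.0.15 40004 198.51.100.7 443 tcp SF
1700000270 10.20.0.15 40005 198.51.100.7 443 tcp SF
1700000010 10.20.0.22 40010 198.51.100.50 443 tcp SF
1700000310 10.20.0.22 40011 93.184.216.34 80 tcp SF
1700000900 10.20.0.22 40012 198.51.100.50 443 tcp SF
1700000020 10.20.0.31 51001 10.20.0.15 5555 tcp REJ
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, state = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "state": state})
    return flows


def in_nets(addr, nets):
    """True if addr falls inside any of the given networks."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def exposed_adb(flows):
    """IoT hosts that completed an ADB (TCP/5555) handshake with a non-local peer."""
    hits = set()
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] == ADB_PORT
                and f["state"] in COMPLETED_STATES
                and in_nets(f["dst"], IOT_SUBNETS)
                and not in_nets(f["src"], LOCAL_NETS)):
            hits.add(f["dst"])
    return hits


def beacon_candidates(flows, min_conns=4, max_jitter=0.2):
    """Map (src, dst, dport) -> mean interval for IoT->external flows with regular spacing.

    A group qualifies when it has at least min_conns connections and the
    coefficient of variation of the gaps between them is at most max_jitter.
    """
    groups = defaultdict(list)
    for f in flows:
        if in_nets(f["src"], IOT_SUBNETS) and not in_nets(f["dst"], LOCAL_NETS):
            groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = {}
    for key, stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = avg
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host in sorted(exposed_adb(flows)):
        print(f"ADB exposed to external peer: {host}")
    for (src, dst, dport), interval in beacon_candidates(flows).items():
        print(f"beacon-like: {src} -> {dst}:{dport} every ~{interval:.0f}s")
```

Tune `min_conns` and `max_jitter` to the retention window and sampling rate of your own flow source; the constants above are chosen for the constructed sample, and a hit from either check is a candidate for isolation and firmware review rather than a verdict on its own.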
References
- DOJ Press Release
https://www.justice.gov/opa/pr/justice-department-disrupts-botnet-infrastructure