International Law Enforcement Dismantles Massive IoT Botnets Behind Record DDoS Attacks
In a coordinated international operation, the U.S. Justice Department, along with authorities in Canada and Germany, has dismantled the online infrastructure of four highly disruptive botnets that compromised over three million Internet of Things (IoT) devices, including routers and web cameras. The botnets—named Aisuru, Kimwolf, JackSkid, and Mossad—are believed to be responsible for a series of record-breaking distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.
The Four Malicious Networks
The four botnets differed in scale and sophistication. According to the Justice Department, the unnamed individuals controlling these networks used compromised devices to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.

Aisuru
The oldest of the botnets, Aisuru, emerged in late 2024 and quickly escalated its activity. By mid-2025, it was launching record-breaking DDoS attacks while rapidly infecting new IoT devices. The government documented that Aisuru issued more than 200,000 attack commands, making it the most prolific of the four networks.
Kimwolf
In October 2025, Aisuru was used to seed Kimwolf, an advanced variant that introduced a novel spreading mechanism. This technique allowed Kimwolf to infect devices hidden behind the protection of a user's internal network, bypassing standard firewall defenses. Kimwolf issued more than 25,000 attack commands before its growth was curtailed by a public vulnerability disclosure.
JackSkid
Operating similarly to Kimwolf, JackSkid also sought out systems on internal networks, targeting devices otherwise thought safe. The botnet hurled at least 90,000 attacks, causing widespread disruption and financial damage to victims.
Mossad
The smallest of the four, Mossad, was responsible for approximately 1,000 digital sieges. While less active than its counterparts, it still contributed to the overall threat landscape.
Law Enforcement Action
The Justice Department announced that the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure used in DDoS attacks against Internet addresses owned by the Department of Defense. The operation was designed to prevent further infection of victim devices and to limit or eliminate the ability of the botnets to launch future attacks.
The case is being investigated by the DCIS with help from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement credits nearly two dozen technology companies with assisting in the operation. “By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

Attack Scale and Impact
The botnets were responsible for some of the most powerful DDoS attacks ever recorded. Their ability to harness millions of compromised IoT devices gave them enormous bandwidth to overwhelm targets. Many victims faced extortion demands, with some reporting losses and remediation costs in the tens of thousands of dollars. Collectively, the four networks issued more than 300,000 attack commands, highlighting the scale of the threat.
Technical Evolution of the Botnets
The botnets demonstrated increasing sophistication over time. Aisuru, with its rapid infection rate, set the stage for Kimwolf's novel spreading mechanism that exploited vulnerabilities in local network configurations. On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices.
This cat-and-mouse dynamic means that while the takedown of these four botnets is a significant victory, the underlying vulnerabilities remain. Law enforcement and security experts continue to monitor for new variants that might adopt similar techniques.
International and Private Sector Collaboration
The disruption effort was a multinational endeavor. In addition to U.S. agencies, Canadian and German authorities executed their own law enforcement actions simultaneously, targeting infrastructure within their jurisdictions. Nearly two dozen private-sector technology companies provided critical support, from threat intelligence to infrastructure takedowns. This public-private partnership was essential to identifying and dismantling the botnets’ command-and-control servers and domains.
The operation reflects a growing recognition that combating IoT-based cybercrime requires global cooperation. As more devices connect to the internet, the potential for massive botnets like Aisuru, Kimwolf, JackSkid, and Mossad will persist unless both technical defenses and law enforcement capacities evolve.