DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps DDoS Attacks
In a significant law enforcement operation, the U.S. Department of Justice (DoJ) has successfully dismantled the command-and-control (C2) infrastructure of several Internet of Things (IoT) botnets, including AISURU, Kimwolf, JackSkid, and Mossad. This operation, which involved collaboration with authorities from Canada and Germany, has disrupted the activities of botnets responsible for launching record-breaking distributed denial-of-service (DDoS) attacks.
A Coordinated International Effort
The operation saw the involvement of numerous private sector firms, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. These organizations played a crucial role in the investigation and disruption of the botnets.
According to the DoJ, the four botnets targeted victims globally, executing DDoS attacks that reached unprecedented levels. Some of these attacks measured approximately 30 Terabits per second, marking them as record-breaking incidents in the realm of cyber threats.
The Scale of the Threat
Cloudflare reported that the AISURU/Kimwolf botnet was linked to a massive 31.4 Tbps DDoS attack in November 2025, which lasted only 35 seconds. Towards the end of the previous year, this botnet was also responsible for a series of hyper-volumetric DDoS attacks, averaging 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps).
The scale of these attacks is staggering. The combined attack traffic from AISURU and Kimwolf was described as equivalent to the combined populations of the U.K., Germany, and Spain all simultaneously attempting to access a website.
Identifying the Operators
Independent security journalist Brian Krebs traced the administration of the Kimwolf botnet to Jacob Butler, a 23-year-old from Ottawa, Canada. Butler claimed he has not used the Dort persona since 2021 and alleged that someone is impersonating him after compromising his old account. Krebs also reported that another prime suspect is a 15-year-old residing in Germany. As of now, no arrests have been made.
First documented by XLab in December 2025, Kimwolf has conscripted over 2 million Android devices, primarily off-brand smart TVs and set-top boxes, into its network. This botnet operates as an Android-focused variant of AISURU, which has been active since at least August 2024.
The Impact of Botnets
The four botnets are estimated to have infected no fewer than 3 million devices worldwide, including digital video recorders, web cameras, and Wi-Fi routers. Hundreds of thousands of these compromised devices are located in the United States.
The DoJ highlighted that the Kimwolf and JackSkid botnets targeted devices traditionally protected by firewalls. The infected devices were exploited by the botnet operators, who utilized a “cybercrime as a service” model to sell access to these devices to other cybercriminals.
Court documents allege that the four Mirai botnet variants have issued hundreds of thousands of DDoS attack commands:
- AISURU: Over 200,000 commands
- Kimwolf: Over 25,000 commands
- JackSkid: Over 90,000 commands
- Mossad: Over 1,000 commands
Evolving Tactics in Cybercrime
Tom Scholl, VP/Distinguished Engineer at AWS, noted that Kimwolf represents a fundamental shift in how botnets operate and scale. Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited residential proxy networks to infiltrate home networks through compromised devices, including streaming TV boxes and other IoT devices.
This tactic allowed the botnet to access local networks typically shielded from external threats by home routers. Lumen Black Lotus Labs reported that it has null-routed nearly 1,000 of the C2 servers used by AISURU and Kimwolf.
Data from Lumen indicated that JackSkid averaged over 150,000 daily victims in early March 2026, peaking at 250,000 on March 8. Mossad also averaged over 100,000 daily victims during this timeframe.
The Broader Implications
The vulnerabilities exploited by these botnets have led to a surge in similar cybercriminal activities. Black Lotus Labs confirmed that the same vulnerabilities affecting proxy providers like IPIDEA have been exploited by JackSkid and Mossad, allowing them to leverage residential proxy networks for their own purposes.
Akamai reported that these hyper-volumetric botnets generated attacks exceeding 30 Tbps, 14 billion packets per second, and 300 million requests per second. Such attacks can severely disrupt core internet infrastructure, degrade services for Internet Service Providers (ISPs) and their customers, and overwhelm high-capacity cloud-based mitigation services.
The DoJ’s operation underscores the ongoing battle against cybercrime, particularly as IoT devices continue to proliferate and become increasingly vulnerable to exploitation. The collaboration between law enforcement and private sector firms is crucial in addressing these threats and safeguarding digital infrastructure.
For further details, refer to publicly available reporting from thehackernews.com.


