In a court-authorized operation spanning several countries, law enforcement dismantled part of the control infrastructure behind some of the most powerful networks of compromised devices seen in recent years. US authorities announced that command-and-control (C2) servers linked to Internet of Things (IoT) botnets such as AISURU, Kimwolf, JackSkid and Mossad were targeted in an action carried out with partners in Canada and Germany and numerous private-sector companies. It was a coordinated response intended to cut off the supply that allowed these networks to launch massive attacks; according to the Department of Justice's official statement, the investigation had technical support from Akamai, Amazon Web Services, Cloudflare, Google and Lumen, among others.
The scale of the problem explains the urgency of the operation. These botnets have been responsible for distributed denial-of-service (DDoS) attacks of unprecedented magnitude: some events measured by mitigation providers exceeded 30 terabits per second, and in one specific case Cloudflare attributed to them a peak of 31.4 Tbps in November 2025 that lasted only 35 seconds. These are traffic floods capable of saturating key Internet infrastructure and knocking providers and organizations offline. The Department of Justice's note on the operation is at justice.gov, and Krebs on Security has technical and journalistic coverage of the investigation.

The actors behind these networks relied mainly on everyday devices: Android TV set-top boxes from low-cost Chinese brands, digital video recorders, webcams and home routers. By exploiting vulnerabilities and default credentials, the operators turned millions of devices into "zombies" that executed attack orders. According to the court documents, the Mirai-derived variants issued hundreds of thousands of attack commands over the course of their activity. The result was a global botnet of millions of devices whose capacity was offered as a product for sale on an illicit market.
One development that researchers single out as a driver of the rapid expansion was the adoption of new techniques: Kimwolf in particular exploited what has been described as residential proxy networks, letting attackers pivot from devices inside home networks and bypass the protections that normally shield home environments from mass scanning. In the words of experts involved in the operation, this was a paradigm shift: instead of merely hunting for equipment exposed on the public edge of the Internet, the attackers recruited devices from within local networks themselves, with everything that implies for the resilience and anonymity of the botnet. Akamai's analysis of the technical intervention and its impact is available on its blog: Akamai.
Media investigations have also tried to identify the people behind some of these operations. Press reports have pointed to at least two potential suspects: a 23-year-old in Ottawa who, according to the coverage, claimed to have stopped using an alias linked to the botnet years ago and to have been impersonated, and a minor in Germany. In both cases the authorities had not reported any public arrests when the statements were released, and investigations are ongoing; the follow-up reporting is at Krebs on Security.
Beyond who pressed the buttons, the technical response was forceful: network operators and security companies null-routed hundreds of command servers, deployed filtering and cooperated to track the infrastructure. Lumen Black Lotus Labs, for example, reported efforts to block C2 servers and published operational data on the daily growth in victims of botnets such as JackSkid and Mossad in March 2026, figures that illustrate how quickly these threats can expand. At the same time, multiple providers helped shut down the levers through which these traffic floods were ordered. The Department of Justice's note details part of that collaboration and the actors involved.
This episode holds several clear lessons for device managers and public policy. First, the enormous number of connected devices and the absence of minimum security measures in many cheap models create a breeding ground for botnets. Second, the ability to rent or sell access to these resources to criminal third parties multiplies the potential damage: it is not just one operator attacking, but a market that professionalizes and scales the criminal supply. And third, defense requires coordination among companies, private threat intelligence and law enforcement to neutralize both the technical infrastructure and the economic chain that sustains these activities.

If you have connected devices at home or manage a small network, concrete measures are worth taking: apply firmware updates, change default passwords, disable unnecessary services and, where possible, put IoT devices on a separate subnet so they cannot reach critical resources. It is also advisable to choose manufacturers with a track record of support and to enable automatic update mechanisms. These practices do not guarantee immunity, but they significantly reduce the attack surface.
The recent operation shows that, although massive botnets can become a global threat, international and public-private collaboration can strike effectively at their infrastructure. However, as long as insecure devices, and business models that prioritize them, continue to exist, we will keep seeing exploitation attempts and outbreaks of new botnet families. Keeping cybersecurity a priority in everyday manufacturing, regulation and use is the only way to lower the temperature of this problem.
Further reading: the Department of Justice's statement on the intervention (justice.gov), journalistic and technical investigation at Krebs on Security, and corporate research reports such as Akamai's and Foresiet's report on JackSkid.
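As an added illustration of the segmentation advice above (an example written for this page, not taken from the article or from any of the vendors named in it), the following nftables ruleset for a small Linux-based router puts IoT devices on their own VLAN and isolates them from the trusted LAN. The interface names (br-lan, br-iot, wan0) and address ranges are hypothetical and must be adapted to the actual router.

```nft
#!/usr/sbin/nft -f
# Illustrative nftables ruleset (added example, not from the article).
# Assumptions (hypothetical): the trusted LAN is 192.168.1.0/24 on br-lan,
# IoT devices sit on a separate VLAN 192.168.20.0/24 on br-iot, the uplink
# is wan0, and the router itself serves DNS, DHCP and NTP to both segments.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # The router's own admin interface is reachable only from the trusted LAN.
        iif "br-lan" accept
        # IoT devices may reach the router only for the services it provides them.
        iif "br-iot" udp dport { 53, 67, 123 } accept
        iif "br-iot" tcp dport 53 accept
        iif "br-iot" drop
        # Nothing on the WAN side can reach the router (no exposed admin services).
        iif "wan0" drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # The trusted LAN may open connections to IoT devices (a phone app talking
        # to a camera, for instance) and to the Internet.
        iif "br-lan" oif "br-iot" accept
        iif "br-lan" oif "wan0" accept
        # IoT devices keep outbound Internet access for firmware updates and
        # cloud services, but can never initiate traffic toward the trusted LAN.
        iif "br-iot" oif "wan0" accept
        iif "br-iot" oif "br-lan" drop
        # Unsolicited inbound connections from the WAN fall to the drop policy,
        # so a device's web or Telnet admin port is never exposed to scanners.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "wan0" masquerade
    }
}
```

Both filter chains use a drop policy, so anything not explicitly listed is blocked. The two properties that matter for the threat described in this article are that no device's management port is reachable from the public Internet, which removes the exposed-edge target that Mirai-style scanners look for, and that an IoT device which does get compromised (through a vendor cloud account, a malicious app or a bad update) cannot scan or pivot into the trusted LAN, which limits the inside-the-home recruiting attributed to Kimwolf. The LAN can still reach the IoT devices and the IoT devices still reach the Internet, so the setup stays usable for ordinary households.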