In a joint operation between authorities in the United States, Germany and Canada, much of the infrastructure controlling several of the most harmful botnets aimed at connected devices was taken down: Aisuru, KimWolf, JackSkid and Mossad. Investigators seized virtual servers, domains and other control points that these networks used to command millions of home and business devices, which had allowed them to launch massive waves of distributed denial-of-service (DDoS) attacks worldwide.
The action matters because it targeted the technical backbone that turns everyday devices into digital weapons: the command-and-control (C2) servers. According to the U.S. Department of Justice statement, the orders issued from these botnets add up to hundreds of thousands of attack commands, and together the groups compromised more than three million devices such as IP cameras, video recorders and Wi-Fi routers, many of them located in the United States. The official note can be read here: Department of Justice (USA).

The firepower of these networks is not theoretical: in December the Aisuru botnet set a record with an attack that peaked at 31.4 Tbps and 200 million requests per second, figures that show the scale the largest malicious actors can reach when they harness millions of poorly protected devices. Press and technical reports that followed the investigation also show that these botnets were run as a service: their operators sold access to third parties so that other criminals could orchestrate campaigns, frequently to extort a ransom from the victims.
Coordination between public agencies and private companies was key to the operation. Cybersecurity firms and cloud service providers usually take part in this kind of response because large-scale attacks can saturate critical infrastructure, degrade internet service providers and even test the mitigation capacity of the largest platforms. The press reports that covered the action offer context and reactions from the sector, for example in articles such as BleepingComputer.
However, taking down the control servers is not the same as eliminating the root problem. Compromised devices remain on their owners' networks until they are disinfected or replaced, and botnet operators can stand up alternative infrastructure if they retain access to enough vulnerable equipment. A reboot alone is not a cure: Mirai-style malware runs from memory and is gone after a restart, but a device that still exposes a telnet service with factory credentials is typically reinfected within minutes. The authorities therefore insist that these actions must be complemented by cyberhygiene measures, manufacturer responsibility and good practices by operators and end users.

If you have connected devices at home or in the office, there are concrete and simple steps that significantly reduce the risk of being recruited into a botnet: change default passwords, keep firmware up to date, put IoT devices on a separate network from the one used by computers and phones, disable unnecessary functions such as UPnP when possible, and make sure management services (telnet, SSH, the web admin panel) are not reachable from the internet. For those who want to go deeper into practical measures and how these attacks work, there are resources that explain it accessibly, for example Cloudflare's basic guide to DDoS attacks and historical documentation on IoT botnets such as the US-CERT alert on Mirai, available on the CERT site: US-CERT: Mirai.
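A check worth running alongside the steps above is to look at what the devices are actually doing on the network. The following is an added example, not code from the article or from the Department of Justice, Cloudflare or US-CERT material it cites: a short Python triage over a router connection log that flags the two behaviours of a recruited device, telnet scanning of strangers (how Mirai-style malware spreads) and a burst of connections to a single host (DDoS participation). The log format, the addresses and the sample traffic are constructed for the example, and the thresholds are assumptions to tune per network.

```python
"""Triage a home/small-office connection log for signs that a device has been
recruited into an IoT botnet. Added example; log format and traffic below are
constructed, not taken from any real device or vendor."""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}   # ports Mirai-style scanners brute-force


def build_sample_log():
    """Constructed sample: one line per new outbound connection seen at the
    router, as "time src dst dport proto". 192.168.50.23 plays an infected IP
    camera: it probes 40 hosts on telnet, then floods one target with 600
    connections in 30 s. 192.168.50.40 is a well-behaved device doing NTP
    and a cloud API call once a minute."""
    t0 = datetime(2026, 2, 4, 10, 0, 0)
    lines = []
    for i in range(40):
        t = t0 + timedelta(seconds=i)
        port = 23 if i % 3 else 2323
        lines.append(f"{t.isoformat()} 192.168.50.23 203.0.113.{i + 1} {port} tcp")
    for i in range(600):
        t = t0 + timedelta(seconds=60, milliseconds=i * 50)
        lines.append(f"{t.isoformat()} 192.168.50.23 198.51.100.9 443 tcp")
    for i in range(5):
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 192.168.50.40 192.0.2.10 123 udp")
        lines.append(f"{t.isoformat()} 192.168.50.40 198.51.100.20 443 tcp")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, dport, proto)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def find_telnet_scanners(records, min_targets=10):
    """Return {src: distinct_targets} for sources that contacted at least
    min_targets different hosts on TCP 23/2323. A camera or thermostat
    talking telnet to dozens of unrelated hosts is a strong infection sign."""
    targets = defaultdict(set)
    for _, src, dst, dport, proto in records:
        if proto == "tcp" and dport in TELNET_PORTS:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


def find_flood_sources(records, window_s=60, min_conns=500):
    """Return {(src, dst): peak} for pairs that opened at least min_conns
    connections inside any window_s-second sliding window. One IoT device has
    no legitimate reason to open hundreds of connections a minute to a host."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_conns:
            flagged[pair] = peak
    return flagged


def triage(text):
    """Run both detectors over a log and return their findings."""
    records = parse_log(text)
    return {
        "telnet_scanners": find_telnet_scanners(records),
        "flood_sources": find_flood_sources(records),
    }


if __name__ == "__main__":
    for kind, hits in triage(build_sample_log()).items():
        for key, n in hits.items():
            print(f"{kind}: {key} ({n})")
```

To use it on a real network, export your router's connection tracking or NetFlow records into the same five-field shape; the thresholds (10 telnet targets, 500 connections per minute to one host) are deliberately conservative so that a legitimate device polling a cloud API does not trip them.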
The episode leaves two clear lessons: on the one hand, international and public-private cooperation can disable significant offensive capacity; on the other, prevention at the device and design level remains the most effective barrier against the resurgence of these threats. If security standards in the IoT industry do not improve and manufacturers and distributors do not take a more responsible stance, new actors will likely try to reuse similar techniques and the botnet saga will repeat itself.
The authorities' efforts immediately reduce the operational capacity of these networks and give potential victims some respite, but they also underline the need for more ambitious public policies, investment in rapid response and a much more widespread digital security culture among users and companies.