What happened
Authorities in the United States, Germany, and Canada disrupted command-and-control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets, targeting virtual servers, domains, and related systems used to launch large-scale distributed denial-of-service attacks. According to the U.S. Justice Department, the four botnets collectively infected more than three million IoT devices, including web cameras, digital video recorders, and Wi-Fi routers, and were used to issue more than 316,000 DDoS attack commands. The operation followed months of activity tied to some of the largest recent DDoS incidents, including the Aisuru botnet’s 31.4 Tbps record attack in December. Authorities said the botnet operators sold access to other cybercriminals under a cybercrime-as-a-service model, enabling attacks against victims worldwide, including IP addresses owned by the Department of Defense Information Network.
Who is affected
Organizations worldwide targeted by the four botnets were affected, including victims hit by extortion-driven DDoS attacks and service disruption campaigns, while millions of compromised IoT devices were used as the attack infrastructure.
Why CISOs should care
The operation highlights the scale of DDoS infrastructure built from compromised IoT devices and shows how botnet operators continue to commercialize attack capacity for extortion and disruption.
3 practical actions
- Review exposure to IoT-based botnet risk. Identify internet-facing devices such as cameras, DVRs, and routers that could be abused in botnet activity.
- Monitor for DDoS extortion patterns. The disrupted botnets were used to launch attacks for other cybercriminals under a service model.
- Track law enforcement and infrastructure takedowns. Joint actions like this can reveal active botnet names, tactics, and affected device categories relevant to enterprise defense.
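The first two actions above can be combined into one defensive check: use the asset inventory to find the device categories named in the article (cameras, DVRs, routers) and then watch those devices' outbound traffic for the signature of a bot taking part in a DDoS, namely a sustained high packet rate concentrated on a single external destination. The script below is an added example written for this brief, not code from the article or from any law enforcement agency or vendor it mentions. The asset list, flow records, IP addresses, and thresholds are all constructed for illustration; real flow records would come from NetFlow/IPFIX or firewall logs.

```python
"""Flag IoT assets whose outbound traffic looks like DDoS participation.

Added example for this brief. All hosts, flows and thresholds are constructed.
"""
from collections import defaultdict

# Device categories called out in the article as commonly conscripted into botnets.
IOT_CATEGORIES = {"camera", "dvr", "router"}

# Constructed asset inventory (hypothetical addresses and tags).
ASSETS = {
    "10.0.20.11": {"category": "camera", "internet_facing": True},
    "10.0.20.12": {"category": "dvr", "internet_facing": True},
    "10.0.20.13": {"category": "router", "internet_facing": False},
    "10.0.30.5": {"category": "server", "internet_facing": True},
}

# Constructed flow records aggregated over one fixed window (src, dst, packets).
WINDOW_SECONDS = 60
FLOWS = [
    ("10.0.20.11", "203.0.113.10", 600_000),  # camera hammering one target
    ("10.0.20.11", "203.0.113.11", 10_000),
    ("10.0.20.12", "198.51.100.20", 1_500),   # dvr, normal NTP/update chatter
    ("10.0.20.12", "198.51.100.21", 1_500),
    ("10.0.20.13", "198.51.100.7", 400_000),  # internal-only router, still infected
    ("10.0.30.5", "203.0.113.10", 900_000),   # server: high volume but not IoT
]


def exposed_iot_assets(assets):
    """Action 1: IoT-category devices that are reachable from the internet."""
    return sorted(
        ip for ip, meta in assets.items()
        if meta["category"] in IOT_CATEGORIES and meta["internet_facing"]
    )


def flag_ddos_participants(flows, assets, pps_threshold=5_000, min_share=0.9,
                           window_seconds=WINDOW_SECONDS):
    """Action 2: IoT devices sending a high, single-destination packet flood.

    A host is flagged when it is an IoT-category asset, its outbound packet
    rate over the window is at least pps_threshold, and at least min_share of
    those packets go to one destination (the concentration typical of a bot
    aimed at a victim). Exposure is deliberately not required: an internal
    device can be infected via another path and still attack outward.
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for src, dst, packets in flows:
        per_src[src][dst] += packets

    findings = []
    for src, by_dst in per_src.items():
        meta = assets.get(src)
        if meta is None or meta["category"] not in IOT_CATEGORIES:
            continue
        total = sum(by_dst.values())
        pps = total / window_seconds
        top_dst, top_packets = max(by_dst.items(), key=lambda kv: kv[1])
        share = top_packets / total
        if pps >= pps_threshold and share >= min_share:
            findings.append({
                "src": src,
                "category": meta["category"],
                "internet_facing": meta["internet_facing"],
                "pps": round(pps, 1),
                "top_dst": top_dst,
                "share": round(share, 3),
            })
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    print("Internet-facing IoT assets:", exposed_iot_assets(ASSETS))
    for f in flag_ddos_participants(FLOWS, ASSETS):
        print(f"{f['src']} ({f['category']}) -> {f['top_dst']}: "
              f"{f['pps']} pps, {f['share']:.0%} to one destination")
```

The concentration test matters as much as the rate: a busy but legitimate device spreads traffic across many destinations, while a bot driving a volumetric attack points almost everything at one victim. Thresholds should be tuned per VLAN from a baseline; the values here are illustrative only.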
