Authorities Dismantle IoT Botnet Linked to Record-Shattering 30 Tbps DDoS Campaigns
An international law enforcement operation has dismantled the core infrastructure of four destructive IoT botnets: Aisuru, KimWolf, JackSkid, and Mossad.
These sprawling networks generated record-breaking DDoS attacks, with traffic volumes exceeding 30 Terabits per second, crippling global targets.
By March 2026, the combined efforts of these botnets had infected over three million devices worldwide, including hundreds of thousands within the United States.
The threat actors primarily targeted vulnerable internet-facing IoT hardware, including digital video recorders, web cameras, and home WiFi routers.
A notable tactic involved KimWolf and JackSkid exploiting advanced techniques to compromise devices shielded behind traditional network firewalls.
Cybercrime as a Service
According to the US Department of Justice, after seizing the infected hardware, botnet operators ran a lucrative “cybercrime as a service” model.
They leased access to their vast networks of compromised devices to other criminals.
These secondary clients weaponized the networks to launch targeted DDoS attacks, frequently extorting victims for payment to cease the onslaught.
Attacks targeted servers globally, including systems managed by the U.S. Department of Defense Information Network (DoDIN), causing significant financial losses and remediation costs for private sector victims.
Prior to the operation, the botnets were heavily utilized. Attack command statistics reveal the massive scale:
| Botnet Name | Attack Commands Issued | Noteworthy Capabilities |
|---|---|---|
| Aisuru | 200,000+ | High-volume attack generation |
| JackSkid | 90,000+ | Bypassing traditional firewalls |
| KimWolf | 25,000+ | Targeting firewalled IoT devices |
| Mossad | 1,000+ | Specialized target disruption |
The successful takedown required a synchronized global response. In the U.S., the Defense Criminal Investigative Service (DCIS) and FBI executed seizure warrants for U.S.-registered domains and servers.
Simultaneously, law enforcement agencies in Germany (BKA and ZAC NRW) and Canada (RCMP, OPP, and SQ) targeted the human administrators operating the botnets.
The operation also depended on extensive public-private partnerships. Over a dozen technology companies and threat intelligence groups, including Cloudflare, Akamai, Amazon Web Services, and The Shadowserver Foundation, provided critical assistance.
By seizing the command and control servers, authorities severed the link between the attackers and the millions of enslaved devices, eliminating the threat of future 30 Tbps attacks from these specific botnets.