Authorities have successfully dismantled the command-and-control (C2) infrastructure powering four massive Internet of Things (IoT) botnets.
The U.S. Justice Department, collaborating closely with Canadian and German agencies, targeted the administrators and architecture behind the Aisuru, KimWolf, JackSkid, and Mossad botnets.
Together, these malicious networks infected over three million devices globally and launched catastrophic Distributed Denial of Service (DDoS) attacks, with peak volumetric traffic reaching an unprecedented 30 Terabits per second (Tbps).
The botnets primarily weaponized vulnerable IoT infrastructure, including digital video recorders, web cameras, and enterprise WiFi routers. The threat actors built an expansive botnet army by exploiting poor default security postures and known vulnerabilities.
Notably, the operators behind the KimWolf and JackSkid botnets demonstrated sophisticated evasion capabilities, specifically targeting and infecting devices that were traditionally isolated and positioned behind network firewalls.
Once compromised, these devices were enslaved into a massive “cybercrime-as-a-service” platform. The administrators monetized their illicit infrastructure by leasing access to other threat actors, effectively democratizing the ability to launch highly disruptive volumetric and application-layer DDoS attacks.
These attacks targeted servers worldwide, notably including critical infrastructure and IP addresses owned by the Department of Defense Information Network (DoDIN).
Botnet Family   Attack Commands Issued   Primary Target Focus
Aisuru          > 200,000                Global infrastructure and servers
JackSkid        > 90,000                 Firewalled IoT devices
KimWolf         > 25,000                 Firewalled IoT devices
Mossad          > 1,000                  General IoT devices
The sheer scale of the combined botnets allowed threat actors to launch hundreds of thousands of coordinated campaigns. Victims facing these record-breaking 30 Tbps attacks experienced severe operational downtime, resulting in tens of thousands of dollars in remediation costs and direct financial losses.
In many instances, the cybercriminals leveraged this overwhelming attack capacity as a coercive tool, demanding extortion payments from targeted organizations to halt the malicious traffic flow. As of March 2026, hundreds of thousands of the three million globally infected devices were located within the United States.
The operational takedown focused on surgically severing the communication channels between the infected IoT endpoints and the threat actors’ C2 architecture.
The Defense Criminal Investigative Service (DCIS), supported by the FBI Anchorage Field Office, executed numerous seizure warrants targeting U.S.-registered internet domains, virtual servers, and related cyber infrastructure utilized by the botnet operators.
At the same time, Germany's Bundeskriminalamt (BKA) and Canada's Royal Canadian Mounted Police (RCMP) carried out legal actions and arrests against the individuals operating the networks.
This operation underscores the critical necessity of public-private threat intelligence sharing in the modern security landscape. Law enforcement agencies were supported by a vast coalition of technology and security firms, including Akamai, Amazon Web Services, Cloudflare, The Shadowserver Foundation, and Team Cymru.
This collective intelligence allowed authorities to map the vast C2 networks and execute a coordinated disruption, severely limiting the operators’ ability to issue further attack commands and preventing future infections.
The post Authorities Disrupt IoT Botnet Infrastructure Behind Record-Breaking 30 Tbps DDoS Attacks appeared first on Cyber Security News.