
Four Major DDoS Botnets Dismantled in Global Law Enforcement Operation

Published on March 20, 2026

A coordinated DDoS botnet disruption operation has taken down the infrastructure behind four of the most destructive botnet networks seen in recent years. Authorities from the United States, Germany, and Canada dismantled the command-and-control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets, networks collectively responsible for some of the largest denial-of-service attacks ever recorded. The action marks one of the most significant law enforcement takedowns of IoT-based cybercrime infrastructure to date.

Millions of Devices, Hundreds of Thousands of Attacks

As of March 2026, the four botnets had compromised more than three million devices worldwide, including DVRs, cameras, Wi-Fi routers, and other IoT systems. Hundreds of thousands of those infected devices were located in the United States.

KimWolf and JackSkid specifically targeted devices designed to be shielded from direct internet exposure. Once compromised, those systems were folded into a cybercrime-as-a-service model where access was sold to other actors. In some cases, operators demanded extortion payments directly from victims.

Court documents allege that Aisuru issued more than 200,000 DDoS attack commands, JackSkid launched more than 90,000, KimWolf issued more than 25,000, and Mossad issued more than 1,000. Some victims reported losses and remediation costs running into the tens of thousands of dollars.

Record-Breaking Attacks and a Novel Spreading Technique

Aisuru emerged in late 2024 and by mid-2025 was launching record-breaking attacks as it rapidly infected new IoT devices. In October 2025, it was used to seed KimWolf, a successor variant that introduced a novel spreading mechanism allowing the botnet to compromise devices hidden behind internal network protections.

KimWolf exploited residential proxy networks to expand at scale. Unlike traditional botnets that scan the open internet for vulnerable devices, it used this approach to reach systems that were never meant to be publicly accessible. JackSkid adopted the same technique. Both were linked to the largest DDoS attack on record, which peaked at 31.4 Tbps and 200 million requests per second, targeting companies in the telecommunications sector.

A security firm publicly disclosed the vulnerability KimWolf was exploiting on January 2, 2026. That disclosure slowed its spread, but it also triggered a wave of copycat botnets competing for the same pool of vulnerable devices.

What the Operation Targeted

The U.S. Justice Department executed the operation under court authorization. The Defense Criminal Investigative Service executed seizure warrants targeting multiple U.S.-registered internet domains, virtual servers, and other infrastructure used in DDoS attacks against IP addresses on the Department of Defense Information Network.

Nearly two dozen technology companies assisted, including Akamai, AWS, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, and PayPal. Lumen's security research team null-routed nearly 1,000 C2 servers used by Aisuru and KimWolf.

In early March 2026, JackSkid averaged over 150,000 daily victims, peaking at 250,000 on March 8. Mossad averaged over 100,000 daily victims during the same period. The scale of active targeting in the days before the takedown underlines how urgently the disruption was needed.

The Broader DDoS Threat Landscape

This DDoS botnet disruption does not happen in isolation. The total number of DDoS attacks more than doubled in 2025 to 47.1 million, while network-layer attacks more than tripled year over year. Most attacks lasted under 10 minutes, limiting the window for human-led mitigation.

The botnets dismantled in this operation were not fringe tools. They drove a measurable share of that global attack volume. Telecoms, cloud providers, and government systems all appeared on target lists. At their peak, these networks generated attacks exceeding 30 Tbps, 14 billion packets per second, and 300 million requests per second.

The cybercrime-as-a-service model is central to why this threat grew so fast. Operators did not just use the botnets themselves. They rented out access, turning infected consumer devices into a commercial attack product. Routers and cameras purchased by ordinary users became infrastructure for hire.

What Happens Next

The operation was designed to disrupt communications tied to all four botnets, prevent additional infections, and reduce their ability to launch future attacks. Canada and Germany conducted parallel operations targeting individuals linked to the networks, though no arrests have been publicly confirmed.

The technical disruption is meaningful, but it addresses the infrastructure, not the underlying vulnerability pool. Millions of IoT devices remain exposed, patchable only if their owners act. The botnets built on KimWolf's technique have already spawned copycat networks, and those remain active.

For businesses, this operation is a reminder that consumer-grade devices inside corporate networks carry real risk. An unmanaged router or IP camera is not a neutral endpoint. In the hands of a botnet operator, it becomes a weapon pointed outward at other targets, while the owner has no indication anything is wrong. Regular firmware updates, network segmentation, and visibility into connected devices are not optional hygiene measures. They are the basic controls that prevent your infrastructure from becoming someone else's attack tool.
