The U.S. Justice Department, along with Canadian and German law enforcement agencies, has dismantled the infrastructure behind four major IoT botnets. The botnets, named Aisuru, Kimwolf, JackSkid, and Mossad, were responsible for hundreds of thousands of DDoS attacks, impacting more than three million devices such as routers and web cameras. These botnets launched record-breaking attacks and demanded extortion payments from victims.
The operation against the botnets was carried out primarily by the Defense Criminal Investigative Service (DCIS) of the U.S. Department of Defense's Office of Inspector General (DoDIG). The DCIS executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure used in DDoS attacks against DoD addresses.
The oldest botnet, Aisuru, issued over 200,000 attack commands. By mid-2025, it was rapidly infecting new devices and seeding Kimwolf, an Aisuru variant that introduced a novel spreading mechanism. In October 2025, Synthient publicly disclosed the vulnerability used by Kimwolf, curbing its spread somewhat but leading to competition among other botnets.
The disruption of these botnets coincided with law enforcement actions in Canada and Germany targeting individuals who operated them. A security firm identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet, while multiple sources pointed to a 15-year-old German suspect.