Authorities disrupt four IoT botnets behind record DDoS attacks
The U.S. Justice Department and international partners have disrupted four IoT botnets linked to DDoS attacks that reached 30 terabits per second, among the largest ever recorded.
The four botnets targeted in the operation—Aisuru, KimWolf, JackSkid and Mossad—infected millions of devices worldwide, primarily IoT systems such as digital video recorders, web cameras and WiFi routers.
KimWolf and JackSkid targeted devices designed to be shielded from direct internet exposure, compromising and bringing them under the control of their operators. The infected systems were then folded into a cybercrime-as-a-service model, where access to the botnets was sold to other actors.
Both the operators and their customers used these devices to carry out hundreds of thousands of DDoS attacks against computers and servers worldwide, in some cases demanding extortion payments from victims.
“Some victims reported that the DDoS attacks resulted in tens of thousands of dollars in losses and remediation expenses,” authorities said.
According to court documents, the Aisuru botnet issued more than 200,000 DDoS attack commands, followed by KimWolf with more than 25,000, JackSkid with over 90,000, and Mossad with more than 1,000.
During the operation, the Defense Criminal Investigative Service (DCIS), part of the Department of Defense Office of Inspector General, executed seizure warrants targeting U.S.-registered internet domains, virtual servers and other infrastructure linked to criminal activity, including DDoS attacks against IP addresses on the Department of Defense Information Network (DoDIN).
“Collaboration among law enforcement and industry partners has proven vital to this success,” noted Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, DCIS, Cyber Field Office.
The total number of DDoS attacks more than doubled in 2025 to 47.1 million, while network-layer attacks more than tripled year over year. Cloudflare’s threat research unit, Cloudforce One, recorded 19 record-setting attacks during the year. The largest, a 31.4 Tbps UDP flood linked to the Aisuru botnet in November 2025, was nearly six times larger than the biggest attack recorded in 2024.
Most attacks in 2025 lasted under 10 minutes, limiting the window for human-led mitigation. The Aisuru botnet and its successor, KimWolf, are estimated to control between one and four million infected devices.