
The U.S. Department of Justice (DoJ) announced Thursday that it has disrupted command and control (C2) infrastructure used by several Internet of Things (IoT) botnets, including AISURU, Kimwolf, JackSkid, and Mossad, as part of a court-authorized law enforcement operation.
As part of the same effort, authorities in Canada and Germany are also targeting the operators behind these botnets, and a number of private companies are assisting in the investigation, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
“The four botnets launched distributed denial of service (DDoS) attacks targeting victims around the world,” the Justice Department said. “Some of these attacks measured about 30 terabits per second, which were record-breaking attacks.”
In a report last month, Cloudflare attributed a massive 31.4 Tbps DDoS attack, which occurred in November 2025 and lasted just 35 seconds, to AISURU/Kimwolf. Towards the end of last year, the botnet was assessed to be responsible for large-scale DDoS attacks with an average size of 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps).
Independent security journalist Brian Krebs also identified Kimwolf’s administrator as Jacob Butler (also known as Dort), a 23-year-old resident of Ottawa, Canada. Butler told Krebs he had not used the Dort persona since 2021 and claimed someone was impersonating him after compromising his old account.
Butler also said that, due to his autism and struggles with social interaction, he mostly stays at home and helps his mother. The other main suspect is a 15-year-old resident of Germany, Krebs said. No arrests have been announced.
The botnet has commandeered more than 2 million Android devices, most of them compromised Android TV devices from other companies. Together, the four botnets are estimated to have infected more than 3 million devices worldwide, including digital video recorders, web cameras, and Wi-Fi routers, hundreds of thousands of which are in the United States.
“The Kimwolf and JackSkid botnets are suspected of targeting and infecting devices that are traditionally ‘firewalled’ from other parts of the Internet. Infected devices were enslaved by the botnet operators,” the Justice Department said. “The operators then sold access to the infected devices to other cybercriminals using a ‘cybercrime-as-a-service’ model.”
These infected devices were used to carry out DDoS attacks against targets of interest around the world. Court documents claim that the four Mirai-variant botnets issued hundreds of thousands of DDoS attack commands:
AISURU – more than 200,000 DDoS attack commands
Kimwolf – more than 25,000 DDoS attack commands
JackSkid – more than 90,000 DDoS attack commands
Mossad – more than 1,000 DDoS attack commands
“Kimwolf represents a fundamental change in how botnets operate and scale. Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited a new attack vector: residential proxy networks,” Tom Scholl, vice president and special engineer at AWS, said in a post shared on LinkedIn.
“By infiltrating home networks through compromised devices, such as streaming TV boxes and other IoT devices, botnets have gained access to local networks that are typically protected from external threats by home routers.”
Lumen Black Lotus Labs said in a statement shared with The Hacker News that it null-routed nearly 1,000 of the C2 servers used by AISURU and later Kimwolf. According to data collected by the cybersecurity firm, JackSkid’s victims averaged over 150,000 a day in the first two weeks of March 2026, peaking at 250,000 on March 8. Mossad averaged more than 100,000 victims a day during the same period.
“The problem is that with so many vulnerable devices out there, two things happened: First, Kimwolf proved incredibly resilient,” said Ryan English, security researcher at Black Lotus Labs at Lumen. “The second problem is that several new botnets have started emulating this technique to leverage this vulnerability and grow very large and rapidly.”
Akamai said the massive botnets generated attacks at 30 Tbps, 14 billion packets per second, and over 300 Mrps, adding that cybercriminals used these botnets to launch hundreds of thousands of attacks, in some cases demanding extortion payments from victims.
“These attacks can cripple core Internet infrastructure, cause significant service degradation for ISPs and their downstream customers, and even overwhelm high-capacity cloud-based mitigation services,” the web infrastructure company said.
