Four huge IoT botnets behind massive denial of service attacks are disrupted by authorities
The command and control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad Internet of Things (IoT) botnets has been disrupted by law enforcement authorities in the U.S., Canada and Germany.
The U.S. Justice Department said Thursday that the action targeted individuals who operated the four botnets, which launched distributed denial of service (DDoS) attacks against victims around the world. Some of these attacks peaked at approximately 30 terabits per second, a record-breaking volume.
Multiple U.S.-registered internet domains, virtual servers, and other infrastructure allegedly engaged in cyber-enabled criminal activity were seized.
The majority of the infected internet-connected devices that composed the botnets were IoT devices, such as digital video recorders, web cameras, or WiFi routers. The KimWolf and JackSkid botnets are believed to have targeted and infected devices that are traditionally firewalled from the rest of the internet, the Justice Department statement said. The infected devices were then enslaved by the botnet operators, who used a cybercrime-as-a-service model to sell access to them to other cyber criminals, who in turn launched hundreds of thousands of DDoS attacks. Often threat actors using the service demanded money for the attacks to stop, but sometimes DDoS attacks were used to divert IT defenders from compromises elsewhere on a target's network.
Among the targets was the U.S. Department of Defense.
As of March 2026, the number of infected devices hijacked worldwide by the botnet administrators exceeded three million, with hundreds of thousands of infected devices located in the United States.
The Justice Department credited Europol for its help, as well as IT companies including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Nokia, Okta, Oracle, PayPal, the Shadowserver Foundation and Sony Interactive Entertainment.
This is the latest international effort to go after the IT infrastructure behind the distribution of malicious software. Some of it is conducted under Operation Endgame, a collaboration between the authorities of the Netherlands, Germany, the United States, Australia, France, Denmark, Belgium, the United Kingdom and Canada, with the support of Europol and Eurojust.
Separately, the Justice Department announced the seizure of four domains as part of an ongoing effort to disrupt hacking and transnational repression schemes conducted by the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS).
The seized domains – Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to – were used by the MOIS for attempted psychological operations against adversaries of Iran by claiming credit for hacking activity, posting sensitive data stolen during hacks and calling for the killing of journalists, regime dissidents, and Israeli persons. For example, the MOIS used the Handala-hack[.]to domain to claim credit for last week’s destructive malware attack against the U.S.-based multinational medical technologies firm Stryker.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged IT departments to tighten access controls over their endpoint management systems in the wake of that attack. Click here to see my story for CSOonline.com on that advice.
