Quick Facts
- Category: Robotics & IoT
- Published: 2026-05-01 16:03:28
In a coordinated international operation, U.S. federal authorities alongside Canadian and German law enforcement have dismantled the infrastructure behind four notorious IoT botnets—Aisuru, Kimwolf, JackSkid, and Mossad. These botnets had compromised over three million internet-connected devices, including routers and web cameras, and were responsible for some of the most powerful distributed denial-of-service (DDoS) attacks on record. Here are five key things you need to know about this significant cybercrime takedown.
1. The Botnets Were Engineered for Maximum Disruption
The four botnets weren't just minor nuisances; they were built to cause massive damage. Aisuru, the oldest, issued more than 200,000 attack commands targeting military and civilian networks. JackSkid followed with at least 90,000 attacks, while Kimwolf added 25,000 more. Even the smallest, Mossad, was responsible for roughly 1,000 digital sieges. These botnets employed sophisticated spreading techniques, such as Kimwolf's novel method that infected devices hidden behind internal network protections, making them especially hard to remove. The DOJ stated that these attacks were capable of knocking nearly any target offline, with some victims reporting tens of thousands of dollars in losses and remediation expenses.

2. The Takedown Involved Multiple Government and Private Players
This wasn't a solo effort. The Department of Justice worked closely with the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service (DCIS), which executed seizure warrants targeting U.S.-registered domains and virtual servers used for DDoS attacks against DoD internet addresses. The FBI’s Anchorage Field Office also played a key role, as did nearly two dozen technology companies that provided critical assistance. “By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. This collaboration demonstrates how law enforcement and industry can join forces to fight cybercrime.
3. A Vulnerability Disclosure Helped Slow One Botnet’s Spread
On January 2, 2026, security firm Synthient publicly disclosed the vulnerability that Kimwolf was exploiting to propagate so quickly. That disclosure was a game-changer: it curtailed Kimwolf’s spread and gave defenders a critical head start. However, the DOJ noted that other IoT botnets have since emerged, effectively copying Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. This highlights the ongoing cat-and-mouse dynamic in cybersecurity—disclosures are vital but temporary fixes, and attackers quickly adapt. The takedown of the original botnets is a major win, but it won’t be the last battle.
4. Extortion Was a Key Motive Behind the Attacks
The individuals controlling these botnets weren’t just causing chaos for fun. The government alleges they launched hundreds of thousands of DDoS attacks and then demanded extortion payments from victims. Many victims—ranging from small businesses to critical infrastructure operators—reported paying tens of thousands of dollars to stop the attacks, or spending even more on remediation. This monetization strategy is common in modern cybercrime, where botnets are rented out or used directly for extortion. The operation to dismantle these botnets also aimed to prevent future infections and to limit the criminals’ ability to profit from further attacks.

5. The Operation Was Part of a Broader International Effort
The Justice Department said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany, though details of those actions remain under wraps. This international dimension is crucial because IoT botnets rarely respect borders. The botnets infected devices worldwide, and the criminals likely operated from multiple jurisdictions. By working together, the U.S., Canada, and Germany sent a clear message that targeting critical infrastructure and using IoT devices as weapons will not be tolerated. The case is still under investigation by the DCIS with help from the FBI, and no arrests have been announced yet—but the infrastructure is down, and that’s a significant victory for cybersecurity.
The dismantling of Aisuru, Kimwolf, JackSkid, and Mossad marks a major step in the fight against IoT-based DDoS attacks. It shows that law enforcement agencies can coordinate across borders and with the private sector to disrupt sophisticated criminal operations. However, as the DOJ cautioned, new botnets are emerging that mimic the techniques of the botnets that were taken down. The key takeaway? Vulnerable IoT devices remain a huge threat, and both users and manufacturers must prioritize security updates, strong passwords, and network segmentation. The fight against botnets is far from over, but this operation proves that collective action works.