10 Key Facts About the Takedown of Massive IoT Botnets

Posted by u/Oppise Stack · 2026-05-02 02:00:14

The recent dismantling of four notorious IoT botnets by U.S., Canadian, and German authorities marks a significant victory against cybercrime. These botnets infected over three million devices and launched devastating DDoS attacks. Here are the essential details you need to know.

1. A Coordinated International Takedown

In a joint operation, the U.S. Department of Justice, along with Canadian and German law enforcement, dismantled the infrastructure of four botnets: Aisuru, Kimwolf, JackSkid, and Mossad. The operation targeted domains, virtual servers, and other assets used to control these networks of compromised IoT devices, including routers and webcams.

Source: krebsonsecurity.com

2. Over 3 Million Devices Compromised

The botnets collectively compromised more than three million Internet of Things (IoT) devices. These devices were hijacked to form a powerful network capable of launching massive distributed denial-of-service (DDoS) attacks. Many victims were unaware their devices had been infected until after the takedown.

3. The Four Botnets Behind the Attacks

Each botnet played a distinct role. Aisuru, the oldest, issued over 200,000 attack commands. JackSkid launched at least 90,000 attacks, while Kimwolf and Mossad were responsible for 25,000 and roughly 1,000 attacks respectively. Their combined power could knock nearly any target offline.

4. Record-Breaking DDoS Attacks and Extortion

These botnets were used to execute hundreds of thousands of DDoS attacks, often accompanied by extortion demands. Victims reported losses and remediation expenses totaling tens of thousands of dollars. The attacks set new records for scale and disruption, affecting government, military, and private sector networks.

5. The Role of International Cooperation

The operation was led by the U.S. Department of Justice, with assistance from the FBI's Anchorage field office and the Department of Defense's Defense Criminal Investigative Service (DCIS). Authorities in Canada and Germany also conducted parallel actions, demonstrating the global nature of the effort.

6. How the Botnets Spread: Aisuru and Kimwolf

Aisuru emerged in late 2024 and by mid-2025 was rapidly infecting new IoT devices. Its variant, Kimwolf, introduced a novel propagation mechanism that allowed it to infect devices hidden behind internal network protections. This technique bypassed typical firewall safeguards, increasing the botnet's reach.

7. The Impact on Victims and Remediation Costs

Victims included small businesses, school districts, and government agencies. Many reported significant financial losses due to downtime, ransom demands, and the cost of cleaning infected systems. The DOJ noted that remediation expenses often exceeded tens of thousands of dollars per victim.

8. The Critical Vulnerability Disclosure by Synthient

On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability that Kimwolf was exploiting to spread. This disclosure helped curb the botnet's growth, though other botnets quickly adopted similar methods. The discovery was key to slowing down future variants.

9. Law Enforcement Actions and Seizures

The DCIS executed seizure warrants for multiple U.S.-registered domains and virtual servers used in attacks against Department of Defense IP addresses. The operation also involved nearly two dozen technology companies that assisted in identifying and isolating the criminal infrastructure.

10. What This Means for IoT Security Going Forward

The takedown highlights the urgent need for better IoT device security. Authorities urge manufacturers to patch vulnerabilities and consumers to change default passwords. While these botnets are disrupted, copycat networks already exist, so ongoing vigilance is essential to prevent future large-scale attacks.

In conclusion, the dismantling of these four botnets is a major win for cybersecurity cooperation. However, the fight against IoT botnets is far from over. By understanding how these networks operated and the global response, we can better protect our connected world.