Authorities disrupt world’s largest IoT DDoS botnets
ANCHORAGE, Alaska – The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets.
The operation was conducted simultaneously with law enforcement actions conducted in Canada and Germany, which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.
During the operation, the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants which targeted multiple U.S.-registered internet domains, virtual servers, and other infrastructure allegedly engaged in cyber-enabled criminal activity, including DDoS attacks against IPs owned by the Department of Defense Information Network (DoDIN).
According to court documents, the four botnets targeted in the operation together infected millions of devices worldwide. The majority of these devices were IoT devices, such as digital video recorders, web cameras, or WiFi routers. The KimWolf and JackSkid botnets are accused of targeting and infecting devices which are traditionally “firewalled” from the rest of the internet. The infected devices were enslaved by the botnet operators. The operators then used a “cybercrime as a service” model to sell access to the infected devices to other cyber criminals. The operators and their customers forced the victim devices to participate in hundreds of thousands of DDoS attacks, targeting computers and servers located throughout the world. As of March 2026, the number of infected devices hijacked worldwide by the botnet administrators exceeded three million, with hundreds of thousands of infected devices located in the United States.
Some victims reported the DDoS attacks resulted in tens of thousands of dollars in losses and remediation expenses. Cybercriminals used these botnets to launch hundreds of thousands of attacks, in some cases demanding extortion payments from victims. Court documents allege that the Aisuru botnet issued more than 200,000 DDoS attack commands, the KimWolf botnet issued more than 25,000 DDoS attack commands, the JackSkid botnet launched more than 90,000 DDoS attack commands and the Mossad botnet launched more than 1,000 DDoS attack commands.
This operation, in coordination with other international law enforcement actions, is intended to disrupt communications associated with the Aisuru, KimWolf, JackSkid, and Mossad botnets, preventing further infection to victim devices and limiting or eliminating the ability of the botnets to launch future attacks.
“Today, the United States joined international law enforcement partners in coordinated enforcement actions to disrupt DDoS threats impacting Alaskans and victims around the world,” said U.S. Attorney Michael J. Heyman for the District of Alaska. “Effective collaboration bolsters our collective ability to combat emerging threats. The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live.”
“Today’s disruption of four powerful botnets highlights our commitment to eliminate emerging cyber threats to the Department of Defense and its warfighters,” said Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Cyber Field Office. “Cybercriminals infiltrate infrastructure beyond physical borders and DCIS participates in international operations to help safeguard the Department’s global footprint. Collaboration among law enforcement and industry partners has proven vital to this success.”
“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. “This operation reflects the strength of that collaboration and our shared commitment to combatting cybercrime and protecting victims worldwide.”
DoDIG DCIS is investigating the case, with assistance from the FBI Anchorage Field Office.
Law enforcement agencies from Canada and Germany conducted their own operations targeting botnet administrators and botnet infrastructure. International partners include:
- Germany: Bundeskriminalamt (BKA) Cyber and Public Prosecutor’s Office in Cologne (ZAC NRW)
- Canada: Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP) and Sûreté du Québec (SQ)
Additionally, the U.S. Justice Department thanks Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Epieos, Google, Hydrolix, Lumen, Nokia, Okta, Oracle, PayPal, Registrar of Last Resort, The Shadowserver Foundation, Sony Interactive Entertainment, SpyCloud, Synthient, Team Cymru, Unit 221B, XLAB and Netherlands Politie and EUROPOL’s PowerOFF team for their assistance provided during this investigation and operation.
Assistant U.S. Attorney for the District of Alaska Adam Alexander is prosecuting this matter.


Comments
Don't get me wrong, good, this shit needs to go.
But uh... where are the arrests?
It’s hard to investigate and/or arrest someone in Russia, China, North Korea, or any other country where the authorities have zero jurisdiction.
If I'm not mistaken, one of the operators is a 15 year old operating out of Germany. Another being a 22 year old Canadian.
FEDs and law enforcement are more persistent than some LET Providers.
Some of you choose to ignore your abuse emails until publicly called out.....
Didn't know government workers were more dedicated than summer hosts here
https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/
which is a server from @dan_onlyservers
Do you have any evidence that @dan_onlyservers received and ignored abuse reports?
A good question, but do you think that the "world’s largest IoT DDoS botnets" operated while receiving no abuse reports?
I think it'll be a bit hard to identify specifically who actually runs these types of things, as people love claiming they operate/own stuff like this because they think it makes them look cool, or because it helps them get a sale (or something else petty lol). In my opinion the real builder/maintainer is probably behind the scenes in a place where they can't be touched (like Russia) while other people play the face of the whole thing.
With a botnet that was this big I don't think whoever actually made/maintains it is going to be openly out here saying it's theirs, let alone let something as personal as their age get doxxed. Way more likely they've got layers to it, with people fronting as the "owner" while they're actually just an admin or reseller, with everything eventually funneling back to whoever is actually running the show.
I do agree with you though, where are the arrests/seizures so they can start a proper investigation?
https://imgur.com/a/TVYCPNj
or Reliablesite:
https://imgur.com/a/6aMk6FJ
They were called out on LET on March 16.
Alleged perpetrators were 15 and 20+ years old. Probably autists.
Weaponized...
Without arrests this isn't going to do shit, they'll just spin up new infra.
Afaik, there are few competing groups for IoT devices. Largest taken down. This will shake down industry a bit. Probably until some out of this world malware driven by LLM and even more twisted autism.
@dan_onlyservers I am still awaiting a reply
You're not reporting a C2 server, you're reporting a proxy server. You have no proof linking the two together.
Matter of fact, the server isn't even online, and for the time that it was online, it wasn't working since it was unable to talk to the actual C2.
The "S" in IoT stands for Secure.
Perhaps we should start penalizing the companies whose negligence makes this not only possible, but trivial. If you're going to release millions of a product and you know that millions of users will keep using it even after you stop releasing security updates and then you do stop releasing security updates and your whole fleet is turned into a botnet, you should be liable.
He never claimed to report a C2 server, he said "entry point for proxies sourced from a botnet". It's a gateway, you connect to it, it connects to the actual proxies.
Onlyservers' NOC confirmed his report the first time though?
I'm also curious how you came to the conclusion it wasn't working, please elaborate.
It doesn't necessarily need the C2 anymore once the proxy provider's SDK has been installed on the compromised device.
With that logic, isn't every single proxy provider doing the same exact thing?
I'm a customer of their proxies. I talked to the guy behind them, and he says they stopped working because the C2 got taken down, and they can't update it.
That SDK has to talk to a server. That server is the C2 I'm referencing.
Hello,
We process all abuse reports and send a receipt to the submitter. When abuse reports are marked as resolved by our server customers, we also notify the sender so they can revalidate or escalate any problems.
The IP mentioned above 85.159.92.250 is a new server purchased in the last few days. I have made our NOC team aware to take action and this IP is no longer reachable.
Should anyone have any concerns or evidence on IPs, please notify our abuse team by emailing [email protected]
Anonymous proxy services are strictly forbidden by our T&C's so these services will be removed when detected or reported.
Dan
https://web.archive.org/web/20260322164452/https://t.me/maskifysu/110
okay then