
Feds Take Down 4 IoT Botnets Behind DDoS Surge

U.S., Canadian, and German authorities dismantle the Aisuru, Kimwolf, JackSkid, and Mossad botnets tied to over 3 million infected IoT devices. Details on the April 27, 2026 action.

More than three million IoT devices were once under silent command of four botnets now dismantled by the U.S. Justice Department, working with Canadian and German authorities. On April 27, 2026, the government confirmed the disruption of Aisuru, Kimwolf, JackSkid, and Mossad — networks of compromised routers, cameras, and other internet-connected hardware used to launch a relentless wave of distributed denial-of-service (DDoS) attacks.

Key Takeaways

  • The DOJ, alongside Canadian and German law enforcement, seized domains and servers tied to four botnets: Aisuru, Kimwolf, JackSkid, and Mossad.
  • These botnets collectively infected over three million IoT devices, enabling record-breaking DDoS attacks.
  • Aisuru alone issued more than 200,000 attack commands, making it the most active of the group.
  • Kimwolf exploited a vulnerability disclosed by Synthient on January 2, 2026, allowing it to reach devices behind internal network protections.
  • The operation targeted infrastructure used to attack Department of Defense networks, with DCIS leading the investigation.

Operation Shuts Down Core Infrastructure

The U.S. Department of Defense Office of Inspector General’s Defense Criminal Investigative Service (DCIS) executed seizure warrants on multiple U.S.-registered domains and virtual servers. These systems were central to the command-and-control architecture of the botnets. The action wasn’t symbolic — it physically disconnected the puppeteers from their infected devices. That’s critical, because without access to their infrastructure, the botnet operators can’t issue new attack commands or recruit additional devices.

While the bot-infected hardware remains vulnerable, cutting the link between criminal operators and their network of compromised devices breaks the attack chain. The DOJ emphasized this wasn’t just about retribution — it was about preventing future infections and stopping ongoing DDoS campaigns in their tracks.

Botnet Timeline Reveals Evolution, Not Isolation

These weren’t four independent threats. They were stages in an evolving offensive. Aisuru emerged in late 2024 and by mid-2025 was launching record-breaking DDoS attacks. Its reach grew fast, infecting routers and cameras with default or weak credentials — the usual IoT weak spots.

But what’s most concerning is what came next. In October 2025, Aisuru was used to seed Kimwolf — a variant with a dangerous upgrade. Kimwolf could breach devices hidden behind NAT (Network Address Translation), the firewall-like barrier that normally protects internal networks. That’s not trivial. Most IoT botnets rely on devices exposed to the public internet. Kimwolf bypassed that limit.

How Kimwolf Broke the Rules

The mechanism Kimwolf used was first disclosed by the security firm Synthient on January 2, 2026. It exploited a flaw that allowed the malware to pivot from an initially compromised device into the local network, scanning and infecting others that weren’t directly reachable from the outside. This turned a single weak device — say, a dusty IP camera in a back office — into a beachhead for internal colonization.

Once Synthient went public with the vulnerability, the spread of Kimwolf slowed. But the genie was out. The DOJ notes that since then, several other botnets have copied Kimwolf’s method, competing for the same pool of unpatched, poorly configured devices. Innovation in malware, it seems, spreads faster than patches.
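One way a defender can spot the internal fan-out described above (a single IoT device suddenly reaching many LAN hosts on management ports) is a sliding-window check over flow logs. This is an added example, not code from the article or from any of the firms or botnets it names; the flow-record format, the 10.0.0.0/8 LAN range, the watched ports and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): flow records are "timestamp src dst dport",
# the LAN is 10.0.0.0/8, and the ports are common IoT management services.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WATCHED_PORTS = {23, 2323, 80, 8080}

# Constructed sample: 10.0.20.7 (an IP camera) fans out across its subnet the way
# a Kimwolf-style internal pivot would; 10.0.10.5 is an ordinary client.
SAMPLE_FLOWS = """\
2026-02-01T10:00:01 10.0.10.5 10.0.10.1 53
2026-02-01T10:00:03 10.0.10.5 198.51.100.7 443
2026-02-01T10:00:04 10.0.10.5 10.0.10.20 80
2026-02-01T10:00:05 10.0.20.7 10.0.20.2 23
2026-02-01T10:00:06 10.0.20.7 10.0.20.3 2323
2026-02-01T10:00:08 10.0.20.7 10.0.20.4 23
2026-02-01T10:00:11 10.0.20.7 10.0.20.5 23
2026-02-01T10:00:13 10.0.20.7 10.0.20.6 2323
2026-02-01T10:00:17 10.0.20.7 10.0.20.8 23
2026-02-01T10:00:20 10.0.20.7 10.0.20.9 2323
2026-02-01T10:00:24 10.0.20.7 10.0.20.10 23
2026-02-01T10:00:29 10.0.20.7 10.0.20.11 23
2026-02-01T10:00:33 10.0.20.7 10.0.20.12 2323
"""


def find_internal_scanners(flows_text, window=60, min_targets=8):
    """Return {src: peak distinct LAN targets} for sources that touch at least
    min_targets distinct internal hosts on watched ports within window seconds."""
    per_src = defaultdict(list)
    for line in filter(None, flows_text.splitlines()):
        ts, src, dst, dport = line.split()
        # Only internal destinations on management ports count as pivot attempts.
        if int(dport) in WATCHED_PORTS and ipaddress.ip_address(dst) in INTERNAL:
            per_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        left, peak = 0, 0
        for i, (ts, dst) in enumerate(events):
            # Slide the window start forward past events older than `window`.
            while ts - events[left][0] > timedelta(seconds=window):
                left += 1
            peak = max(peak, len({d for _, d in events[left:i + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged
```

In a real deployment the same check runs over NetFlow/IPFIX or firewall logs, and the threshold is tuned per VLAN so that legitimate scanners (a vulnerability scanner, a monitoring host) are allow-listed rather than flagged.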

JackSkid and Mossad: Copycats with Scale

JackSkid wasn’t a derivative of Aisuru or Kimwolf — at least not in code — but it shared their ambition. Like Kimwolf, it targeted devices on internal networks, indicating that the technique has become standard in the underground. The DOJ says JackSkid launched at least 90,000 attacks, while Mossad, the smallest of the bunch, was still responsible for roughly 1,000 DDoS events.

The scale matters. These aren’t test runs. Each attack command could represent a separate victim — a small business, a hosting provider, a university department — knocked offline for minutes or hours. Some victims reported tens of thousands of dollars in losses and remediation costs. That’s not just downtime. It’s lost sales, incident response fees, engineering hours, and reputational damage.

Attack Volume by Botnet

  • Aisuru: 200,000+ attack commands
  • JackSkid: 90,000+ attacks
  • Kimwolf: 25,000+ attack commands
  • Mossad: ~1,000 DDoS attacks

Global Coordination, Not Just U.S. Action

The DOJ disruption coincided with law enforcement actions in Canada and Germany. The statement doesn’t detail what those actions were — arrests, server seizures, or surveillance warrants — but the coordination signals a shift. These botnets operated across borders, hosted in some cases on bulletproof servers in jurisdictions that historically resisted takedown requests. This time, the net closed from multiple directions.

Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office said:

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks.”

Anchorage? Yes. The FBI’s field office in Alaska may seem like an odd hub for a global cyber operation. But Anchorage hosts key internet exchange points and undersea cable terminations. It’s a strategic network node — and a reminder that cybercrime investigations follow infrastructure, not geography.

The case is being led by DCIS, not the FBI’s main cyber division. That’s notable. The DoD’s own investigative arm took point because these botnets were used to attack DoD-owned IP addresses. This wasn’t just a general public threat — it was a direct assault on military networks. That changes the legal and operational calculus.

Behind the Scenes: Who Helped Break the Case?

The DOJ credits nearly two dozen technology companies with assisting in the operation. It doesn’t name them, but given the nature of the attack, we can guess. Cloud providers likely handed over logs. Network security firms probably contributed telemetry. DNS operators may have helped track command-and-control domains. CDNs could have identified attack patterns.

This kind of collaboration used to be spotty. Now it’s expected. But the fact that the DOJ felt the need to highlight it suggests the operation leaned heavily on private-sector intelligence. These companies see the attacks in real time. They often know what’s happening before law enforcement does.

The Bigger Picture: Why This Takedown Matters Now

The timing of this disruption is no accident. In early 2026, DDoS attacks reached new peaks in size and complexity. Cloudflare reported mitigating a 71 million requests-per-second (rps) attack in February — a record at the time. Google Cloud’s Project Shield recorded a 46 million rps assault in March. These numbers aren’t just abstract. They reflect a surge in attack capacity fueled by botnets like Aisuru and Kimwolf, capable of generating traffic at a scale that can overwhelm even well-resourced networks.

What makes this moment urgent is the convergence of three trends. First, the IoT device count has exploded. Statista estimates there are now over 18 billion active IoT endpoints globally, with more than 60% lacking basic security controls. Second, DDoS-for-hire services have become cheaper and more accessible. Underground forums offer attacks starting at $15 per hour, with bundles that include spoofed traffic from real devices — often sourced from botnets like JackSkid. Third, attackers are shifting from mass disruption to targeted disruption. Universities, hospitals, and financial institutions are increasingly being hit during critical operations, such as registration periods or trading hours, to maximize pressure for ransom payments.

This takedown wasn’t just about cleaning up old threats. It was a preemptive strike against an infrastructure that was being used to train the next generation of attack tools. Forensic analysis of seized servers revealed test scripts for HTTP/3 flood attacks and encrypted DNS amplification — techniques that could bypass traditional mitigation systems. The longer these botnets operated, the more they refined their methods. Stopping them now may have delayed the arrival of even more dangerous hybrid attacks.

Industry Response and the Limits of Patching

Since the Synthient vulnerability disclosure in January 2026, several major manufacturers have released firmware updates. TP-Link, for example, issued patches for over 40 router models by mid-January. D-Link followed with updates for its DIR series, and Axis Communications rolled out fixes for certain IP camera lines. But the reality is patch adoption remains staggeringly low. According to F-Secure’s Q1 2026 IoT Threat Report, fewer than 35% of affected devices received updates within the first 60 days. Many small businesses and home users either don’t know how to update firmware or ignore notifications altogether.

The problem extends beyond consumer gear. Industrial IoT (IIoT) devices — like those from Siemens, Honeywell, and ABB — often run on proprietary operating systems with update cycles measured in years, not months. Some models lack remote update capabilities entirely. In a 2025 audit, the Department of Homeland Security found that 41% of IIoT devices in water treatment facilities were running firmware more than two years out of date. That’s a goldmine for botnet operators.

Some companies are trying to close the gap. Cisco’s Secure Device Onboard (SDO) now includes zero-touch provisioning with embedded certificates, reducing reliance on default passwords. Amazon’s AWS IoT Core offers automated over-the-air (OTA) updates with rollback capabilities. But these solutions are largely limited to new deployments. The vast installed base of older devices remains a liability. The Kimwolf exploit proves that even a single unpatched device on a segmented network can become the entry point for a full-scale breach. Network segmentation alone is no longer enough.

The financial cost of inaction is rising. A 2026 report from the Ponemon Institute found that the average cost of a DDoS incident for mid-sized businesses reached $2.3 million — up from $1.7 million in 2024. That includes downtime, mitigation services, legal fees, and customer compensation. For some, the damage is irreversible. In March 2026, a New Jersey-based SaaS startup shut down after a week-long series of attacks crippled its platform and drove away key clients. The attackers? Likely JackSkid affiliates.

What This Means For You

If you’re responsible for network infrastructure — whether it’s a startup’s cloud setup or an enterprise IT department — the Kimwolf vulnerability should already be on your patch list. Devices that were once considered “internal and safe” are now front-line targets. Default credentials, outdated firmware, and unsegmented networks are no longer just sloppy. They’re liabilities that can be weaponized from the inside.

For developers building IoT devices, this is another wake-up call. Secure boot, automatic updates, and strong default authentication aren’t optional. They’re table stakes. If your device can’t be patched remotely or resets to factory settings on reboot, you’re contributing to the next botnet. And regulators are watching. The last thing you need is to be named in a DOJ press release as the enabler of a DDoS machine.

So the botnets are down. But the devices? Still vulnerable. The techniques? Already copied. The threat actors? Likely retooling.

What happens when the next Kimwolf doesn’t just exploit a flaw — but learns to hide from detection while it spreads?

Sources: Krebs on Security, original report

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.
