US Dismantles Massive Aisuru & Kimwolf Botnets Behind Record DDoS Attacks

US Dismantles Massive Aisuru & Kimwolf Botnets Behind Record DDoS Attacks

March 20, 2026 Sarah Wu - Tech Editor Tech and Science

United States law enforcement agencies have dismantled four significant botnets – Aisuru, Kimwolf, JackSkid, and Mossad – used to launch some of the largest distributed denial-of-service (DDoS) attacks ever recorded. The takedown, announced Thursday by the Department of Justice and involving collaboration with Canadian and German authorities, removes the command-and-control servers that allowed attackers to hijack and control over three million devices globally. These compromised devices, ranging from everyday home routers and webcams to smart TVs and Android-based set-top boxes, were leveraged to overwhelm targeted websites and internet services with malicious traffic, effectively knocking them offline.

The Scale of the Attacks

The Aisuru and Kimwolf botnets, in particular, have gained notoriety for their sheer scale and disruptive power. According to DDoS defense firm Cloudflare, the two botnets, operating in tandem last November, unleashed a cyberattack reaching over 30 terabits of data per second – nearly three times larger than the previously recorded peak. To place that volume into perspective, Cloudflare analysts likened it to “the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second.” These attacks weren’t limited to abstract targets. gaming services like Minecraft and cybersecurity journalist Brian Krebs, known for his in-depth reporting on the botnet underground, were both repeatedly targeted by Aisuru. Krebs himself came under sustained attack last year.

How IoT Botnets Operate

DDoS attacks, at their core, rely on overwhelming a target with traffic from multiple sources. Botnets amplify this effect by harnessing the collective power of numerous compromised devices – the “bots” – to flood a target simultaneously. These aren’t sophisticated, purpose-built hacking tools; rather, attackers exploit vulnerabilities in Internet of Things (IoT) devices, often due to weak default passwords or unpatched software, to gain control. Once compromised, these devices become unwitting participants in the attack, sending requests to the target without the owner’s knowledge. The Aisuru botnet, for example, infected a diverse range of devices including DVRs, network appliances, and webcams, while Kimwolf specifically targeted Android devices.

The botnet operators don’t necessarily launch all the attacks themselves. They frequently rent out access to their networks – a practice known as “booter” or “stresser” services – to other malicious actors willing to pay for the disruptive capabilities. This creates a marketplace for DDoS attacks, lowering the barrier to entry for those seeking to disrupt online services.

A Legacy of Mirai

The four botnets dismantled in this operation aren’t entirely novel creations. They are all variants of Mirai, a notorious IoT botnet that first emerged in 2016. Mirai gained infamy for its record-breaking attacks and its role in a massive outage that took down over 175,000 websites by targeting the domain-name service provider Dyn. The original Mirai code has since served as a foundation for a decade of subsequent IoT botnets, demonstrating the enduring threat posed by insecure devices.

Impact and Response

The disruption caused by these botnets extends beyond mere inconvenience. Victims have reported significant financial losses and remediation expenses, with some facing tens of thousands of dollars in costs. The attacks can cripple critical infrastructure, overwhelm cloud-based DDoS protection systems, and even disrupt internet connectivity for entire nations. The Justice Department’s action, executed in collaboration with the Defense Criminal Investigative Service (DCIS), targeted U.S.-registered domains and servers used to control the botnets. Seizure warrants were executed, aiming to prevent further infection of devices and limit the botnets’ ability to launch future attacks.

While no arrests have been announced immediately, the US government is working with authorities in Canada and Germany to pursue those responsible for operating the botnets. US attorney Michael J. Heyman stated, “The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live.”

What Comes Next: Securing the IoT Ecosystem

The takedown of these botnets represents a significant step in combating DDoS threats, but it’s not a permanent solution. The underlying problem – the proliferation of insecure IoT devices – remains. Addressing this requires a multi-faceted approach. Manufacturers need to prioritize security in the design and development of IoT devices, implementing strong default passwords, providing regular software updates, and incorporating security features like secure boot. Consumers also have a role to play, by changing default passwords, keeping their devices updated, and being mindful of the security implications of connecting devices to the internet.

The Department of Justice’s investigation is ongoing, and further legal action is expected. Technology companies, including Cloudflare, continue to develop and refine DDoS mitigation techniques to protect their customers. The incident underscores the need for continued vigilance and collaboration between law enforcement, the cybersecurity industry, and device manufacturers to address the evolving threat landscape of IoT botnets. Further details on the operation are available from the Department of Justice.

, , , , , ,