In a massive display of international cooperation, the U.S. Justice Department has joined forces with law enforcement in Canada and Germany to dismantle a global network of four predatory IoT botnets. The coordinated strike targeted the Aisuru, KimWolf, JackSkid, and Mossad botnets—a digital armada that had enslaved millions of devices to launch some of the most destructive cyberattacks in history.
The operation, which unfolded simultaneously across three nations, marks a significant victory against the “cybercrime as a service” model that has plagued the internet for years.
At the heart of the conspiracy was a massive fleet of infected Internet of Things (IoT) hardware. According to court documents, the four botnets together infected millions of devices worldwide, ranging from digital video recorders and web cameras to WiFi routers.
By March 2026, the number of hijacked devices exceeded three million, with hundreds of thousands of those victims located right here in the United States. The KimWolf and JackSkid botnets were particularly aggressive, accused of “targeting and infecting devices which are traditionally ‘firewalled’ from the rest of the internet.” Once infected, these devices were “enslaved by the botnet operators” and forced to participate in a relentless barrage of attacks.
The scale of the devastation caused by this network is unprecedented. The botnets were used to launch hundreds of thousands of Distributed Denial of Service (DDoS) attacks, some of which “measured approximately 30 Terabits per second, which were record-breaking attacks.”
These weren’t just technical benchmarks; they caused real-world financial ruin. Victims reported tens of thousands of dollars in losses and remediation expenses, while some cybercriminals used the botnets to demand extortion payments.
The Breakdown of the “Attack Playbook”:
- Aisuru: Issued more than 200,000 DDoS attack commands.
- JackSkid: Launched more than 90,000 DDoS attack commands.
- KimWolf: Issued more than 25,000 DDoS attack commands.
- Mossad: Launched more than 1,000 DDoS attack commands.
The disruption involved the seizure of multiple U.S.-registered internet domains and virtual servers, including infrastructure used to attack the Department of Defense Information Network (DoDIN).
In Germany, the Bundeskriminalamt (BKA) and the Public Prosecutor’s Office in Cologne led the charge, while Canada’s Royal Canadian Mounted Police (RCMP) and provincial partners targeted the individuals operating the infrastructure.
The DOJ extended its thanks to a long list of tech giants, including Google, Amazon Web Services, Cloudflare, and Okta, for their assistance in the investigation.