Feds Disrupt IoT Botnets After Massive DDoS Attack – Krebs on Security

The US Department of Justice has joined authorities in Canada and Germany in cracking down on the internet infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and webcams. The feds say the four botnets – named Aisuru, Kimwolf, JackSkid and The Mossad – are responsible for a series of recent distributed denial-of-service (DDoS) attacks that can knock almost any target offline.
Photo: Shutterstock, @Elzicon.
The Department of Justice said the Department of Defense’s Office of the Inspector General (DoDIG) Defense Criminal Investigative Service (DCIS) issued seizure warrants targeting multiple US-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against DoD Internet addresses.
The government alleges that the unnamed individuals who run the four botnets have used their criminal machinery to launch hundreds of thousands of DDoS attacks, often demanding payment from victims. Some victims reported tens of thousands of dollars in damages and repair costs.
The oldest of the botnets, Aisuru, issued more than 200,000 attack commands, while JackSkid launched at least 90,000 attacks. Kimwolf issued more than 25,000 attack orders, the government said, and the Mossad is blamed for an estimated 1,000 digital attacks.
The DOJ said the enforcement action is designed to prevent further infections on victims’ machines and to limit or eliminate the botnets’ ability to launch future attacks. The case is being investigated by DCIS with the assistance of the FBI office in Anchorage, Alaska, and the DOJ statement credits nearly two dozen technology companies that assisted in the operation.
“Working with DCIS and our international law enforcement partners, we jointly identified and disrupted the criminal infrastructure used for large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.
Aisuru appeared in late 2024, and in mid-2025 it launched a record-breaking DDoS attack as it quickly infected new IoT devices. In October 2025, Aisuru was used to plant Kimwolf, a variant of Aisuru that introduced a novel distribution method that allowed the botnet to infect devices hidden behind the protection of the user’s internal network.
On January 2, 2026, the security company Synthient disclosed the vulnerability that Kimwolf was using to spread so quickly. That disclosure helped curb Kimwolf’s spread somewhat, but since then other IoT botnets have emerged that successfully copy Kimwolf’s distribution methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks, as Kimwolf did.
The DOJ said its disruption of the four botnets coincided with “law enforcement actions” in Canada and Germany targeting people who allegedly operated the botnets, although no further details were available on the suspects.
In late February, KrebsOnSecurity identified a 22-year-old Canadian man as the mastermind of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity that the other main suspect is a 15-year-old who lives in Germany.



