DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

The US Department of Justice (DoJ) on Thursday announced the disruption of the command-and-control (C2) infrastructure used by several Internet of Things (IoT) botnets, including AISURU, Kimwolf, JackSkid, and Mossad, as part of a court-ordered law enforcement operation.

The effort has also seen authorities in Canada and Germany target the operators behind the botnets, with a number of private companies, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin, assisting in investigative efforts.

“Four botnets launched distributed denial-of-service (DDoS) attacks against victims around the world,” the DoJ said. “One of these attacks measured about 30 Terabits per second, which was a record-breaking attack.”

In a report last month, Cloudflare said AISURU/Kimwolf was responsible for a massive 31.4 Tbps DDoS attack that occurred in November 2025 and lasted only 35 seconds. Late last year, the botnet was also linked to hyper-volumetric DDoS attacks that averaged 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps).

Freelance security reporter Brian Krebs also tracked Kimwolf’s director to 23-year-old Jacob Butler (aka Dort) from Ottawa, Canada. Butler told Krebs he hasn’t used the Dort persona since 2021 and said someone was impersonating him after hacking his old account.

Butler also said “he usually stays at home and helps his mother around the house because he has autism and social issues.” According to Krebs, another prime suspect is a 15-year-old who lives in Germany. No arrests have been announced.

The botnet has enlisted more than 2 million Android devices into its network, most of which are off-brand Android TVs. In total, the four botnets are estimated to have infected no fewer than 3 million devices worldwide, such as digital video recorders, web cameras, and Wi-Fi routers, hundreds of thousands of which are located in the US.

“The Kimwolf and JackSkid bots are suspected of targeting and infecting traditional ‘firearm’ devices from across the Internet. Infected machines were enslaved by botnet operators,” the DoJ said. “Users then use a ‘crime-as-a-service’ model to sell access to infected machines to other cybercriminals.”

These infected devices are then used for DDoS attacks against targets of interest around the world. Court documents allege that four strains of the Mirai botnet issued hundreds of thousands of DDoS attack commands:

  • AISURU – >200,000 DDoS attack commands
  • Kimwolf – >25,000 DDoS attack commands
  • JackSkid – >90,000 DDoS attack commands
  • Mossad – >1,000 DDoS attack commands

“Kimwolf represents a fundamental change in the way botnets operate and scale. Unlike traditional botnets that explore the open Internet on vulnerable devices, Kimwolf used a novel attack vector: residential proxy networks,” Tom Scholl, VP and Distinguished Engineer at AWS, said in a post shared on LinkedIn.

“By entering home networks through compromised devices – including TV set-top boxes and other IoT devices – the botnet gained access to local networks that are normally protected from outside threats by home routers.”

Lumen Black Lotus Labs, in a statement shared with The Hacker News, said it has null-routed nearly 1,000 C2 servers used by AISURU and then Kimwolf. According to data collected by the cybersecurity company, JackSkid averaged more than 150,000 daily victims in the first two weeks of March 2026, hitting 250,000 on March 8. Mossad averaged more than 100,000 daily victims during the same period.

“The problem is, there are so many tools out there that are vulnerable that two things happen – first, Kimwolf has shown incredible resilience,” said Ryan English, a security researcher at Lumen’s Black Lotus Labs. “The second problem was that many of the new botnets started imitating how to use the vulnerability to grow much, much faster.”

Akamai said that hyper-volumetric botnets have produced attacks exceeding 30 Tbps, 14 billion packets per second, and 300 Mrps, adding that cybercriminals have used these botnets to launch hundreds of thousands of attacks and demand extortion payments from victims in some cases.

“These attacks can cripple Internet infrastructure, cause significant service disruptions for ISPs and their downstream customers, and overwhelm cloud-based mitigation services,” the web infrastructure company said.
