The U.S., Canada and Germany on Thursday took steps to dismantle four internet of things (IoT) botnets responsible for massive distributed denial-of-service (DDoS) attacks around the world.
As part of the operation, the Defense Department inspector general’s Defense Criminal Investigative Service seized U.S.-registered virtual private servers, web domains and other systems that powered the Aisuru, KimWolf, JackSkid and Mossad IoT botnets, the Justice Department said in a statement.
Cybercriminals used the botnets to infect millions of machines, according to prosecutors, especially IoT devices such as routers and webcams.
“As of March 2026, the number of infected devices hijacked worldwide by the botnet administrators exceeded three million, with hundreds of thousands of infected devices located in the United States,” the DOJ said.
Intense attack activity
The botnets’ operators used infected devices to conduct hundreds of thousands of DDoS attacks that sometimes caused tens of thousands of dollars in losses and recovery costs. Cybercriminals also used the threat of botnet attacks to extort victim organizations.
The Aisuru botnet was the most active, with operators issuing more than 200,000 DDoS attack commands. JackSkid generated more than 90,000 commands, KimWolf more than 25,000 and Mossad more than 1,000.
Aisuru often targets critical infrastructure organizations, including in the telecommunications and financial services sectors. Its activity in the third quarter of 2025 helped set records for DDoS attack volume, according to Cloudflare. In October, Microsoft said it had blocked what would have been a record-breaking Aisuru DDoS attack on its Azure cloud platform.
Going after operators too
In tandem with DCIS’s seizure operation, authorities in Germany and Canada also conducted “law enforcement actions” targeting “individuals who operated these botnets.” Security journalist Brian Krebs has reported that KimWolf’s two lead administrators live in those countries.
In addition to DOJ’s foreign government partners, the department also thanked Akamai, Amazon Web Services, Google and other companies for investigative and operational assistance.