The U.S. Department of Justice, spearheading this multi-national effort, announced that the Department of Defense Office of the Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed crucial seizure warrants. These warrants targeted a multitude of U.S.-registered domains, virtual servers, and other critical components of the botnets’ operational infrastructure. The primary objective of these seizures was to cripple the botnets’ ability to launch further attacks, particularly those directed at Internet addresses owned by the Department of Defense itself, a high-profile target for such malicious activities.

The government’s allegations paint a grim picture of the botnets’ operations. Unnamed individuals, operating behind the veil of anonymity, allegedly commanded these vast networks of compromised devices to unleash hundreds of thousands of DDoS attacks. A common modus operandi involved demanding extortionate payments from victims, threatening to maintain or escalate the attacks unless their demands were met. The financial fallout for these victims was substantial, with some reporting losses and remediation expenses reaching tens of thousands of dollars. The sheer scale and frequency of these attacks underscore the significant economic and operational disruption that well-organized botnets can inflict.

Delving deeper into the individual botnets, the Justice Department revealed a staggering volume of malicious activity. Aisuru, the oldest of the implicated botnets, stands accused of issuing an astonishing total of more than 200,000 attack commands, demonstrating its long-standing presence and persistent threat. JackSkid, another formidable player, was responsible for at least 90,000 attack commands, showcasing its aggressive and widespread deployment. Kimwolf, responsible for a smaller but still significant figure of more than 25,000 attack commands, proved particularly insidious because of its innovative propagation methods. Mossad, credited with a smaller, albeit still impactful, total of approximately 1,000 attacks, was also part of this coordinated disruption.

The overarching objective of this law enforcement action, as articulated by the DOJ, was multifaceted. Primarily, it aimed to prevent further infection of vulnerable victim devices, thereby safeguarding a broader spectrum of the internet ecosystem. Concurrently, the operation sought to significantly limit or entirely eliminate the future capacity of these botnets to launch disruptive attacks. This coordinated effort was spearheaded by the DCIS, with invaluable assistance from the FBI’s field office in Anchorage, Alaska. The DOJ also publicly acknowledged the critical contributions of nearly two dozen technology companies, whose expertise and resources were instrumental in the success of this complex operation.

Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office emphasized the collaborative nature of this success. "By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks," she stated, highlighting the importance of global cooperation in tackling transnational cybercrime.

The emergence and evolution of these botnets offer a glimpse into the rapid advancements in IoT-based cyber threats. Aisuru, for instance, first appeared in late 2024 and by mid-2025 was already responsible for record-breaking DDoS attacks, its rapid infection of new IoT devices fueling its exponential growth. In a disturbing development, in October 2025, Aisuru served as the progenitor for Kimwolf, a variant that introduced a novel spreading mechanism. This innovation allowed Kimwolf to bypass conventional security measures, infecting devices even when they sat behind the protection of a user’s internal network rather than being directly exposed to the internet, a significant escalation in its stealth and reach.

The security community played a crucial role in exposing and mitigating these threats. On January 2, 2026, the security firm Synthient publicly disclosed the specific vulnerability that Kimwolf was exploiting for its rapid propagation. This timely disclosure helped to curtail Kimwolf’s spread, at least to some extent. However, the dynamic nature of cybercrime means that adversaries quickly adapt. Following Kimwolf’s exposure, several other IoT botnets emerged, effectively replicating Kimwolf’s spreading methods while vying for the same pool of vulnerable devices. The DOJ’s announcement confirmed that JackSkid exhibited similar behavior, actively seeking out and compromising systems located on internal networks, mirroring Kimwolf’s aggressive infiltration tactics.

The DOJ’s coordinated disruption of these four botnets was intrinsically linked to parallel law enforcement actions undertaken in Canada and Germany. These international operations targeted individuals who are alleged to be the operators of these botnets. While specific details regarding these suspected operators remain limited due to ongoing investigations, the collaboration underscores the global reach of these criminal enterprises and the corresponding international efforts to bring them to justice.

Further investigation into the identities of the botnet masterminds has yielded some insights. In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a key operator of the Kimwolf botnet. This revelation was corroborated by multiple sources familiar with the investigation, who also indicated that another prime suspect is a 15-year-old residing in Germany. The involvement of a minor in such sophisticated and large-scale cybercriminal activities is a particularly concerning aspect of this case, highlighting the evolving demographics and accessibility of advanced cyber weaponry. The disruption of these botnets marks a significant victory in the ongoing battle against IoT-based cyber threats, but the persistent ingenuity of cybercriminals ensures that vigilance and continuous adaptation remain paramount.