The U.S. Department of Justice announced that the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting a multitude of U.S.-registered domains, virtual servers, and other critical infrastructure components that were instrumental in launching DDoS attacks against internet addresses owned by the Department of Defense. This action represents a major blow to cybercriminals who leverage compromised IoT devices for malicious purposes, highlighting the growing threat posed by the proliferation of insecure connected devices.
Government prosecutors allege that the anonymous individuals in control of these four botnets utilized their vast networks of compromised devices, often referred to as "crime machines," to orchestrate hundreds of thousands of DDoS attacks. These attacks were frequently employed as a tactic to extort money from their victims. The financial impact on affected organizations has been substantial, with some reporting tens of thousands of dollars in direct losses and significant remediation expenses to restore their services. The sheer scale of these operations underscores the economic and operational disruption that can be wrought by such sophisticated cyber threats.
The age and scale of the botnets provide a stark illustration of their persistent threat. Aisuru, the oldest of the four, alone issued over 200,000 attack commands, demonstrating its extensive reach and sustained malicious activity. JackSkid was not far behind, launching at least 90,000 attacks, while Kimwolf issued more than 25,000 attack commands. Mossad, though less prolific in terms of sheer command volume, was still blamed for approximately 1,000 significant digital sieges, demonstrating that even smaller botnets can inflict considerable damage.
The Department of Justice (DOJ) explicitly stated that this significant law enforcement action was strategically designed with two primary objectives: to prevent further infection of vulnerable victim devices and to severely limit or entirely eliminate the capability of these botnets to launch future attacks. The investigation, spearheaded by the DCIS, received crucial assistance from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement also acknowledged and credited the invaluable contributions of nearly two dozen technology companies that collaborated and provided essential support throughout this complex operation.
Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office emphasized the collaborative nature of this success, stating, "By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks." This sentiment underscores the critical importance of global cooperation in combating increasingly transnational cybercrime.
The timeline of these botnets paints a picture of rapid evolution and escalating threat. Aisuru first emerged in late 2024, and by mid-2025 it had already begun launching record-breaking DDoS attacks, a testament to how quickly it grew and infected new IoT devices. A significant development occurred in October 2025, when Aisuru was used to seed Kimwolf, an offspring variant. Kimwolf introduced a novel spreading mechanism that allowed it to infect devices that had previously been protected behind the user’s internal network, significantly expanding its attack surface and making it more difficult to detect and mitigate.
On January 2, 2026, the security firm Synthient publicly disclosed the specific vulnerability that Kimwolf was exploiting to propagate so rapidly. This timely disclosure undoubtedly helped to curtail Kimwolf’s spread to some extent. However, the threat landscape proved to be dynamic. Since that disclosure, several other IoT botnets have emerged, effectively mirroring Kimwolf’s propagation methods while competing for the same pool of vulnerable devices. The DOJ confirmed that JackSkid, much like Kimwolf, also actively sought out and compromised systems located within internal networks, indicating a trend towards more sophisticated and stealthy infiltration tactics.
The DOJ confirmed that its coordinated disruption of these four botnets coincided with "law enforcement actions" carried out in Canada and Germany. These international actions were specifically targeted at individuals who are alleged to have operated these botnets. While no further details were immediately available regarding the identities of these suspected operators, the synchronicity of these global efforts highlights a concerted international push to bring cybercriminals to justice.
Further investigative reporting by KrebsOnSecurity has shed additional light on the individuals behind these operations. In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Compounding the complexity of the investigation, multiple sources familiar with the ongoing inquiries informed KrebsOnSecurity that another prime suspect in the Kimwolf operation is believed to be a 15-year-old residing in Germany, underscoring the challenge of targeting younger perpetrators in the cybercrime space. This dual revelation of adult and juvenile involvement highlights the diverse demographics and evolving modus operandi of modern cybercriminals.
The successful disruption of these botnets is a significant victory for cybersecurity, but the ongoing evolution of IoT threats necessitates continuous vigilance and proactive security measures from both individuals and organizations. The vast number of insecure IoT devices remains a critical vulnerability, and the ongoing cat-and-mouse game between law enforcement and cybercriminals is far from over.