The U.S. Department of Justice announced that the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting crucial U.S.-registered domains, virtual servers, and other critical infrastructure components that facilitated these destructive DDoS attacks. These attacks were not merely acts of digital vandalism; the government alleges that the shadowy figures controlling these botnets leveraged their compromised armies of devices to launch hundreds of thousands of targeted attacks. These malicious campaigns were often accompanied by extortion demands, leaving victims facing substantial financial losses, with some reporting tens of thousands of dollars in damages and costly remediation expenses.
The sheer scale and activity of these botnets are staggering. Aisuru, the oldest of the group, emerged in late 2024 and by mid-2025 was already responsible for record-breaking DDoS attacks, demonstrating a rapid and aggressive infection rate of new IoT devices. This botnet alone issued over 200,000 attack commands. JackSkid, another major player, hurled at least 90,000 attack commands, showcasing its potent offensive capabilities. Kimwolf, which emerged in October 2025 as a variant of Aisuru, introduced a novel and alarming spreading mechanism. This innovation allowed Kimwolf to infect devices that were previously protected behind the user’s internal network, significantly expanding its reach and potential impact. Kimwolf issued more than 25,000 attack commands. Mossad, while less prolific in terms of sheer attack numbers, was still blamed for approximately 1,000 significant digital sieges, demonstrating that even a smaller number of coordinated attacks can have a substantial disruptive effect.
The U.S. Department of Justice emphasized that this law enforcement action was strategically designed with a dual purpose: to prevent further infection of victim devices and to cripple or completely eliminate the botnets’ ability to launch future attacks. This comprehensive approach aims to protect both individual users and critical infrastructure from the persistent threat of DDoS attacks. The investigation was meticulously carried out by the DCIS, with invaluable assistance from the FBI’s field office in Anchorage, Alaska. Furthermore, the DOJ’s statement specifically credited nearly two dozen technology companies for their crucial support and collaboration in making this complex operation a success.
Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office highlighted the effectiveness of inter-agency and international cooperation. "By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks," she stated, underscoring the global nature of cybercrime and the necessity of a united front.
The emergence and evolution of these botnets paint a concerning picture of the evolving threat landscape. Aisuru’s rapid rise and its capacity for record-breaking attacks set a dangerous precedent. The subsequent development of Kimwolf, with its sophisticated internal network propagation, demonstrated a significant leap in botnet capabilities. In a stark reminder of the speed at which threats evolve, the security firm Synthient publicly disclosed the vulnerability Kimwolf was exploiting on January 2, 2026. While this disclosure helped to temporarily curb Kimwolf’s spread, it also revealed the underlying exploit, which was quickly adopted by other emerging IoT botnets. These newer threats effectively mimicked Kimwolf’s advanced spreading methods while fiercely competing for the same pool of vulnerable devices. The DOJ confirmed that JackSkid, much like Kimwolf, actively sought out and compromised systems residing within internal networks, posing a significant risk to businesses and organizations.
The DOJ’s disruption of these four botnets was synchronized with parallel "law enforcement actions" conducted in Canada and Germany. These actions specifically targeted individuals believed to be the operators behind these malicious networks. While details regarding the suspected operators remain scarce, the coordinated international arrests and disruptions signal a strong commitment by global law enforcement to apprehend those responsible for orchestrating these cyberattacks.
In a developing aspect of this investigation, KrebsOnSecurity identified a 22-year-old Canadian man in late February 2026 as a core operator of the Kimwolf botnet. Further information obtained from multiple sources familiar with the investigation suggests that another prime suspect is a 15-year-old residing in Germany, highlighting the concerning involvement of minors in sophisticated cybercriminal activities. This revelation underscores the need for ongoing efforts to combat not only the technical infrastructure of botnets but also the human element behind them, regardless of age or geographical location. The successful disruption of Aisuru, Kimwolf, JackSkid, and Mossad represents a significant victory in the ongoing battle against cyber threats, but the dynamic nature of botnet evolution suggests that vigilance and continued international cooperation will be paramount in safeguarding the digital landscape. The millions of compromised IoT devices serve as a stark reminder of the vulnerabilities inherent in our increasingly connected world and the critical importance of securing these often-overlooked endpoints.

