Botnets Behind 30Tbps DDoS Attack, Disrupted by DoJ

Botnets linked to Aisuru, Kimwolf, JackSkid and Mossad had infected more than 3 million devices in total, many of them inside home networks, according to the US Justice Department (DoJ).

In a joint operation with Germany and Canada, the DoJ took down infrastructure used by four major botnets that had infected 3 million devices worldwide, including hundreds of thousands in the U.S.

Attack Scenario

One of the botnets alone conscripted more than 2 million Android devices into its network, most of them compromised, off-brand Android TVs. In all, the four botnets are estimated to have infected at least 3 million devices worldwide, such as digital video recorders, web cameras and Wi-Fi routers, of which hundreds of thousands are located in the U.S.

The four botnets launched Distributed Denial of Service (DDoS) attacks against victims around the world. Some of these attacks peaked at approximately 30 terabits per second, a record.

  • The majority of these devices were IoT devices, such as digital video recorders, web cameras and Wi-Fi routers.
  • The Kimwolf and JackSkid botnets are accused of targeting and infecting devices that are traditionally “firewalled” from the rest of the internet.
  • The infected devices were enslaved by the botnet operators, who then used a “cybercrime as a service” model to sell access to the infected devices to other cyber criminals.
  • The operators and their customers forced the victim devices to participate in hundreds of thousands of DDoS attacks against computers and servers located throughout the world.
  • As of March 2026, the number of infected devices hijacked worldwide by the botnet administrators exceeded three million, with hundreds of thousands of them located in the United States.

Vulnerable IoT Infrastructure Under Threat

Together, the four botnets targeted in the operation infected millions of devices worldwide.

The botnets primarily weaponized vulnerable IoT infrastructure, including digital video recorders, web cameras and Wi-Fi routers. The threat actors built an expansive botnet army by exploiting poor default security postures and known vulnerabilities.

According to the DoJ, once a device was compromised it was enslaved into a massive “cybercrime-as-a-service” platform.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. “This operation reflects the strength of that collaboration and our shared commitment to combatting cybercrime and protecting victims worldwide.”

The botnet administrators monetized their illicit infrastructure by leasing access to other threat actors, effectively commoditizing the ability to launch highly disruptive volumetric and application-layer DDoS attacks.

Botnet DDoS Attacks for Financial Gain

Cybercriminals use these botnets to launch hundreds of thousands of attacks, in some cases demanding extortion payments from victims.

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server or network by overwhelming it with a flood of internet traffic. Attackers use many compromised systems, typically a botnet, as the sources of the attack traffic.

Conclusion:

Network operators should monitor all network edges, including customer and large endpoint networks, for both inbound and outbound DDoS traffic.

Organizations should deploy detection, classification and traceback systems, kept active and integrated into both their defenses and their testing.

During a botnet DDoS attack, identifying the compromised devices is essential to mitigation. Intelligent DDoS mitigation systems (IDMSs) and network infrastructure work best when combined with best current practices (BCPs) such as infrastructure ACLs and proactive remediation.
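As an added example of the “identify compromised devices” step (this is not code from the article or from the DoJ release), the following script runs a minimal outbound-DDoS detector over flow records, the way a network operator watching a customer or edge network for bot participants might. The flow fields, the LAN range, the thresholds and the three sample hosts are assumptions constructed for illustration; real flow telemetry and thresholds should be tuned to the network being monitored.

```python
"""Flag LAN hosts whose outbound traffic looks like DDoS participation.

Added example, not part of the article or the DoJ release. Flow format,
thresholds and sample data are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float        # start time, seconds
    src: str
    dst: str
    dport: int
    proto: str       # "TCP" or "UDP"
    flags: str       # TCP flags, e.g. "S" (SYN only) or "PA"; "-" for UDP
    packets: int
    bytes: int


LAN = ipaddress.ip_network("192.168.0.0/16")   # assumed monitored range


def detect_outbound_ddos(flows, lan=LAN, window=60.0, min_fanout=50,
                         min_pps=1000, max_avg_bytes=100):
    """Return {src_ip: [reasons]} for LAN hosts that match an outbound DDoS pattern.

    Three heuristics are evaluated over a sliding time window per source host:
      fan-out            : many distinct external destinations (reflection/amplification bots)
      small-packet flood : high packet rate with a tiny average packet size
      syn flood          : high packet rate where almost all packets are SYN-only TCP
    """
    per_src = defaultdict(list)
    for f in flows:
        # Only LAN -> external traffic matters for spotting bots inside the edge.
        if ipaddress.ip_address(f.src) in lan and ipaddress.ip_address(f.dst) not in lan:
            per_src[f.src].append(f)

    findings = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        reasons = set()
        start = 0
        for end in range(len(fl)):
            # Advance the window start so that fl[start:end+1] spans at most `window` seconds.
            while fl[end].ts - fl[start].ts > window:
                start += 1
            win = fl[start:end + 1]          # re-sliced each step; fine for an example
            pkts = sum(f.packets for f in win)
            if pkts == 0:
                continue
            nbytes = sum(f.bytes for f in win)
            syn_only = sum(f.packets for f in win if f.proto == "TCP" and f.flags == "S")
            pps = pkts / window
            if len({f.dst for f in win}) >= min_fanout:
                reasons.add("fan-out")
            if pps >= min_pps and nbytes / pkts <= max_avg_bytes:
                reasons.add("small-packet flood")
            if pps >= min_pps and syn_only / pkts >= 0.9:
                reasons.add("syn flood")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


def constructed_sample():
    """Constructed flows (not real telemetry): one benign host and two bot-like hosts."""
    flows = []
    # Benign host: a few HTTPS sessions with normal-sized packets over ~50 seconds.
    for i in range(5):
        flows.append(Flow(1000 + i * 10, "192.168.1.10", f"203.0.113.{20 + i % 3}",
                          443, "TCP", "PA", 40, 30000))
    # UDP flood participant: tiny packets to 60 distinct targets within 6 seconds.
    for i in range(60):
        flows.append(Flow(1000 + i * 0.1, "192.168.1.50", f"198.51.100.{i + 1}",
                          53, "UDP", "-", 2000, 2000 * 64))
    # SYN flood participant: SYN-only flows hammering a single target.
    for i in range(20):
        flows.append(Flow(1000 + i * 0.5, "192.168.1.77", "203.0.113.10",
                          443, "TCP", "S", 5000, 5000 * 40))
    return flows


if __name__ == "__main__":
    for host, why in detect_outbound_ddos(constructed_sample()).items():
        print(f"{host}: {', '.join(why)}")
```

Flagged hosts are candidates for the proactive remediation the BCPs call for: quarantine via an infrastructure ACL, then investigate the device (an off-brand Android TV, DVR or router in this case) rather than just dropping its traffic. Tune `min_fanout`, `min_pps` and `max_avg_bytes` per network; a busy DNS resolver or a CDN node will legitimately exceed the fan-out threshold, so the output is a triage list, not a verdict.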

Source: District of Alaska | Authorities disrupt world’s largest IoT DDoS botnets responsible for record breaking attacks targeting victims worldwide | United States Department of Justice
