SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
US disrupts four IoT botnets in record DDoS attacks

Sun, 22nd Mar 2026

The US Justice Department said it had disrupted four internet of things botnets used in distributed denial-of-service attacks, with support from industry groups including Okta.

According to court documents and officials involved in the case, the operation targeted command-and-control infrastructure linked to Aisuru, KimWolf, JackSkid and Mossad. Authorities in Canada and Germany also took related action against people and infrastructure tied to the botnets.

Investigators said the four botnets had infected millions of devices worldwide, most of them internet-connected products such as digital video recorders, web cameras and WiFi routers. Hundreds of thousands of infected devices were in the US, while victims were targeted around the world.

Some attacks reached roughly 30 terabits per second, which officials described as record-breaking in scale. The disruption also covered infrastructure allegedly used in attacks on internet protocol addresses owned by the Department of Defence Information Network.

Court filings say the operators sold access to infected devices through a cybercrime-as-a-service model. Customers then used those devices to launch attacks against computers and servers, sometimes while demanding extortion payments from victims.

Victims reported tens of thousands of dollars in losses and remediation costs, according to the documents. The filings also allege that Aisuru alone issued more than 200,000 DDoS attack commands, while KimWolf issued more than 25,000, JackSkid more than 90,000 and Mossad more than 1,000.

Industry support

The Justice Department named a broad group of companies and organisations that helped with the investigation and operation. They included Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, Sony Interactive Entertainment, and several cyber threat and internet infrastructure groups.

Okta's inclusion is notable because identity and access management providers are increasingly being drawn into broader cyber investigations as criminal groups rely on distributed infrastructure and compromised online services. The operation also reflects how heavily law enforcement now depends on cloud providers, network operators and security specialists to map and disrupt botnet activity.

The coordinated action aimed to cut communications used by the four botnets, stop further infections and limit their ability to launch new attacks. The case was investigated by the Defence Criminal Investigative Service, with assistance from the FBI Anchorage Field Office.

Officials said KimWolf and JackSkid were accused of targeting devices normally shielded from the wider internet by firewalls. The detail underlines how botnet operators continue to seek out poorly secured or misconfigured devices that can be remotely absorbed into large attack networks.

Global reach

The international aspect of the case highlights the cross-border nature of DDoS operations. While the US action focused on domains, servers and other infrastructure registered in the country, partner agencies in Canada and Germany pursued their own measures against botnet administrators and related systems.

"Today, the United States joined international law enforcement partners in coordinated enforcement actions to disrupt DDoS threats impacting Alaskans and victims around the world," said Michael J. Heyman, U.S. Attorney, District of Alaska.

Another official said the case showed the risks faced by military and civilian networks alike.

"Today's disruption of four powerful botnets highlights our commitment to eliminate emerging cyber threats to the Department of Defence and its warfighters," said Kenneth DeChellis, Special Agent in Charge, Department of Defence Office of Inspector General, Defence Criminal Investigative Service, Cyber Field Office.

The FBI said the action followed joint work with domestic and international partners to identify and disrupt infrastructure used in large-scale DDoS attacks. "By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks," said Day.