Feds disrupt monster IoT botnets behind record-breaking DDoS attacks
Millions of hijacked devices powered traffic floods targeting defense systems and beyond
by Carly Page · The Register

The US government has moved to disrupt a cluster of IoT botnets behind some of the largest DDoS attacks ever recorded, including traffic bursts topping 30 terabits per second.
In a coordinated operation with authorities in Germany and Canada, the Department of Justice said it disrupted the command-and-control infrastructure behind four botnets – Aisuru, KimWolf, JackSkid, and Mossad – that together compromised more than three million internet-connected devices worldwide.
The botnets largely spread across the usual soft underbelly of the internet, including routers, IP cameras, and digital video recorders that are often shipped with weak credentials and rarely patched.
According to the DOJ, the botnets were responsible for hundreds of thousands of DDoS attacks, some of which targeted US Department of Defense systems and other high-value targets. Their scale, however, is what sets them apart. Officials said the networks were capable of generating traffic volumes exceeding 30 Tbps, with one attack peaking at roughly 31.4 Tbps.
Like many modern botnets, these weren't just used for vandalism. Prosecutors said the operators monetized access to the networks by offering DDoS-for-hire services and, in some cases, extorting victims by threatening to sustain attacks unless payments were made. That model – essentially turning compromised consumer electronics into rentable attack infrastructure – has become a staple of the cybercrime economy, lowering the barrier to entry for anyone looking to knock a rival offline.
Aisuru's name will be familiar to anyone tracking large-scale DDoS activity. The botnet has been behind a string of recent high-volume attacks, with Cloudflare previously warning it could fire off multi-terabit traffic floods.
The disruption itself focused on seizing domains and backend systems used to coordinate the botnets, effectively cutting off the instructions that tell infected devices where and when to send traffic. As with similar operations, the devices themselves remain infected, but without functioning command infrastructure, they are far less useful to their operators.
Officials billed the operation as a blow against some of the most powerful botnets, but the usual problem persists. Millions of insecure devices are still online, many running outdated firmware or stuck with default passwords, providing a ready-made recruitment pool for the next wave of botnet builders.
For now, at least, some of the internet's loudest sources of junk traffic have been dialed down – but the conditions that allowed them to thrive haven't gone anywhere. ®