The U.S. Department of Justice announced on Thursday that it has taken down the command‑and‑control infrastructure used by several Internet‑of‑Things (IoT) botnets, including AISURU, Kimwolf, JackSkid and Mossad. The operation was carried out alongside law‑enforcement agencies in Canada and Germany and involved a range of private‑sector partners such as Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B and QiAnXin XLab.
The botnets were linked to a series of distributed denial‑of‑service (DDoS) attacks that targeted victims worldwide. One of the attacks, attributed to the AISURU/Kimwolf network, reached a peak of 314 terabits per second in November 2025 and lasted only 35 seconds. Earlier that year the same network generated multiple high‑volume attacks averaging 3 billion packets per second, 4 Tbps and 54 million requests per second.
Security journalist Brian Krebs identified a 23‑year‑old Canadian, Jacob Butler (also known as Dort), as the administrator of Kimwolf. Butler told Krebs that his former online persona had been compromised and that he now spends most of his time at home caring for his family. A second suspect, a 15‑year‑old residing in Germany, has also been mentioned in investigations, though no arrests have been reported.
According to XLab, which first documented Kimwolf in December 2025, the botnet has recruited more than two million Android devices, primarily off‑brand smart TVs and set‑top boxes. The recent disruption is expected to significantly reduce the capacity of these networks to launch large‑scale attacks.
Authorities emphasized that the coordinated effort demonstrates the importance of cross‑border collaboration in confronting cyber threats that affect critical infrastructure and internet users worldwide.