DoJ Disrupts Record 31.4 Tbps IoT Botnets Behind Global DDoS Attacks
What the Justice Department Said
The U.S. Department of Justice said Thursday that it disrupted command-and-control infrastructure used by four major Internet of Things botnets known as AISURU, Kimwolf, JackSkid, and Mossad.
The action was carried out under a court-authorized law enforcement operation, with help from authorities in Canada and Germany, and support from companies including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
The Justice Department said the four botnets launched distributed denial-of-service attacks against victims around the world. Some of those attacks, the department said, measured about 30 terabits per second and were record-breaking.
This is not a small cleanup. The DoJ said the botnets had infected at least 3 million devices worldwide. Those devices included digital video recorders, web cameras, Wi-Fi routers, and other connected gadgets. Hundreds of thousands of the infected devices were in the United States, according to the department.
How the Botnets Worked
One of the biggest concerns is scale. Cloudflare said last month that AISURU and Kimwolf were behind a 31.4 Tbps attack in November 2025 that lasted just 35 seconds. Cloudflare also said the botnet had earlier produced hyper-volumetric attacks averaging 3 billion packets per second, 4 Tbps, and 54 million requests per second.
In plain terms, that means a flood of traffic so large it can overwhelm even high-capacity defenses.
Akamai described the attacks in similar terms. The company said the hyper-volumetric botnets generated traffic above 30 Tbps, 14 billion packets per second, and 300 million requests per second.
Akamai said cybercriminals used the botnets to launch hundreds of thousands of attacks and, in some cases, demand extortion payments from victims.
Tom Scholl, vice president and distinguished engineer at AWS, said in a LinkedIn post that Kimwolf marked a major shift in botnet behavior. He said it did not rely only on scanning the open internet for weak devices.
Instead, Scholl said, it used residential proxy networks. He wrote that by slipping into home networks through compromised streaming TV boxes and other IoT devices, the botnet gained access to local networks that are usually protected by home routers.
The Justice Department said the operators treated the infected devices like a criminal service. It said Kimwolf and JackSkid targeted devices that are often considered protected, then sold access to the compromised machines to other cybercriminals.
Court documents cited by the department say the four Mirai variants issued hundreds of thousands of DDoS attack commands, including more than 200,000 for AISURU, more than 25,000 for Kimwolf, more than 90,000 for JackSkid, and more than 1,000 for Mossad.
What Researchers and Officials Said
Independent security journalist Brian Krebs reported that he traced the administrator of Kimwolf to a 23-year-old man in Ottawa, Canada, identified as Jacob Butler, also known as Dort. Krebs said Butler denied still using that persona and claimed someone else was impersonating him after compromising his old account.
Krebs also said another prime suspect is a 15-year-old in Germany. No arrests have been announced.
The takedown matters because these botnets were not only big. They were also aggressive. Akamai said the attacks could cripple core internet infrastructure, cause major service degradation for internet service providers and their customers, and even overwhelm cloud-based mitigation services.
Cloudflare compared the traffic volume from the AISURU and Kimwolf attack to the combined populations of the UK, Germany, and Spain all typing a website address and pressing enter at the same time.
U.S. Attorney Michael J. Heyman said, “The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live.”
The botnets were all variants of Mirai, the infamous Internet of Things malware that first appeared in 2016 and later helped power the attack on Dyn that knocked 175,000 websites offline for much of the United States.
Even if this takedown holds, researchers expect more botnets to appear. As Akamai researcher Chad Seaman put it, “The cat and mouse game continues.”