Robotics & IoT

How Law Enforcement Dismantled Four Major IoT Botnets Behind Record DDoS Attacks

Posted by u/Merekku · 2026-05-02 18:55:51

Introduction

In a coordinated international effort, the U.S. Justice Department, together with authorities in Canada and Germany, successfully disrupted the infrastructure behind four highly destructive IoT botnets—Aisuru, Kimwolf, JackSkid, and Mossad. These botnets compromised over three million Internet of Things (IoT) devices, including routers and web cameras, and were responsible for a series of record-breaking distributed denial-of-service (DDoS) attacks. This guide explains the step-by-step process used by law enforcement and their partners to take down these botnets and prevent further harm.

How Law Enforcement Dismantled Four Major IoT Botnets Behind Record DDoS Attacks
Source: krebsonsecurity.com

What You Need

An operation of this kind depends on the following:

  • Legal authority: Court-approved seizure warrants targeting domains, virtual servers, and other infrastructure.
  • International cooperation: Agreements and communication channels with foreign law enforcement agencies (e.g., Canada, Germany).
  • Technical expertise: Knowledge of IoT botnet architecture, DDoS attack patterns, and vulnerability disclosure processes.
  • Forensic tools: Software for tracing command-and-control servers, analyzing malware variants, and identifying victim devices.
  • Private sector partnerships: Collaboration with technology companies (nearly two dozen assisted in this case) for data sharing and takedown support.
  • Cybersecurity researchers: Experts who can discover and publicly disclose vulnerabilities the botnets exploit (e.g., Synthient).

Step-by-Step Guide to Disrupt IoT Botnets

Step 1: Identify and Map Botnet Infrastructure

Begin by monitoring global DDoS attack trends and correlating them with known botnet signatures. In this operation, authorities identified four distinct botnets: Aisuru (oldest, issued over 200,000 attack commands), Kimwolf (a variant of Aisuru with novel spreading mechanisms), JackSkid (over 90,000 attacks), and Mossad (roughly 1,000 attacks). Use network analysis and threat intelligence to map command-and-control servers, domain names, and virtual servers. Pay special attention to botnets targeting internal networks behind home routers—Kimwolf and JackSkid both did this.

Step 2: Establish International Law Enforcement Collaboration

Coordinate with partner agencies in affected countries. Here, the FBI Anchorage Field Office, the DoD’s Defense Criminal Investigative Service (DCIS), and authorities in Canada and Germany worked together. Use the existing mutual legal assistance channels between the countries involved and share evidence securely. Ensure each partner has jurisdiction over the infrastructure within its own borders. Hold regular briefings to align seizure timing, since infrastructure seized in one country but left running in another gives the operators time to migrate.

Step 3: Obtain and Execute Seizure Warrants

Work with prosecutors to obtain seizure warrants for the U.S.-registered domains, virtual servers, and associated infrastructure used by the botnets, as the DOJ did here, and coordinate with foreign partners so that assets in Canada and Germany are seized at the same time. The goal is to dismantle the command-and-control layer so the botnets cannot receive new instructions.

Step 4: Disrupt Attack Capabilities

After seizing infrastructure, redirect or shut down the botnets’ communication channels. This prevents the botnets from launching further DDoS attacks and stops the spread of malware to new devices. The DOJ action was designed to “limit or eliminate the ability of the botnets to launch future attacks.” Seizing the command-and-control layer does not disinfect the devices themselves: bots keep polling the seized names, so a sinkhole that answers for those names and logs every callback doubles as a census of still-infected hosts. Monitor that residual activity and confirm that each seized domain resolves only to the sinkhole or is taken offline permanently.

Step 5: Publicly Disclose Exploited Vulnerabilities

Vulnerability disclosure can run ahead of the seizure rather than waiting for it. On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate. Disclosure curtails further spread and lets manufacturers and users patch their devices. In this case the disclosure helped reduce Kimwolf’s spread, though other botnets later copied the methods.


Step 6: Assist Victims and Prevent Re-Infection

Notify victims whose devices were compromised; many suffered tens of thousands of dollars in losses and remediation expenses. Provide guidance on how to reset routers, update firmware, and change default credentials. A reboot or factory reset evicts a bot that lives only in memory, but reinfection follows quickly unless the exploited flaw is patched or the exposed service is closed before the device goes back online. The FBI and DCIS can offer victim support resources. In this operation, the FBI Anchorage Field Office helped coordinate victim outreach through the private sector partners (nearly two dozen companies assisted).
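The sinkholing in Step 4 and the victim outreach in Step 6 share one data source: once seized domains point at a sinkhole, every device still polling them appears in the sinkhole’s logs. The Python below is an added example written for this page, not code from the article, the DOJ, or any of the partner companies; the seized domain names, sinkhole address, takedown timestamp, and log lines are all constructed for illustration, and the log format is assumed. It triages sinkhole logs into a per-source list of hosts still calling back after the cutover, and checks resolver answers to confirm each seized domain resolves only to the sinkhole.

```python
"""Sinkhole log triage for seized botnet domains.

Added example, not code from the Krebs article or the DOJ operation.
Every domain, IP address, timestamp, and log line here is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical seized C2 domains; the real names are not given on the page.
SEIZED_DOMAINS = {"c2-alpha.example", "c2-beta.example"}

# Address the sinkhole answers with (hypothetical, from the documentation range).
SINKHOLE_IPS = {"192.0.2.10"}

# Cutover: the moment the seized names were repointed at the sinkhole (constructed).
TAKEDOWN_AT = datetime(2026, 4, 30, 12, 0, tzinfo=timezone.utc)

# Constructed sinkhole log lines; assumed format:
#   <iso time> <src ip> <dst domain>:<port> <sni or host header>
SAMPLE_LOG = """\
2026-04-30T12:05:11Z 198.51.100.23 c2-alpha.example:443 c2-alpha.example
2026-04-30T12:05:14Z 198.51.100.23 c2-alpha.example:443 c2-alpha.example
2026-04-30T13:40:02Z 203.0.113.9 c2-beta.example:8080 c2-beta.example
2026-04-29T09:00:00Z 203.0.113.77 c2-alpha.example:443 c2-alpha.example
2026-05-01T02:15:30Z 198.51.100.23 c2-beta.example:8080 c2-beta.example
malformed line that the parser must skip
2026-05-01T04:00:00Z 203.0.113.9 unrelated.example:80 unrelated.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<host>\S+)$"
)


def parse_line(line):
    """Parse one log line into a record, or return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "port": int(m["port"]), "host": m["host"]}


def residual_callbacks(log_text, seized=SEIZED_DOMAINS, since=TAKEDOWN_AT):
    """Return {src_ip: {"count", "first", "last", "domains"}} for callbacks to seized
    domains at or after the cutover. Each source is a still-infected device (or the
    NAT gateway in front of it) that belongs on the victim-notification list."""
    victims = defaultdict(lambda: {"count": 0, "first": None, "last": None, "domains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in seized or rec["ts"] < since:
            continue
        v = victims[rec["src"]]
        v["count"] += 1
        v["first"] = rec["ts"] if v["first"] is None else min(v["first"], rec["ts"])
        v["last"] = rec["ts"] if v["last"] is None else max(v["last"], rec["ts"])
        v["domains"].add(rec["dst"])
    return dict(victims)


def unsinkholed(resolved, seized=SEIZED_DOMAINS, sinkhole_ips=SINKHOLE_IPS):
    """Given {domain: answer IPs} from a resolver check, return the seized domains
    that do not resolve exclusively to the sinkhole: wrong answer, extra answer,
    or no answer at all (a name that was dropped instead of sinkholed)."""
    bad = []
    for d in sorted(seized):
        answers = set(resolved.get(d, ()))
        if not answers or not answers <= sinkhole_ips:
            bad.append(d)
    return bad


if __name__ == "__main__":
    for ip, v in sorted(residual_callbacks(SAMPLE_LOG).items()):
        print(f"{ip}: {v['count']} callbacks to {sorted(v['domains'])} "
              f"between {v['first']:%Y-%m-%d %H:%M} and {v['last']:%Y-%m-%d %H:%M}")
    # Constructed resolver output: one seized name still carries a non-sinkhole answer.
    resolved = {
        "c2-alpha.example": {"192.0.2.10"},
        "c2-beta.example": {"192.0.2.10", "203.0.113.200"},
    }
    print("not fully sinkholed:", unsinkholed(resolved))
```

Running it lists the two constructed sources that called back after the cutover (the pre-takedown hit and the traffic to a domain outside the seizure list are excluded) and flags the domain whose resolver answers still include a non-sinkhole address. In practice the per-source list is what gets handed to ISPs or national CERTs for notification, keyed by the public address of the NAT gateway rather than by individual device, which is why the count and time span per source matter more than any single hit.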

Step 7: Monitor for Variants and Future Threats

Botnet authors often adapt after a takedown. Since Kimwolf’s disruption, several other IoT botnets have emerged that copy its spreading methods and compete for the same pool of vulnerable devices. Continued monitoring by law enforcement, combined with public awareness campaigns, is essential. The DOJ statement noted that the disruption coincided with actions in Canada and Germany, but the fight against IoT botnets is ongoing.

Tips and Conclusion

Key Takeaways:

  • Proactive vulnerability disclosure saves devices: The timely disclosure by Synthient helped limit Kimwolf’s spread. Encourage responsible disclosure programs.
  • International cooperation is critical: Botnets respect no borders. Build strong relationships with global law enforcement and cybersecurity agencies.
  • Private sector collaboration amplifies impact: Technology companies provided vital data and infrastructure support—nearly two dozen assisted in this operation.
  • Victim remediation is part of the mission: Simply taking down botnets isn’t enough; help individuals and organizations secure their devices to prevent re-infection.
  • Stay vigilant: Even after a successful disruption, copycat botnets will appear. Maintain monitoring and update defenses regularly.

These steps give law enforcement and defenders a template for future IoT botnet disruptions. The takedown of Aisuru, Kimwolf, JackSkid, and Mossad shows that coordinated action across jurisdictions and with the private sector can cut off the command-and-control behind record DDoS attacks, even though the infected devices themselves still have to be cleaned up one by one.