Full Report
Authorities from the United States, Germany, and Canada have taken down Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets to infect Internet of Things (IoT) devices. [...]
Analysis Summary
# Incident Report: International Joint Action Against Major IoT DDoS Botnets
## Executive Summary
In March 2026, an international law enforcement coalition involving the U.S., Germany, and Canada dismantled the Command and Control (C2) infrastructure of four major botnets: Aisuru, KimWolf, JackSkid, and Mossad. Together these botnets ensnared over three million IoT devices and launched record-breaking Distributed Denial of Service (DDoS) attacks that peaked at 31.4 Tbps. Seizing the C2 servers and domains cut the operators off from their infected devices and halted a "DDoS-as-a-Service" business used for extortion and infrastructure sabotage.
## Incident Details
- **Discovery Date:** Ongoing monitoring; major peaks noted November – December 2025
- **Incident Date:** Takedown confirmed March 20, 2026
- **Affected Organization:** Department of Defense Information Network (DoDIN), Telecommunications sector, ISPs, and various global enterprises.
- **Sector:** Technology, Government, Telecommunications
- **Geography:** Global (Infrastructure seized in US, Germany, and Canada; 3 million+ devices worldwide)
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2025 (Ongoing infection cycles)
- **Vector:** Exploitation of internet-exposed, vulnerable IoT devices.
- **Details:** The botnets targeted web cameras, DVRs, and WiFi routers, typically logging in with factory-default credentials or exploiting unpatched vulnerabilities to gain a foothold.
### Lateral Movement
- **Details:** Each infected device scanned the internet for further vulnerable IoT devices and infected them automatically, growing the combined pool to over 3 million devices.
### Data Exfiltration/Impact
- **Impact:** Record-breaking DDoS attacks.
- **November 2025:** 15.72 Tbps attack originating from 500,000 source IP addresses.
- **December 2025:** Record-breaking 31.4 Tbps attack (200 million requests per second).
- **Extortion:** Botnet operators demanded payments from victims to cease attacks.
### Detection & Response
- **Detection:** Monitoring by Microsoft, Akamai, and US government agencies following attacks on the DoDIN and Azure infrastructure.
- **Response Actions:** Joint law enforcement seizure of virtual servers, C2 domains, and infrastructure across three countries.
## Attack Methodology
- **Initial Access:** Exploitation of IoT vulnerabilities and weak/default credentials.
- **Persistence:** Firmware-based or memory-resident infection on IoT devices. A memory-resident bot is lost on reboot, but an exposed device with default credentials or unpatched firmware is typically reinfected by the next scan, so a reboot alone is not remediation.
- **Defense Evasion:** Use of massive distributed source pools (up to 500,000 IP addresses per attack) so that per-IP rate limiting and IP-based blocklisting are ineffective: each source contributes only a small share of the flood.
- **Discovery:** Automated port scanning and vulnerability probing of consumer and enterprise IoT hardware.
- **Impact:** Service degradation, total network outages, and extortion. Attacks reached 31.4 Tbps, capable of overwhelming high-capacity cloud mitigation.
## Impact Assessment
- **Financial:** Tens of thousands of dollars per victim in remediation costs; unknown total in extortion payments.
- **Data Breach:** None reported; primary impact was availability (Denial of Service).
- **Operational:** Massive disruption to ISPs and telecommunications providers; targeting of US Department of Defense networks.
- **Reputational:** The botnets were rented out as "cybercrime-as-a-service," lowering the barrier to entry for attackers with no infrastructure or technical capability of their own.
## Indicators of Compromise
- **Network Indicators:**
  - High-volume outbound traffic from IoT devices (UDP, TCP SYN, and HTTP request floods).
  - Communication with the now-seized C2 domains and servers; a device still attempting to check in after the takedown is still infected.
- **Behavioral Indicators:**
  - IoT devices opening outbound connections to TCP ports 23 (Telnet), 22 (SSH), or 80/443 (HTTP/S) across many distinct destinations in a short period, consistent with scanning for new victims.
  - Sudden outbound bandwidth spikes from consumer gear (DVRs, cameras, routers) that normally sends little traffic.
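The two behavioral indicators above can be checked against flow records (NetFlow/IPFIX exports, or per-connection logs from a home or branch gateway). The following is an added example, not part of the original report or of any vendor tooling: it flags a source that contacts many distinct destinations on the scanning ports within one minute, and a source whose sustained egress volume looks like participation in a volumetric flood. The record format, the thresholds, and the sample flows are constructed assumptions for illustration.

```python
"""Flag Mirai-style IoT bot behaviour in flow records: outbound Telnet/SSH/HTTP
sweeps across many destinations (victim scanning) and sustained high-volume
egress from a single device (participation in a volumetric flood).

Added example; the record format and thresholds are assumptions, not taken
from the botnets described in the report or from any named vendor.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports the indicators call out; a bot hunting for new victims hits these
# across hundreds of unrelated destinations in a short time.
SCAN_PORTS = {22, 23, 80, 443}
WINDOW_SECONDS = 60
# Tuning assumptions for a home/branch network: a DVR or camera has no business
# opening connections to 50 distinct hosts a minute, nor pushing ~40 Mbit/s
# outbound for a whole minute.
SCAN_DISTINCT_DST_THRESHOLD = 50
FLOOD_BYTES_PER_SEC = 5_000_000


@dataclass(frozen=True)
class Flow:
    ts: float      # epoch seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    nbytes: int    # bytes sent src -> dst


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport), int(nbytes))


def detect_scanners(flows, threshold=SCAN_DISTINCT_DST_THRESHOLD, window=WINDOW_SECONDS):
    """Sources contacting >= threshold distinct destinations on SCAN_PORTS in one window.

    Uses tumbling windows (ts // window), so a burst straddling a boundary is
    split; a sliding window would catch that case at the cost of more state.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport in SCAN_PORTS:
            targets[(f.src, int(f.ts // window))].add(f.dst)
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= threshold})


def detect_flooders(flows, bytes_per_sec=FLOOD_BYTES_PER_SEC, window=WINDOW_SECONDS):
    """Sources whose total egress in any window averages >= bytes_per_sec."""
    volume = defaultdict(int)
    for f in flows:
        volume[(f.src, int(f.ts // window))] += f.nbytes
    return sorted({src for (src, _), total in volume.items()
                   if total / window >= bytes_per_sec})


def sample_flows():
    """Constructed sample: one scanning DVR, one flooding camera, one normal laptop."""
    lines = []
    base = 1_700_000_040  # aligned to a 60 s boundary so each burst sits in one bucket
    # DVR sweeping Telnet across 60 distinct internet hosts in 30 seconds.
    for i in range(60):
        lines.append(f"{base + i * 0.5} 192.168.50.23 203.0.113.{i + 1} tcp 23 60")
    # Camera blasting UDP at one target: 5,000 packets of 1,400 bytes every second.
    for i in range(60):
        lines.append(f"{base + i} 192.168.50.41 198.51.100.7 udp 53 {5000 * 1400}")
    # Laptop browsing: a handful of HTTPS destinations, modest volume.
    for i in range(5):
        lines.append(f"{base + i * 10} 192.168.1.10 192.0.2.{i + 1} tcp 443 20000")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    flows = sample_flows()
    print("scanners:", detect_scanners(flows))   # ['192.168.50.23']
    print("flooders:", detect_flooders(flows))   # ['192.168.50.41']
```

Both detectors key on behaviour rather than on a blocklist, which is the point of the indicators above: the C2 domains are now seized, and an attack sourced from 500,000 addresses defeats per-IP reputation, but a camera that suddenly talks to 60 strangers on port 23 is anomalous no matter which botnet recruited it. Tune the thresholds to the segment: a server VLAN will need far higher volume limits than an IoT VLAN.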
## Response Actions
- **Containment:** Seizure of C2 domains and servers to orphan the infected bots from their operators.
- **Eradication:** Cutting the C2 channels prevents the operators from issuing new attack commands. It does not clean the devices: they remain infected until rebooted or reflashed, and remain exploitable while exposed with default credentials or unpatched firmware.
- **Recovery:** Ongoing efforts by ISPs to identify and notify customers with compromised home devices.
## Lessons Learned
- **IoT Vulnerability:** The sheer scale (3 million devices) highlights the persistent lack of security in consumer IoT hardware.
- **Collaboration is Key:** Private-sector intelligence (Microsoft/Akamai) combined with international law enforcement was necessary to address cross-border infrastructure.
- **Mitigation Limits:** DDoS attacks have reached a scale (31+ Tbps) where even sophisticated cloud-based mitigation services can be overwhelmed without infrastructure-level intervention.
## Recommendations
- **Device Hardening:** Change default passwords on all IoT devices, disable unused services (UPnP, Telnet, SSH), and do not expose device management interfaces directly to the internet.
- **Network Segmentation:** Place IoT devices on an isolated VLAN or "guest" network with egress filtering, so a compromised device can neither reach internal hosts nor scan the internet on Telnet/SSH.
- **Firmware Management:** Apply IoT firmware updates promptly to close the known vulnerabilities Aisuru and similar botnets exploit, and replace devices the vendor no longer patches.
- **DDoS Protection:** Deploy always-on DDoS mitigation and confirm upstream ISP-level scrubbing capacity for volumetric attacks, since a 31 Tbps flood exceeds what any on-premises appliance can absorb.