Authorities Disrupt Massive IoT Botnets Behind Global DDoS Attacks
The U.S. Department of Justice has announced a major operation targeting several large botnets responsible for some of the most powerful distributed denial-of-service (DDoS) attacks ever recorded.
The operation focused on disrupting the command-and-control (C2) systems used by botnets such as AISURU, Kimwolf, JackSkid, and Mossad, which have been linked to widespread attacks across the globe.
Law enforcement agencies in Canada and Germany also took part, while major tech companies including AWS, Cloudflare, Google, and others supported the investigation.
Record-Breaking Attack Power
These botnets were capable of launching extremely large-scale attacks, with some reaching 30 terabits per second (Tbps), enough to overwhelm even high-capacity infrastructure.
One notable incident involved a 31.4 Tbps attack that lasted just seconds but demonstrated the sheer power of these networks. Other attacks pushed billions of packets per second and tens of millions of requests at targets in a very short time.
To put it into perspective, the traffic generated by these botnets has been compared to entire countries hitting a website at the same moment.

Millions of Devices Turned Into Attack Tools
Investigations revealed that these botnets infected millions of internet-connected devices, including:
- Smart TVs
- Set-top boxes
- Web cameras
- Wi-Fi routers
- Digital video recorders
Many of these devices were low-cost or poorly secured, making them easy targets for compromise.
In total, more than 3 million devices worldwide are believed to have been hijacked, with a significant number located in the United States.
How the Botnets Operated
Unlike older botnets that scan the internet for vulnerable systems, newer variants like Kimwolf used a more advanced approach.
They exploited weaknesses in residential networks by targeting devices inside homes, often through exposed services like Android Debug Bridge (ADB). This allowed attackers to quietly take control of devices behind routers, which are normally protected from outside access.
Once infected, these devices were controlled remotely and used as part of a larger attack network.
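For device owners, one way to check for the ADB exposure described above is to review a device's Android system properties. The following is an added example, not part of the original article or of any tool it mentions: it parses the output of `getprop`, using constructed sample dumps, and reports whether ADB is configured to listen on the network. It assumes the standard Android properties service.adb.tcp.port, persist.adb.tcp.port, ro.adb.secure and ro.debuggable; the function names are illustrative.

```python
import re

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>.*)\]\s*$")

def parse_getprop(text):
    """Return a dict of Android system properties from `getprop` output."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def adb_tcp_port(props):
    """Return the TCP port adbd is set to listen on, or None if TCP is off."""
    # service.adb.tcp.port is the runtime setting; persist.adb.tcp.port survives reboots.
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        value = props.get(key, "").strip()
        if value.isdigit() and int(value) > 0:
            return int(value)
    return None

def audit_adb(props):
    """Return a list of findings about network ADB exposure for one device."""
    findings = []
    port = adb_tcp_port(props)
    if port is None:
        return findings  # adbd is not configured for TCP, so there is no network listener
    findings.append(f"ADB listens on TCP port {port}")
    if props.get("ro.adb.secure", "0") != "1":
        findings.append("ro.adb.secure is not 1: ADB key authentication may not be enforced")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable=1)")
    return findings

# Constructed sample input, not captured from a real device.
SAMPLE_TV_BOX = """\
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[persist.adb.tcp.port]: [5555]
"""
SAMPLE_PHONE = """\
[ro.adb.secure]: [1]
[service.adb.tcp.port]: [-1]
"""
if __name__ == "__main__":
    for name, dump in (("tv-box", SAMPLE_TV_BOX), ("phone", SAMPLE_PHONE)):
        print(name, audit_adb(parse_getprop(dump)) or "no network ADB exposure")
```

An empty findings list means the device is not set to accept ADB over the network; any finding is a reason to turn off network debugging in the device's developer settings.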

Cybercrime-as-a-Service Model
The operators behind these botnets didn’t just use them for their own attacks. They also rented access to other criminals, turning the operation into a business.
This model allowed attackers to:
- Launch DDoS attacks on demand
- Target specific organizations
- Carry out extortion campaigns
Court records show that these botnets executed hundreds of thousands of attack commands, making them highly active and dangerous.
Growing Threat and Copycat Activity
Security researchers have warned that these botnets are not only powerful but also highly adaptable.
Even as authorities shut down parts of the infrastructure, new botnets are emerging using similar techniques. Some have already started copying the same methods to grow quickly and avoid detection.
Researchers also found that certain vulnerabilities in proxy services allowed attackers to gain access to internal networks, further expanding their reach.

Impact on Businesses and Infrastructure
These types of attacks can cause serious damage, including:
- Website outages
- Disrupted online services
- Financial losses
- Strain on internet infrastructure
In extreme cases, even advanced cloud-based defenses can struggle to absorb traffic at this scale.
Final Take
The takedown of these botnets is a major step forward, but it also highlights a bigger issue. Millions of insecure devices are still connected to the internet, providing attackers with an ongoing opportunity to rebuild similar networks.
As DDoS attacks continue to grow in size and sophistication, both organizations and individuals need to take device security more seriously.
Simple steps like updating firmware, changing default passwords, and disabling unnecessary services can make a big difference.

