{"id":330,"date":"2026-03-20T06:47:54","date_gmt":"2026-03-20T06:47:54","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=330"},"modified":"2026-03-20T06:47:54","modified_gmt":"2026-03-20T06:47:54","slug":"doj-disrupts-3-million-device-iot-botnets-behind-record-31-4-tbps-global-ddos-attacks","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=330","title":{"rendered":"DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Mar 20, 2026<\/span><\/span>Botnet \/ Network Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

The U.S. Department of Justice (DoJ) on Thursday announced the disruption of command-and-control (C2) infrastructure used by several Internet of Things (IoT) botnets like AISURU, Kimwolf, JackSkid<\/a>, and Mossad as part of a court-authorized law enforcement operation.<\/p>\n

The effort also saw authorities from Canada and Germany targeting the operators behind these botnets, with a number of private sector firms, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab assisting in the investigation efforts.<\/p>\n

\u00abThe four botnets launched distributed denial-of-service (DDoS) attacks targeting victims around the world,\u00bb the DoJ said<\/a>. \u00abSome of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.\u00bb<\/p>\n

In a report last month, Cloudflare attributed AISURU\/Kimwolf to a massive 31.4 Tbps DDoS attack that occurred in November 2025 and lasted only 35 seconds. Towards the end of last year, the botnet is also assessed to have engaged in hyper-volumetric DDoS attacks that had an average size of 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps).<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Independent security journalist Brian Krebs also traced<\/a> the administrator of Kimwolf to a 23-year-old Jacob Butler (aka Dort) from Ottawa, Canada. Butler told Krebs he has not used the Dort persona since 2021 and claimed someone is impersonating him after compromising his old account.<\/p>\n

<\/p>\n

Butler also said, \u00abhe mostly stays home and helps his mom around the house because he struggles with autism and social interaction.\u00bb According to Krebs<\/a>, the other prime suspect is a 15-year-old residing in Germany. No arrests have been announced.<\/p>\n

The botnet has conscripted more than 2 million Android devices into its network, most of which are compromised, off-brand Android TVs. In all, the four botnets are estimated to have infected no less than 3 million devices worldwide, such as digital video recorders, web cameras, or Wi-Fi routers, of which hundreds of thousands are located in the U.S.<\/p>\n

\u00abThe Kimwolf and JackSkid botnets are accused of targeting and infecting devices which are traditionally ‘firewalled’ from the rest of the internet. The infected devices were enslaved by the botnet operators,\u00bb the DoJ said. \u00abThe operators then used a ‘cybercrime as a service’ model to sell access to the infected devices to other cyber criminals.\u00bb<\/p>\n

These infected devices were then used to conduct DDoS attacks against targets of interest across the world. Court documents allege that the four Mirai botnet variants have issued hundreds of thousands of DDoS attack commands –<\/p>\n