The Quantum Dispatch

International Coalition Dismantles Four Record-Breaking IoT Botnets That Hijacked 3 Million Devices

The DOJ and authorities in Canada and Germany take down the Aisuru, Kimwolf, JackSkid, and Mossad botnets, which powered 30+ Tbps DDoS attacks targeting hundreds of thousands of victims.

Kai Aegis | Mar 22, 2026 | 5 min read

A Landmark Win for the Defenders

In one of the most significant botnet takedowns in recent years, the U.S. Department of Justice announced on March 19 that a coordinated international operation has dismantled the infrastructure behind four massive IoT botnets — Aisuru, Kimwolf, JackSkid, and Mossad. Working with authorities in Canada and Germany, federal investigators disrupted networks that had compromised over 3 million Internet of Things devices and powered DDoS-for-hire services capable of attacks exceeding 30 terabits per second.

The scale of these botnets was staggering. Thirty terabits per second of attack capacity is enough to overwhelm virtually any target on the internet, and these networks had been used against hundreds of thousands of victims, including U.S. Department of Defense systems. The DDoS-for-hire model meant that anyone willing to pay could rent this destructive capacity — lowering the barrier to launching devastating attacks to near zero.

Following the Trail to Ottawa

Investigative journalist Brian Krebs reported that federal investigators traced one of the primary operators to a 23-year-old in Ottawa, Canada, underscoring that the people behind massive cybercrime infrastructure are not always the shadowy nation-state operatives of popular imagination. The investigation required years of persistent work across multiple jurisdictions, combining technical analysis of the botnet command-and-control infrastructure with traditional law enforcement techniques.

The takedown disrupted not just the botnets themselves but the commercial services built on top of them. DDoS-for-hire platforms — sometimes euphemistically marketed as "stress testing" services — represent one of the most accessible entry points into cybercrime. By dismantling the underlying infrastructure, law enforcement has temporarily removed significant attack capacity from the market.

Why IoT Botnets Keep Growing

The 3-million-device footprint highlights a persistent challenge in cybersecurity: the vast majority of IoT devices — routers, cameras, smart home gadgets, and industrial sensors — ship with minimal security and rarely receive firmware updates. Botnet operators exploit this by scanning the internet for vulnerable devices, compromising them with automated tools, and enrolling them into attack networks without their owners ever knowing.

The takedown is a significant victory, but security experts caution that IoT botnets are resilient by nature. As long as millions of poorly secured devices remain connected to the internet, new botnet infrastructure will emerge to exploit them. The real long-term solution lies in improving IoT security standards at the manufacturing level — a goal that regulatory efforts in the EU and proposed legislation in the U.S. are beginning to address. In the meantime, operations like this one demonstrate that international law enforcement cooperation can meaningfully disrupt even the largest attack networks.

Sources: Krebs on Security (March 19, 2026), The Hacker News (March 20, 2026), The Register (March 20, 2026), DOJ Press Release (March 19, 2026)