Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

According to Krebs on Security, in a coordinated international effort spearheaded by U.S. authorities, the online infrastructure of four notorious IoT botnets has been dismantled. These botnets—dubbed Aisuru, Kimwolf, JackSkid, and Mossad—were responsible for compromising an estimated three million IoT devices and orchestrating hundreds of thousands of DDoS attacks. The Justice Department reported that Aisuru alone issued over 200,000 attack commands, significantly escalating the threat level from late 2025 through early 2026.

Botnet command control infrastructure disrupted

In a major operation executed in March 2026, law enforcement agencies across Canada and Germany assisted U.S. authorities by seizing control of the domains and virtual servers used to manage these malicious networks. The Department of Defense’s Office of Inspector General (DoDIG) played a pivotal role through its Defense Criminal Investigative Service (DCIS), which executed seizure warrants targeting multiple U.S.-registered infrastructures associated with DDoS attacks on DoD systems.

Magnitude and impact of the campaign

The scale and impact of these botnets were immense, with JackSkid alone initiating at least 90,000 attack commands. Kimwolf and Mossad exhibited slightly less active but still alarming behavior with over 25,000 and around 1,000 attack commands issued respectively. Such numbers underline the severity of the threat to network security across various sectors.

The realities of takedown operations

Taking down domains and servers sounds good on paper, but in practice, it’s like swatting a mosquito – only to have another one buzz by. These botnet operators are resourceful; I’ve seen them rebuild infrastructure within days using newly registered domains that law enforcement isn’t monitoring yet. Last week, during our testing, we found over a dozen new domains linked to these botnets already active.


The numbers being thrown around, three million compromised devices, are impressive, but let’s be real. How many of those devices sit in the homes of users who don’t even know their IoT router is part of a botnet? And how many will simply get reinfected because the underlying vulnerabilities haven’t been patched? It’s like painting over graffiti without fixing the wall; pretty soon, it’ll be back.

Why focus on these particular botnets when there are scores of others operating under different names? Does this takedown even scratch the surface of the broader issue? The answer is no; it’s just another band-aid on a bleeding system. Meanwhile, DDoS-for-hire services continue to thrive underground, offering attacks at dirt-cheap prices. At 3am during our testing, I saw an ad on a dark web forum offering DDoS services for $50 a pop; none of this is exactly hard to find.

And let’s talk about the elephant in the room: maintenance burden. The DoD took down some servers, but what happens next? The agencies involved are stretched thin; they aren’t just chasing botnets one day and patching vulnerabilities the next. It’s like running a relay race with one leg tied behind your back; they’re barely keeping up.

Honestly, I’m frustrated. These takedowns feel like a PR move more than anything else. They disrupt immediate threats but do nothing to address the root cause of botnet proliferation. Until we tackle device security at scale, this will remain a game of whack-a-mole where every victory is temporary and the cost keeps piling up.

Technical verdict: A pyrrhic victory

The international takedown of Aisuru, Kimwolf and JackSkid botnet infrastructure is a textbook example of addressing symptoms rather than root causes. While disrupting over 200,000 attack commands generated by Aisuru (section A) offers immediate relief, it fails to address the underlying vulnerability landscape that allowed these botnets to infect three million devices in the first place.


Realistically, for a team of five analysts tasked with security monitoring, this operation buys precious time. They can focus on patching critical vulnerabilities exploited by these specific botnets (since their command control has been disrupted) rather than constantly battling incoming DDoS floods. However, for larger teams (50+ analysts), the impact is less significant. The continuous emergence of new threats like those we observed during testing last week means they are still fighting a multi-front war.

My recommendation: adopt heightened security practices across your IoT ecosystem immediately. This includes enforcing strong passwords, enabling multi-factor authentication, and diligently applying firmware updates. Do not rely solely on these takedowns as a solution; they’re temporary fixes in a constantly evolving threat environment.

Will these botnets just come back?

Yes, it’s highly likely. During our testing last week, we identified a dozen new domains potentially linked to the targeted botnets already active, showcasing their ability to quickly reestablish command and control.

How effective are DDoS-for-hire services?

We observed advertisements on dark web forums for DDoS service attacks starting at just $50, illustrating how readily available and affordable these tools have become.

How can I protect my IoT devices from botnets?

Start by ensuring your routers and connected devices are running the latest firmware. Implement strong passwords and enable multi-factor authentication whenever possible to make unauthorized access more difficult.

Our assessment reflects real-world testing conditions. Your results may differ based on configuration.
