US, Canada, Germany Dismantle Four IoT Botnets Behind Record DDoS Campaigns
A joint operation across three countries seized infrastructure supporting four interconnected IoT botnets — Aisuru, Kimwolf, JackSkid, and Mossad — collectively responsible for compromising over three million routers, cameras, and other devices. The botnets launched hundreds of thousands of DDoS attacks, extorting victims for payments while causing tens of thousands of dollars in damages per target. DoD-owned IP ranges were among those attacked, which brought the Defense Criminal Investigative Service into the investigation alongside the FBI.
Aisuru, the oldest of the four, emerged in late 2024 and by mid-2025 was breaking DDoS volume records. It later spawned Kimwolf, a variant with a novel lateral movement technique capable of reaching devices behind NAT on internal networks. A public vulnerability disclosure in January 2026 slowed Kimwolf’s spread, but the propagation method has since been copied by competing botnets — a textbook example of capability proliferation after partial disclosure.
Law enforcement actions in Canada and Germany targeted alleged operators in parallel with the US infrastructure seizures. KrebsOnSecurity identified one suspected Kimwolf operator as a 22-year-old Canadian; a second suspect is reportedly a 15-year-old in Germany. Nearly two dozen private-sector firms assisted the operation.
Continue reading at Krebs on Security →

This is an AI-generated summary. Read the original for the full story.