Key Takeaway
The U.S. DOJ, alongside Canadian and German authorities, disrupted four major IoT botnets (Aisuru, Kimwolf, JackSkid, and Mossad) that had compromised more than three million devices and issued hundreds of thousands of DDoS attack commands. Seizure warrants targeted domains and servers used to attack Department of Defense IP addresses, with the aim of stopping new infections and further attacks. Users should audit and update IoT devices, change default credentials, and watch for suspicious outbound traffic.
The U.S. Department of Justice (DOJ), in coordination with Canadian and German authorities, announced the disruption of four substantial Internet of Things (IoT) botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that collectively compromised over three million devices including routers and webcams. These botnets were responsible for numerous record-level distributed denial-of-service (DDoS) attacks against various targets, some involving extortion attempts.
The DOJ revealed that the Defense Criminal Investigative Service (DCIS), part of the Department of Defense Office of Inspector General (DoDIG), executed seizure warrants on multiple U.S.-registered domains, virtual servers, and related infrastructure used to facilitate DDoS attacks primarily targeting Department of Defense IP addresses. This operation aimed to prevent further infection of victim IoT devices and to curtail the botnets' capabilities to launch future attacks.
According to DOJ data, the botnets launched hundreds of thousands of DDoS attack commands: Aisuru issued over 200,000, JackSkid over 90,000, Kimwolf more than 25,000, and Mossad approximately 1,000. Victims reported cumulative losses in the tens of thousands of dollars due to remediation and downtime.
Aisuru, the earliest of the four, surfaced in late 2024 and by mid-2025 had grown large enough to launch record-breaking DDoS attacks, much of the traffic originating from infected devices on U.S. Internet service providers. In October 2025, Aisuru's code was reused to build Kimwolf, a variant that added a new propagation technique capable of infecting devices inside otherwise firewalled internal networks.
On January 2, 2026, security firm Synthient publicly disclosed the vulnerability Kimwolf exploited, which temporarily slowed its spread. Since then, several other IoT botnets using similar internal-network infiltration methods have emerged and now compete for the same pool of vulnerable devices. DOJ filings indicate JackSkid likewise scanned internal networks to locate targets.
The DOJ's disruption corresponded with simultaneous law enforcement actions in Canada and Germany targeting individuals allegedly operating these botnets. While specific identities were not disclosed by authorities, investigative reporting by KrebsOnSecurity identified a 22-year-old Canadian man as a primary Kimwolf operator and a 15-year-old in Germany as another suspected key actor.
FBI Anchorage Special Agent in Charge Rebecca Day emphasized the collaborative nature of the takedown, crediting DCIS and nearly two dozen technology companies for their roles in identifying and dismantling the criminal infrastructure.
Affected users should audit their IoT devices for indicators of compromise, update firmware to the latest version, replace default or shared credentials, and isolate any device exhibiting suspicious network behavior. A firmware update alone does not evict malware that is already running: reboot or factory-reset the device after patching, and confirm it is not reinfected, since a device with the same exposed service and credentials will simply be picked up again. Organizations should monitor for anomalous outbound connections and unusual packet volumes from IoT segments, and should segment IoT devices from the rest of the network so that a botnet spreading by internal scanning cannot reach more valuable hosts. Continued vigilance and timely patching remain critical against rapidly evolving IoT malware.
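Two of the behaviours described above, a device pushing DDoS-scale traffic outward and a device fanning out across the internal network, are visible in ordinary flow telemetry. The script below is an added example written for this page, not code from the Krebs on Security report or from any of the investigating agencies; the flow records, the IoT VLAN address range, the 60-second export window and the thresholds are all constructed assumptions for illustration.

```python
"""Added example: heuristics for the two behaviours the article warns about.

Flags IoT-segment hosts that (a) push DDoS-scale packet volumes to external
targets or (b) fan out across the internal network on one service port.
Flow records and thresholds are constructed for illustration, not real data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows (not real telemetry): one aggregated record per
# src/dst/port over a hypothetical 60-second export window.
SAMPLE_FLOWS = """\
src,dst,dport,pkts,bytes
192.168.10.21,203.0.113.9,443,14,9200
192.168.10.50,203.0.113.20,443,600,410000
192.168.10.33,198.51.100.7,53,180000,18400000
192.168.10.33,198.51.100.7,80,95000,6400000
192.168.10.41,192.168.10.2,23,3,180
192.168.10.41,192.168.10.3,23,3,180
192.168.10.41,192.168.10.4,23,3,180
192.168.10.41,192.168.10.5,23,3,180
192.168.10.41,192.168.10.6,23,3,180
192.168.10.41,192.168.10.7,23,3,180
192.168.10.41,192.168.10.2,5555,3,180
192.168.10.41,192.168.10.3,5555,3,180
192.168.10.41,192.168.10.4,5555,3,180
"""

IOT_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed IoT VLAN
# RFC 1918 ranges listed explicitly: ipaddress' is_private also covers the
# documentation ranges (e.g. 203.0.113.0/24), so it would misclassify our samples.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW_SECONDS = 60          # assumed export window of the sample flows
DDOS_PPS_THRESHOLD = 1000    # assumed per-host outbound packet-rate ceiling
SCAN_MIN_TARGETS = 5         # assumed distinct-host fan-out that counts as a scan


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(csv_text):
    """Parse the simple src,dst,dport,pkts,bytes CSV into typed records."""
    lines = csv_text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        flows.append({
            "src": ipaddress.ip_address(f["src"]),
            "dst": ipaddress.ip_address(f["dst"]),
            "dport": int(f["dport"]),
            "pkts": int(f["pkts"]),
            "bytes": int(f["bytes"]),
        })
    return flows


def detect_ddos_sources(flows, iot_net=IOT_NET, window_s=WINDOW_SECONDS,
                        pps_threshold=DDOS_PPS_THRESHOLD):
    """IoT hosts whose packets to external destinations exceed the rate ceiling."""
    pkts_by_src = defaultdict(int)
    for f in flows:
        if f["src"] in iot_net and not is_internal(f["dst"]):
            pkts_by_src[f["src"]] += f["pkts"]
    return sorted(str(src) for src, pkts in pkts_by_src.items()
                  if pkts / window_s > pps_threshold)


def detect_internal_scanners(flows, iot_net=IOT_NET, min_targets=SCAN_MIN_TARGETS):
    """IoT hosts touching many distinct internal hosts on the same port."""
    targets = defaultdict(set)
    for f in flows:
        if f["src"] in iot_net and is_internal(f["dst"]) and f["src"] != f["dst"]:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return sorted((str(src), port, len(hosts))
                  for (src, port), hosts in targets.items()
                  if len(hosts) >= min_targets)


def analyze(csv_text):
    flows = parse_flows(csv_text)
    return {"ddos_sources": detect_ddos_sources(flows),
            "scanners": detect_internal_scanners(flows)}


if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
```

On the constructed data, the host sending a quarter of a million packets to one external address in a minute is reported as a likely DDoS participant, and the host probing six neighbours on port 23 is reported as an internal scanner, while the two devices with ordinary HTTPS traffic are not. The thresholds are starting points: tune the packet-rate ceiling to what your IoT segment normally emits, and treat any fan-out on management ports from a device that should never initiate internal connections as worth an immediate look.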
Original Source: Krebs on Security