The country’s Department of Justice and global partners seize command‑and‑control infrastructure for botnets that have hijacked 3mn devices worldwide.
US authorities announced they have dismantled the infrastructure behind four major Internet‑of‑Things (IoT) botnets responsible for some of the largest‑ever distributed‑denial‑of‑service (DDoS) attacks worldwide.
The court-authorized operation, carried out by the Justice Department and the Defense Criminal Investigative Service, with global partners invited to help seize critical command‑and‑control systems, targeted networks known as Aisuru, KimWolf, JackSkid, and Mossad, which together had hijacked more than 3m internet‑connected devices worldwide as of March 2026.
These botnets have infected mostly consumer‑grade IoT hardware such as digital video recorders, webcams, and Wi‑Fi routers — often tucked behind home firewalls yet still exposed to the public internet. Once compromised, the devices had become part of a “cybercrime‑as‑a‑service” model, where operators sold access to other attackers for waves of DDoS attacks that at times reached roughly 30–31.4tb per second, setting new records for scale. Targets have included commercial services, cloud providers, and IP addresses on the Department of Defense Information Network, escalating risks to both private‑sector platforms and US government infrastructure.
Under court‑authorized warrants, US agents from the Department of Justice seized US‑registered domains, virtual servers, and other infrastructure used to orchestrate these attacks, while law‑enforcement counterparts in Germany and Canada conducted parallel actions against individuals believed to control the botnets.
In terms of international cooperation, the operation involved EUROPOL’s PowerOFF team, the Netherlands Politie, as well as cybersecurity firms, major internet operators and other companies that had provided technical support — with some null‑routing or blocking thousands of infected command‑and‑control servers linked to Aisuru and KimWolf alone.
Officials have emphasized that the takedown does not fully eliminate the underlying code or malware, and many of the affected devices remain vulnerable unless owners patch or replace them. However, disrupting the centralized control layer has temporarily crippled the four botnets’ ability to mount large‑scale DDoS campaigns, giving defenders more time to harden exposed IoT ecosystems and pressure manufacturers to improve built‑in security.


