Law enforcement officials from the United States, Canada, and Germany on March 19 participated in a takedown of the command-and-control (C2) infrastructure of the Aisuru, KimWolf, JackSkid and Mossad botnets. These botnets, built from millions of infected Internet-of-Things (IoT) devices worldwide, launched a series of distributed-denial-of-service (DDoS) attacks. As part of the takedown, law enforcement issued seizure warrants that targeted the virtual servers, internet domains, and other infrastructure used in the DDoS attacks.

Security pros refer to these attacks as “residential proxy” cybercrime, in which attackers compromise the Android TV boxes and SOHO routers of employees working from home and use them as launchpads for their criminal online activities. By routing traffic through these “residential” IP addresses, cybercriminals make their illicit actions appear as genuine traffic from real households, which lets them bypass security filters, geolocation restrictions, and fraud detection systems.

One such attack by Aisuru in December 2025 peaked at 31.4 terabits per second (Tbps) and 200 million requests per second as part of a threat campaign primarily aimed at telecom companies.

“While this botnet takedown is significant, we must not confuse disruption with victory,” said Crystal Morin, senior cybersecurity strategist at Sysdig. “These botnets show just how easy it is to weaponize poorly maintained IoT devices on a massive scale. This takedown operation removes infrastructure and buys defenders time, but it doesn’t fix the underlying problem.”

Morin said botnet operators will likely rebuild and return under new pseudonyms, starting again exactly where they left off. The victimized IoT devices have not been magically secured, so threat actors can simply retarget them.

“Rescaling has been simplified by and large with AI,” said Morin. “The reset button was pushed, certainly, but the ecosystem still heavily favors the attackers.”

John Gallagher, vice president of Viakoo Labs, said the damage from DDoS attacks has grown to the point where focusing on bot mitigation alone does not cut it, and defenders need to focus on bot eradication instead.

“While 3 million bots might sound like a lot, it’s a fraction of the bots that remain deployed within IoT and OT infrastructure,” said Gallagher. “That’s why enterprises need to be vigilant and take action to find and remediate infected devices.”

Gallagher explained that the danger of not remediating bots that are “living off the land” is that, with AI-driven threats, these bots will become both more intelligent and broader in the types of attacks they can launch. And because today’s bots are already inside an organization’s network, they can be turned inward for lateral movement, Gallagher noted.

Steven Swift, managing director at Suzu Labs, said security teams have to keep in mind that only the communications server was taken down. This means the threat actors can’t issue new commands to their bots, Swift said, but the devices are still vulnerable, and many will simply be re-compromised and added to a new botnet.

“Large botnets get used for a wide range of illicit activity, the most visible of which is when they’re used to coordinate a DDoS attack,” said Swift. “But they’re also frequently used for any attack where varying the sending IP is useful, such as to avoid an IP blacklist for malicious activity.”

Swift also noted that the devices compromised by the botnet are IoT devices, which tend to have poor security by design. Unfortunately, Swift said, there’s no real incentive for makers of IoT devices to secure their products, because failing to do so hasn’t impacted sales, and there haven’t been other meaningful consequences after the fact.

“Some devices do better than others, and will have patches available, though this is left up to the end user to patch, most of which will not,” said Swift. “So for the time being, we’re being left with a huge number of insecure devices, and no real plan to secure them. We’re going to continue to see large botnets assembled using these devices. As botnets get taken down, new ones rise up to take their place. At best, campaigns to take down major botnets like this will temporarily disrupt operations.”
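Gallagher’s point that enterprises must find and remediate infected devices, and Swift’s that the bots stay in place after a C2 seizure, both come down to spotting compromised IoT hosts on the local network. The Python script below is an added example, not code from the article or from any of the vendors quoted. It runs two behavioural checks over constructed outbound flow records (every IP address, timestamp and threshold is made up for the illustration): near-periodic beaconing to a single destination, which is what a bot polling its C2 server looks like from the network, and a burst of connections to many distinct destinations, which is what a device acting as a residential proxy exit or a DDoS source looks like.

```python
"""Spot likely botnet members on a home or SOHO network segment from outbound
flow records.  Two behaviours are checked:

  1. beaconing: near-periodic connections from one host to one destination,
     the pattern of a bot polling its command-and-control (C2) server;
  2. fan-out: one host contacting many distinct external destinations in a
     short window, the pattern of a device being used as a proxy exit or a
     DDoS source.

The flow records, IP addresses and thresholds below are constructed for this
example; a real deployment would read router or firewall flow exports instead.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _beacon(src, dst, port, start, gaps):
    """Build a constructed series of flows from src to dst separated by gaps."""
    flows = [(start, src, dst, port, 120)]
    t = start
    for g in gaps:
        t += g
        flows.append((t, src, dst, port, 120))
    return flows


# Constructed sample, one record per flow:
# (timestamp in seconds, src_ip, dst_ip, dst_port, bytes_out).
# A TV box phones home every ~60 s, a router opens 25 connections to 25
# different hosts within half a minute, and a laptop browses irregularly.
SAMPLE_FLOWS = (
    _beacon("192.168.1.20", "203.0.113.5", 443, 1000, [60, 59, 61, 60, 60, 60])
    + [(1030 + i, "192.168.1.30", f"198.51.100.{i + 1}", 80, 900) for i in range(25)]
    + [
        (1005, "192.168.1.10", "192.0.2.10", 443, 5000),
        (1130, "192.168.1.10", "192.0.2.11", 443, 2500),
        (1300, "192.168.1.10", "192.0.2.10", 443, 800),
        (1310, "192.168.1.10", "192.0.2.12", 443, 4000),
        (1900, "192.168.1.10", "192.0.2.13", 443, 600),
    ]
)


def find_beaconing(flows, min_hits=5, max_cv=0.1):
    """Return {(src, dst, port): mean_gap_seconds} for connection series whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv)."""
    stamps = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        stamps[(src, dst, port)].append(ts)
    hits = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = float(avg)
    return hits


def find_fanout(flows, window=60, min_destinations=20):
    """Return {src: distinct_destination_count} for hosts that reach at least
    min_destinations different dst_ips within any window-second span."""
    events = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            in_window = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            best = max(best, len(in_window))
        if best >= min_destinations:
            hits[src] = best
    return hits


def suspect_hosts(flows):
    """Hosts flagged by either detector, with a human-readable reason for each."""
    reasons = defaultdict(list)
    for (src, dst, port), gap in find_beaconing(flows).items():
        reasons[src].append(f"beacons to {dst}:{port} every {gap:.0f}s")
    for src, n in find_fanout(flows).items():
        reasons[src].append(f"contacted {n} distinct destinations within 60s")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(suspect_hosts(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(why))
```

In practice the records would come from the router or firewall’s NetFlow/IPFIX export, and both thresholds need tuning against the segment’s baseline: legitimate software updaters and smart-home hubs also beacon, so a hit is a lead to check against the device’s expected behaviour (and then patch or re-image), not a verdict on its own.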
US, Canada and Germany take down four large DDoS botnets