The coordinated operation targeted the Aisuru, KimWolf, JackSkid, and Mossad botnets, large-scale malicious networks that collectively compromised more than three million internet-connected devices globally by March 2026.
These botnets primarily exploited insecure, internet-exposed IoT hardware, including digital video recorders (DVRs), IP cameras, and consumer-grade routers, many of which lacked proper authentication or firmware updates.
What distinguished this campaign was the scale and sophistication of infection techniques.
Investigators found that operators behind KimWolf and JackSkid deployed advanced exploitation methods capable of compromising devices located behind traditional firewalls, effectively bypassing perimeter defenses.
This marked a significant evolution in IoT botnet capabilities, as attackers increasingly target internal network assets rather than relying solely on exposed endpoints.
According to the U.S. Department of Justice, the botnet operators monetized their infrastructure through a “cybercrime-as-a-service” model.
After compromising devices, they leased access to their botnets to other threat actors, who used them to launch large-scale DDoS attacks.
These attacks were often tied to extortion campaigns, where victims were pressured to pay in exchange for halting traffic floods.
Targets ranged from private enterprises to government infrastructure, including systems associated with the U.S. Department of Defense Information Network (DoDIN).
For businesses, the financial impact included operational downtime, incident response costs, and reputational damage, often totaling tens of thousands of dollars per incident.
Before the takedown, the botnets were heavily utilized, with attack command volumes highlighting their operational scale:
Botnet Name | Attack Commands Issued | Notable Capability
--- | --- | ---
Aisuru | 200,000+ | High-volume traffic generation
JackSkid | 90,000+ | Firewall evasion techniques
KimWolf | 25,000+ | Targeting internal IoT devices
Mossad | 1,000+ | Precision disruption attacks
The sheer number of issued commands underscores how these botnets functioned as on-demand attack platforms, capable of launching simultaneous, high-bandwidth assaults across multiple targets.
The disruption was the result of a synchronized international effort involving law enforcement agencies and private-sector partners.
In the United States, the FBI and the Defense Criminal Investigative Service (DCIS) executed seizure warrants to take control of domains and virtual servers used for botnet management.
Parallel operations were conducted in Germany by the Federal Criminal Police Office (BKA) and the Central Office for Combating Cybercrime in North Rhine-Westphalia (ZAC NRW), while Canadian authorities, including the Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP), and Sûreté du Québec (SQ), targeted individuals believed to be operating or supporting the botnets.
The operation also relied heavily on collaboration with industry partners such as Cloudflare, Akamai, Amazon Web Services, and The Shadowserver Foundation.
These organizations provided critical threat intelligence, infrastructure analysis, and mitigation support, enabling authorities to map and dismantle the botnet ecosystems effectively.
By seizing the C2 infrastructure, authorities severed the control channel between the operators and millions of compromised devices, neutralizing the immediate threat posed by these specific botnets.
Without a reachable C2, the infected devices can no longer be tasked, which sharply reduces the likelihood of further 30 Tbps-scale attacks originating from these networks. The devices themselves, however, remain infected and unpatched until their owners reset and update them, and a successor botnet can reclaim them through the same exposed services.
However, the incident highlights ongoing systemic weaknesses in IoT security. Poor device hardening, lack of firmware updates, and default credentials continue to provide fertile ground for botnet operators.
The ability to bypass firewalls and compromise internal devices further signals a shift toward more advanced, persistent IoT threats.
Security experts emphasize the need for stronger device-level protections, network segmentation, and continuous monitoring to mitigate similar threats in the future, as adversaries continue to refine their tactics in the rapidly expanding IoT landscape.
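The "continuous monitoring" recommendation is easier to act on with a concrete rule in hand. The script below is an added example written for this page, not code from the article or from any of the agencies or vendors named in it. It scans flow records (NetFlow/IPFIX-style tuples, constructed inline here) for two signals that an internal IoT device has been conscripted into a DDoS botnet: a burst of outbound flows to a single external destination, and any contact with a known C2 indicator. The thresholds, the indicator list, and the sample addresses (IANA documentation ranges) are all assumptions chosen for illustration.

```python
"""Flag internal IoT devices that look like DDoS botnet nodes.

Added example, not from the article. Two heuristics over flow records:
  1. flood: >= FLOOD_FLOWS_PER_DST outbound flows (or >= FLOOD_PACKETS_PER_DST
     packets) from one internal host to one external destination inside a
     sliding FLOOD_WINDOW_S window;
  2. c2-contact: any outbound flow to an address on a C2 indicator list.
All thresholds and indicator addresses are assumptions for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    packets: int   # packets in the flow


# Placeholder C2 indicators (assumed; TEST-NET-3 documentation range).
C2_INDICATORS = {"203.0.113.10", "203.0.113.11"}

# Heuristic thresholds (assumed; tune per network).
FLOOD_WINDOW_S = 60
FLOOD_FLOWS_PER_DST = 500
FLOOD_PACKETS_PER_DST = 50_000

# RFC 1918 space counts as "internal"; checked explicitly rather than via
# ip_address().is_private, which also matches the documentation ranges.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect(flows, window=FLOOD_WINDOW_S, flow_thresh=FLOOD_FLOWS_PER_DST,
           pkt_thresh=FLOOD_PACKETS_PER_DST):
    """Return {internal_src: {reason, ...}} for hosts that trip a rule."""
    findings = defaultdict(set)
    per_pair = defaultdict(list)          # (src, dst) -> [(ts, packets)]
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue                      # only internal -> external traffic
        if f.dst in C2_INDICATORS:
            findings[f.src].add(f"c2-contact:{f.dst}:{f.dport}")
        per_pair[(f.src, f.dst)].append((f.ts, f.packets))

    for (src, dst), events in per_pair.items():
        events.sort()
        start, pkt_sum = 0, 0             # sliding window over sorted events
        for i, (ts, pk) in enumerate(events):
            pkt_sum += pk
            while events[start][0] < ts - window:
                pkt_sum -= events[start][1]
                start += 1
            if (i - start + 1) >= flow_thresh or pkt_sum >= pkt_thresh:
                findings[src].add(f"flood:{dst}")
                break
    return dict(findings)


def sample_flows():
    """Constructed sample: an IP camera at 192.168.1.20 beacons to a C2 and
    then floods 198.51.100.5:443; a laptop at 192.168.1.50 browses normally."""
    flows = [Flow(990.0, "192.168.1.20", "203.0.113.10", 8080, 12)]
    for i in range(600):                  # 600 tiny flows in 30 seconds
        flows.append(Flow(1000 + i * 0.05, "192.168.1.20", "198.51.100.5", 443, 3))
    for i in range(20):                   # benign traffic spread over 5 hosts
        flows.append(Flow(1000 + i * 3, "192.168.1.50",
                          f"198.51.100.{20 + i % 5}", 443, 40))
    return flows


if __name__ == "__main__":
    for host, reasons in detect(sample_flows()).items():
        print(host, sorted(reasons))
```

On the constructed data the camera is reported for both the flood and the C2 contact while the laptop stays silent. In practice the flow source would be a router, a span port, or a segmented IoT VLAN's egress point, which is where the segmentation advice above pays off: an isolated IoT segment gives you one choke point to observe and one place to block outbound traffic once a device is flagged.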
The post Authorities Dismantle IoT Botnet Behind Massive 30 Tbps DDoS Attacks appeared first on Cyber Security News.