US Takes Down Botnets Used in Record-Breaking Cyberattacks
Recorded: March 20, 2026, 10 p.m.
| Original | Summarized |
Andy Greenberg, WIRED, Security, Mar 19, 2026 8:07 PM

The Aisuru, Kimwolf, JackSkid, and Mossad botnets had infected more than 3 million devices in total, many inside home networks, according to the US Justice Department.

The collections of millions of hacked computers known as Aisuru and Kimwolf have been used to launch some of the biggest distributed denial-of-service (DDoS) attacks ever seen. Now United States law enforcement agencies have wiped both of them off the internet, along with two of the other hordes of hijacked computers—known as botnets—in a single broad takedown.

On Thursday, the US Department of Justice, working with the cybercrime-fighting agency within the US Department of Defense known as the Defense Criminal Investigative Service, announced that it had dismantled four massive botnets in a single operation, removing the command-and-control servers used to commandeer the hacker-run armies of compromised devices known by the names JackSkid, Mossad, Aisuru, and Kimwolf.
Together, operators of the four botnets had amassed more than 3 million devices, the Justice Department said, and often sold access to those devices to other criminal hackers as well as using them to target victims with overwhelming floods of attack traffic to knock websites and internet services offline.

Aisuru and Kimwolf, a distinct but Aisuru-related botnet, had together comprised more than a million devices, according to DDoS defense firm Cloudflare, with Aisuru infecting a variety of devices ranging from DVRs to network appliances to webcams, and its Kimwolf offshoot infecting Android devices including smart TVs and set-top boxes. Cloudflare says the two botnets, working in conjunction, carried out a cyberattack against a Cloudflare customer last November that reached more than 30 terabits of data per second, nearly three times the size of the previous biggest such attack.

No arrests were immediately announced along with the takedowns, but a Justice Department statement noted that the US government was collaborating with Canadian and German authorities, “which targeted individuals who operated these botnets.”

“The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live,” US attorney Michael J. Heyman wrote in a statement.

Of the four botnets taken out in the operation, Aisuru had gained the most notoriety, thanks to a series of record-breaking or near-record cyberattacks it carried out last fall. The botnet, whose use was rented out like many such “booter” services offering their brute-force disruptive capabilities to anyone willing to pay, has been used most visibly against gaming services like Minecraft and independent cybersecurity journalist Brian Krebs.
Krebs, who has extensively investigated the botnet underground and Aisuru in particular, came under repeated attack from the botnet last year.

Then in November, Cloudflare absorbed a record-breaking combined attack from Aisuru and Kimwolf that lasted only 35 seconds but reached 31.4 terabits per second, a volume of attack traffic close to triple the size of any seen before. (The company hasn't revealed which of its customers was hit with that attack.)

In a report on the state of the DDoS ecosystem, Cloudflare described the maximum attack traffic of the combined Aisuru and Kimwolf botnets as equivalent to “the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second.” The botnet was capable, Cloudflare’s analysts wrote, of “launching DDoS attacks that can cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.”

In fact, all four botnets disrupted by the US operation were variants of Mirai, an internet-of-things botnet that first appeared in 2016, broke records at the time for the size of the cyberattacks it enabled, and eventually was used in an attack on the domain-name service provider Dyn that took down 175,000 websites simultaneously for much of the United States. Mirai's code base has since served as the starting point for a decade of other internet-of-things botnets.

The four botnets targeted by the US in Thursday's takedown had all evolved new techniques that let them infect types of devices that even Mirai had never managed to access. Kimwolf in particular took advantage of cheap internet-connected gadgets that acted as “residential proxies” that—often unbeknownst to their owners—let hackers pivot into users' home networks to compromise devices that are typically protected behind a home router, says Chad Seaman, a principal security researcher at networking firm Akamai.
“It really shook the foundations of what we considered to be a secure home network,” Seaman says.

Seaman notes that cybersecurity researchers and law enforcement had engaged in a monthslong cat-and-mouse game with the botnet operators. At times, he says, the operators used innovative tricks like moving their domain name system to the Ethereum blockchain to prevent the hijacking of their command-and-control servers.

Regardless of the results of Thursday's takedown, Seaman says he's seen enough generations of DDoS operators—going back to Mirai itself—to know that even if these four botnets have been permanently dismantled, other hackers will no doubt rebuild new, massive collections of hacked machines to take their place.

“The cat-and-mouse game continues. You catch one mouse, and 10 others scurry under the refrigerator,” he says. “The cats will prioritize the fat mice. But it's a long game.”

Andy Greenberg is a senior writer for WIRED covering hacking, cybersecurity, and surveillance. He’s the author of the books Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency and Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.
|
The United States Department of Justice, in collaboration with the Defense Criminal Investigative Service, successfully dismantled four significant botnets – Aisuru, Kimwolf, JackSkid, and Mossad – representing a substantial disruption to cybercriminal activity. These botnets, collectively comprised of over 3 million compromised devices, were utilized for distributed denial-of-service (DDoS) attacks, frequently targeting gaming services like Minecraft and cybersecurity journalist Brian Krebs, who had been repeatedly attacked. The operation, spearheaded by US attorney Michael J. Heyman, involved international cooperation with Canadian and German authorities, focusing on individuals operating these botnets. The takedown stemmed from the evolution of Mirai, an initial internet-of-things botnet that emerged in 2016, with these newer botnets adapting and expanding their reach to encompass previously inaccessible device types, including residential proxies utilized by Kimwolf. Specifically, Chad Seaman, a principal security researcher at Akamai, highlighted Kimwolf's exploitation of cheap internet-connected gadgets. A particularly alarming incident involved a combined attack by Aisuru and Kimwolf reaching 31.4 terabits per second—nearly triple the size of any previous attack—which Cloudflare absorbed in November. This demonstrated the botnets’ capacity to cripple critical infrastructure and overwhelm legacy DDoS protection solutions. The core of these botnets resided in command-and-control servers, which were effectively neutralized. Despite the successful takedown, the cat-and-mouse game between cybersecurity professionals and botnet operators continues, as evidenced by operators utilizing techniques like the Ethereum blockchain to evade control. Seaman’s perspective emphasized the persistent nature of these threats, stating that while dismantling these specific botnets is a significant achievement, new collections will inevitably emerge. |