Security · 9 min read · Source: The Hacker News

DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

By Redakcja Pixelift

Photo: The Hacker News

# US Department of Justice Dismantles Three IoT Botnets Controlling 3 Million Devices

The U.S. Department of Justice has dismantled three IoT botnets that together controlled 3 million devices and carried out record-breaking DDoS attacks, peaking at 31.4 Tbps, against targets worldwide. The operation is a milestone in combating threats that exploit Internet of Things devices.

The botnets used infected IoT devices, from security cameras to routers, to conduct distributed denial-of-service attacks. The scale of the problem is illustrated by the fact that 31.4 Tbps is more than double the previous record. Attacks of this size can paralyze critical infrastructure, banking services, or e-commerce platforms.

The dismantling of the botnets matters directly to users: it reduces the risk of losing access to important online services and improves network stability. However, experts emphasize that this is merely one stage in a long-term battle. The root problem is weak security in IoT devices at the production stage and the lack of mandatory security updates. The operation demonstrates that prosecuting cybercriminals alone is insufficient; the security standards of the entire IoT ecosystem, from manufacturers to service providers, must change.

The United States Department of Justice has just conducted an operation that might seem like a scenario from a spy thriller if it weren't completely real. The scale is impressive: over 3 million IoT devices involved in botnet networks that generated a record 31.4 terabits of data per second in DDoS attacks. This is not just ordinary cybersecurity news — it's a watershed moment that shows how seriously authorities are treating infrastructure threats in the age of digitalization.

The operation, led by the DoJ together with partners in Poland, Canada, and Germany, focused on dismantling the command-and-control (C2) infrastructure serving botnets such as AISURU, Kimwolf, JackSkid, and Mossad. These names may sound like spy code, but they represent concrete threats to digital security worldwide. Each of these botnets operated as a distributed arsenal, using infected devices to send waves of network traffic capable of paralyzing even the largest online infrastructures.

The scale of this problem cannot be overstated. In an era when every piece of equipment, from security cameras through routers to smart home devices, is a potential entry point for cybercriminals, IoT botnets have become a weapon of mass disruption. The DoJ operation shows that law enforcement agencies around the world have finally grasped the urgency of the situation.

Anatomy of the threat: how millions of devices became a weapon

To understand the significance of the DoJ operation, one must first understand how IoT botnets actually function. They are not sophisticated systems requiring special skills; quite the opposite. Most IoT devices end up in botnets through weak or default passwords, known but long-unpatched vulnerabilities in services exposed to the internet, or simply the absence of any meaningful protection. A manufacturer sells an IP camera for 50 zlotys, the user never changes the default password, the device answers login attempts straight from the internet, and voilà: another soldier in the botnet army.
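The default-password infection path described above leaves a recognizable trace on the victim device: a burst of failed logins from one source, followed by a success. The detection below is an added illustration, not code from the article, the DoJ, or any botnet. The log lines are constructed to resemble the syslog output of a small embedded SSH daemon; the host name "cam01", the addresses, the timestamps and the thresholds are all assumptions made for the example.

```python
"""Detect Mirai-style credential brute force against an IoT device's login service.

Added illustration, not code from the article, the DoJ, or any botnet. The log
lines are constructed to resemble the syslog output of a small embedded SSH
daemon; the host name "cam01", the addresses and the timestamps are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammers the device, one operator logs in normally.
SAMPLE_LOG = """\
Jan 14 03:12:01 cam01 dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:41000
Jan 14 03:12:02 cam01 dropbear[413]: Bad password attempt for 'admin' from 198.51.100.7:41001
Jan 14 03:12:02 cam01 dropbear[414]: Bad password attempt for 'root' from 198.51.100.7:41002
Jan 14 03:12:03 cam01 dropbear[415]: Bad password attempt for 'root' from 198.51.100.7:41003
Jan 14 03:12:05 cam01 dropbear[416]: Password auth succeeded for 'root' from 198.51.100.7:41004
Jan 14 03:15:40 cam01 dropbear[419]: Bad password attempt for 'operator' from 203.0.113.9:50111
Jan 14 03:15:55 cam01 dropbear[420]: Password auth succeeded for 'operator' from 203.0.113.9:50112
Jan 14 03:20:00 cam01 kernel: eth0: link is up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dropbear\[\d+\]: "
    r"(?P<result>Bad password attempt|Password auth succeeded) for '(?P<user>[^']+)' "
    r"from (?P<src>[\d.]+):\d+$"
)


def parse(log_text):
    """Turn matching lines into dicts; lines from other programs are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # syslog timestamps carry no year; only same-day deltas matter here
        d["ts"] = datetime.strptime(" ".join(d["ts"].split()), "%b %d %H:%M:%S")
        d["ok"] = d["result"] == "Password auth succeeded"
        events.append(d)
    return events


def detect(events, window_s=60, threshold=4):
    """Alert per source IP.

    Rule 1: at least `threshold` failed logins from one source within `window_s`.
    Rule 2: a success from that source after the burst, i.e. a guess worked,
    which on an IoT device almost always means a factory default credential.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if not e["ok"]]
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                burst_end = fails[i + threshold - 1]
                break
        reasons = []
        if burst_end is not None:
            reasons.append(f"{threshold} failed logins within {window_s}s")
            if any(e["ok"] and e["ts"] >= burst_end for e in evs):
                reasons.append("successful login after failure burst")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for src, why in detect(parse(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(why))
```

Run against the sample, the scanner at 198.51.100.7 trips both rules while the operator's single typo at 203.0.113.9 does not. The second rule is the one worth paging on: a burst alone is background noise on anything internet-facing, but a success right after it means the device is now someone else's. Most consumer devices never ship such logs to anyone, which is itself part of the problem the article describes.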

Botnets such as AISURU and Kimwolf operated on a classic centralized model. Hundreds of thousands of infected devices polled a C2 server for commands. When the operators issued an order, all these devices simultaneously sent traffic at the chosen target. The arithmetic is what makes the numbers frightening: 3 million devices each pushing only about 10 megabits per second, the upload rate of an ordinary home connection, already add up to some 30 terabits per second, a tsunami of data that no traditional infrastructure can absorb.

The record 31.4 terabits per second is a number that should concern anyone involved in infrastructure security. For a sense of scale: if one takes average global internet bandwidth to be around 400 terabits per second, a single attack of this size is equivalent to roughly 8 percent of it. The comparison is about volume only; a DDoS concentrates that traffic on one destination, so what it saturates is the victim's links and the upstream networks on the path, not the internet as a whole. That is still far from a marginal problem, because the upstream networks on that path carry everyone else's traffic too.

Botnet operators made enormous sums of money by renting access to their networks to other criminals. The price for a DDoS attack ranged from tens to tens of thousands of dollars, depending on the scale and duration. This was a highly profitable business that operated practically with impunity for years.

C2 infrastructure: the heart of the beast

The key to dismantling these botnets was the command-and-control infrastructure. A botnet is only worth as much as the servers that control it. Without a control point, millions of infected devices sit idle. They are not clean, though: they remain infected, the weak credentials that let the first operator in are still there, and the next operator to scan for them can enroll them again. This is why the DoJ operation focused on seizing, shutting down, and dismantling these servers, and why the takedown has to be followed by cleanup on the device side.

The C2 infrastructure of botnets such as JackSkid and Mossad was distributed worldwide, with servers hidden behind anonymous hosting providers, the Tor network, and relay services. The operation required international coordination to strike all key nodes simultaneously. A single C2 node left running would have let the operators quickly regain control of the botnet.

Particularly interesting is that the operation included cooperation with private cybersecurity firms. Large technology corporations such as Microsoft, Cloudflare, or Akamai possess enormous resources for monitoring network traffic and identifying botnets. Without their support, the DoJ operation would have been impossible. This shows that in today's cybersecurity era, governments cannot act alone — they need support from the private sector.

The role of Zero Trust Network Access in protecting against botnets

The DoJ operation sheds light on a fundamental problem in cybersecurity: traditional infrastructure protection models are outdated. For decades, we have relied on the concept of security perimeter — the idea that if you only secure the edge of the network, everything inside is safe. This assumption proved to be a fatal error.

IoT botnets thrived because devices were trusted on the strength of where they sat: an IP camera in an office or a router at home could talk to anything, inside the network and out, with no control over what it connected to or how much it sent. Many of the bots in these networks sit on home and small-office connections that are reachable directly from the internet. Once infected, such a device does double duty: it is a source of attack traffic toward the internet, and it is a foothold from which an attacker can reach everything else on the same network.

This is where the concept of Zero Trust Network Access (ZTNA) comes in, which represents a radical departure from the traditional approach. Instead of assuming that everything inside the perimeter is trusted, ZTNA requires verification of every device, every user, and every application. No access is granted by default — everything must be explicitly authorized.

Applied to IoT, the zero-trust principle means that every device must be identified, authenticated, and authorized before it can talk to anything, and that its traffic is limited to the destinations its function requires. A camera cannot run a ZTNA agent or log in with multi-factor authentication, so for headless devices the enforcement point is the network itself: the device is identified, ideally with a device certificate (802.1X) and at minimum by a binding between inventory, MAC and IP address, placed in its own segment, and allowed to send data only to the recorder or cloud endpoint it is meant to use. Everything else, including outbound scanning and connections to unknown hosts, is dropped and logged. This does not prevent a device from being compromised, but it removes most of what makes a compromised device useful to a botnet operator: it can no longer reach a C2 server or flood arbitrary targets.

From replacing VPN to comprehensive access security

Traditionally, VPN (Virtual Private Network) was the standard tool for securing access to network resources. Employees connected to the VPN, and voilà — they were inside the corporate network with access to all resources. The problem is that VPN is a tool from the 1990s, designed for a different world — a world where most users worked from offices and the network was relatively static.

Today, in the era of remote work, cloud, IoT, and mobility, VPN is an anachronism. An employee working from a café, an IoT device in a factory, an application in the cloud: all of these need access, but a flat network behind a VPN concentrator offers no granular control over any of them. A compromised device on such a network gets the same reach as a healthy one, and that is the gap botnets and the attackers behind them exploit.

ZTNA represents an evolution from VPN. Instead of granting access to the entire network upon login, ZTNA grants access only to specific applications and resources. An employee needs access to a database? ZTNA verifies their identity, device posture, and permissions, then grants access to that database and nothing more. An IoT device needs to send data? The policy checks whether the device is known and authorized, whether its posture (firmware level, credential hygiene) meets the baseline, and whether it actually has the right to send data to that specific server.

This approach drastically constrains so-called lateral movement, the ability of attackers to move around the network after gaining control of one device. In the traditional model, if attackers compromised an IP camera, they could roam the entire network looking for more valuable targets. Under a zero-trust policy, the IP camera can reach only what it should and nothing more, so the compromise stays contained to the camera.

Polish perspective: how the DoJ operation affects Polish companies

The DoJ operation may sound like a purely American matter, but its consequences for Polish companies and organizations are significant. Poland is one of the countries that actively participated in the operation — this shows that Polish cybersecurity is taken seriously on the international stage. Agencies such as CERT Poland and the Central Anti-Corruption Bureau cooperated with the DoJ and Canadian and German services.

For Polish companies, especially those operating in the critical infrastructure, energy, or financial sectors, this operation should be an alarm signal. If your infrastructure contains unprotected IoT devices, you are a potential target. Every IP camera with an unchanged password, every router without security updates, every smart device without proper configuration — these are potential entry points for botnets.

Polish cybersecurity regulations, including the personal data protection law and the NIS directive (transposed in Poland by the Act on the National Cybersecurity System), require organizations to implement appropriate security measures. However, many Polish companies treat this as a checkbox to tick rather than a real problem to solve. The DoJ operation shows that cybercriminals do not wait for Polish companies to catch up; they operate globally and effectively.

Implementing ZTNA in Polish organizations

For Polish CIOs and IT security managers, the lesson from the DoJ operation is clear: traditional security models are insufficient. The transition from VPN to comprehensive ZTNA is no longer optional — it is a necessity.

Implementing ZTNA in a Polish organization requires several steps. First, conduct an inventory of the entire infrastructure: every device, every application, every user. Second, define who and what should have access to what. Third, implement technology that enforces these rules; platforms such as Cloudflare Zero Trust, Microsoft Entra, or Okta offer such solutions for users and applications. For headless IoT devices, which cannot run an agent, the enforcement point is the network: 802.1X or NAC for admission, VLAN segmentation and firewall rules for egress, fed by the same inventory.

It is particularly important to secure IoT devices. Every device should be identified, authenticated, and monitored. If a device sends unexpected data or tries to connect to a server outside its allow-list, the system should block the flow and raise an alert. None of this requires exotic technology; it is a matter of inventory, configuration, and monitoring, and the hard part is keeping the inventory accurate.
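The three steps above (inventory, access definition, enforcement) and the earlier description of a device-level zero-trust policy reduce to one decision per flow. The example below is added here to show that decision in working form; it is not code from the article or from Cloudflare, Microsoft, or Okta. The inventory, the allow-lists and the flow records are constructed, and the address plan (10.10.20.0/24 for cameras and sensors, 10.10.30.5 as the video recorder, 10.10.1.1 as the NTP server, 10.0.0.0/8 as the organization's own space) is an assumption made for the illustration.

```python
"""Per-device allow-list enforcement for IoT ("zero trust for things").

Added example, not code from the article or from Cloudflare, Microsoft or Okta.
The inventory, the policy and the flow records are constructed; the address
plan (10.10.20.0/24 for cameras and sensors, 10.10.30.5 as the video recorder,
10.10.1.1 as the NTP server) is an assumption made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks the organization considers its own; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Device:
    device_id: str
    ip: str
    firmware: tuple          # installed version, e.g. (2, 4, 1)
    min_firmware: tuple      # oldest version allowed on the network
    default_creds: bool      # factory credentials still in place?
    allow: tuple = ()        # ((destination network, proto, port), ...)


def posture_ok(dev):
    """Identity alone is not enough: an out-of-date or default-credential device is quarantined."""
    return dev.firmware >= dev.min_firmware and not dev.default_creds


def flow_allowed(dev, dst_ip, proto, port):
    dst = ip_address(dst_ip)
    return any(dst in ip_network(net) and proto == p and port == pt
               for net, p, pt in dev.allow)


def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def evaluate(inventory, flows):
    """Verdict per flow (src, dst, proto, port): identity, then posture, then policy."""
    by_ip = {d.ip: d for d in inventory}
    verdicts = []
    for src, dst, proto, port in flows:
        dev = by_ip.get(src)
        if dev is None:
            why = "DENY unknown device"
        elif not posture_ok(dev):
            why = f"DENY {dev.device_id} quarantined (posture)"
        elif flow_allowed(dev, dst, proto, port):
            why = "ALLOW"
        else:
            why = f"DENY {dev.device_id} not in allow-list"
        verdicts.append((src, dst, proto, port, why))
    return verdicts


def external_denies(verdicts):
    """Known devices that tried to reach outside the organization and were blocked:
    the first place to look for scanning or command-and-control attempts."""
    return {src for src, dst, _, _, why in verdicts
            if why.startswith("DENY") and why != "DENY unknown device" and is_external(dst)}


# Constructed inventory: a camera may stream to the recorder and sync time, nothing else.
INVENTORY = [
    Device("cam-lobby", "10.10.20.11", (2, 4, 1), (2, 4, 0), False,
           allow=(("10.10.30.5/32", "tcp", 554), ("10.10.1.1/32", "udp", 123))),
    Device("cam-garage", "10.10.20.12", (2, 3, 9), (2, 4, 0), False,
           allow=(("10.10.30.5/32", "tcp", 554), ("10.10.1.1/32", "udp", 123))),
    Device("thermo-hall", "10.10.20.20", (1, 2, 0), (1, 0, 0), True,
           allow=(("10.10.30.9/32", "tcp", 8883),)),
]

# Constructed flow records (src, dst, proto, dst port), e.g. from NetFlow or a firewall log.
FLOWS = [
    ("10.10.20.11", "10.10.30.5", "tcp", 554),      # camera -> recorder: fine
    ("10.10.20.11", "10.10.1.1", "udp", 123),       # camera -> NTP: fine
    ("10.10.20.11", "198.51.100.44", "tcp", 23),    # camera probing telnet on the internet
    ("10.10.20.12", "10.10.30.5", "tcp", 554),      # legitimate flow, but firmware too old
    ("10.10.20.99", "10.10.30.5", "tcp", 554),      # never inventoried
    ("10.10.20.20", "203.0.113.10", "udp", 53),     # thermostat on default creds, odd DNS
]

if __name__ == "__main__":
    for v in evaluate(INVENTORY, FLOWS):
        print(*v)
    print("review:", sorted(external_denies(evaluate(INVENTORY, FLOWS))))
```

Two design choices carry the zero-trust point. The order of checks is identity, then posture, then policy: a device nobody inventoried gets nothing, and a known device with stale firmware or factory credentials gets nothing either, even for the flow it legitimately needs, until it is fixed. And the default is deny, so the camera's attempt to reach a telnet port on the internet, the classic signature of a bot looking for more victims, is both blocked and surfaced for review rather than silently passed because "the camera is inside".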

The future of botnets and the cybersecurity arms race

The DoJ operation cut three million infected devices off from their controllers, but it did not clean them: each one is still compromised and, unless it is patched, reset, or replaced, can be enrolled by the next operator who scans for it. Nor is this the end of the story. The reality of cybersecurity is that this is a game without end. When one botnet is dismantled, the next one appears. When one security vulnerability is patched, attackers find another.

What changes, however, is the pace and scale. The DoJ operation shows that international services can act quickly and effectively. This raises the cost of operations for cybercriminals. Instead of operating peacefully for years, they now must reckon with the fact that their infrastructure could be seized within weeks. This will not stop cybercrime, but it may slow it down.

However, without changes in the way we design and secure our systems, botnets will return. IoT device manufacturers must start taking security seriously — not as an add-on, but as a fundamental part of the design. Organizations must implement ZTNA and other modern security models. Users must change default passwords and update software.

The DoJ operation is a victory, but a victory in one battle, not the entire war. Real progress will be visible when we stop looking at cybersecurity as something we add to a system after the fact and start building security from the ground up. ZTNA and similar approaches show that this is possible — all it takes is political will and commitment from the industry.
