Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

Photo: Krebs on Security
The U.S. Department of Justice, together with Canadian and German authorities, dismantled the infrastructure of four botnets that had infected over three million IoT devices — routers and internet cameras. The networks, named Aisuru, Kimwolf, JackSkid and Mossad, were responsible for a series of record-breaking DDoS attacks capable of taking down virtually any target on the internet. The international operation is a significant blow to cybercrime, but it also exposes serious threats to ordinary users. Most of the infected devices are cheap, poorly secured home equipment that owners rarely monitor. The DDoS attacks carried out by these botnets reached an unprecedented scale, paralyzing critical infrastructure and online services. Dismantling the networks, however, does not solve the fundamental problem — millions of weak devices remain vulnerable to takeover. IoT manufacturers continue to ignore basic security standards, and users do not change default passwords or update software. Until this changes, botnets will be rebuilt and multiply in new variants.
Three million compromised devices. Four botnets operating with near impunity. DDoS attacks that paralyzed entire segments of the internet. This is not a scenario from a Hollywood tech thriller, but the reality that global cyber infrastructure has been grappling with for months. Only now, thanks to a coordinated operation by the US Department of Justice, Canadian and German authorities, has it been possible to dismantle the skeleton of this cyber empire — the infrastructure of four botnets that for a long time operated practically unimpeded, treating the internet as their own playground.
This operation represents a breakthrough moment in the fight against cyber threats, but it is also a reminder of the fundamental weakness of the modern Internet of Things. Devices that should make our lives easier — routers, IP cameras, smart sensors — have become weapons of mass destruction in the hands of cybercriminals. The story of the Aisuru, Kimwolf, JackSkid and Mossad botnets is a tale of inadequate security, manufacturer negligence, and the audacity of actors threatening our digital infrastructure.
Anatomy of Four Dangerous Botnets
Each of the four bot networks had its own specific structure and methodology of operation, though all shared a common strategy: seizing IoT devices and transforming them into zombie computers to carry out DDoS attacks. Aisuru, Kimwolf, JackSkid and Mossad were not random projects of amateur hackers — these were well-organized operations that required advanced technical knowledge and determination. American, Canadian and German authorities described them as among the most destructive botnets ever observed in operation.
What is particularly alarming is that each of these networks operated independently, but sometimes cooperated with others. The cybercriminals behind them were smart enough not to create a single monolithic system — instead, they built a diversified infrastructure that was harder to locate and dismantle. Three million compromised devices distributed among four botnets meant that each of them potentially had hundreds of thousands of zombie computers ready to launch an attack on command.
The IoT devices chosen for compromise were not random. Routers and IP cameras are ideal targets because they are always connected to the internet, often run with weak default passwords, and are rarely updated by their users. Manufacturers of these devices have for years neglected security in favor of rapid deployment and low production costs. The result? Millions of devices sitting exposed on the internet, ready to be seized by the first cybercriminal who knows the default access credentials.
How DDoS Attacks Changed the Scale of Threat
DDoS attacks are not new — we've known about them since the 1990s, when teenage hackers sometimes paralyzed eBay and Amazon servers. But what the Aisuru, Kimwolf, JackSkid and Mossad botnets did was a qualitative leap. Traditional DDoS attacks sent hundreds of thousands of requests per second. These new operations generated terabit-scale data flows — that is, billions of requests per second — capable of overwhelming the infrastructure of even the largest enterprises.
Records fell one after another. These attacks reached a scale that just a few years ago would have seemed impossible. Federal authorities stated that these botnets were responsible for "a series of recent record-breaking DDoS attacks, capable of taking down nearly any target on the internet." This was not an exaggeration — it was mathematics. When you connect three million IoT devices with attack software, and each has the bandwidth of a home connection, the potential power of an attack becomes truly frightening.
The target of an attack could be almost anyone: critical infrastructure, financial servers, government portals, social media platforms. Cybercriminals rented out the capacity of their botnets as a service — DDoS-as-a-Service, or DaaS. Someone wanted to paralyze a competitor? Pay the operator, and he would attack with his botnet. Someone wanted to extort ransom from a company? One command was enough, and the infrastructure would fall for hours, sometimes days.
International Operation: When Cooperation Really Works
What distinguishes this operation is its international character. Cyber threats do not respect borders, and therefore the fight against them must be equally global. The US Department of Justice, Canadian RCMP and German BKA worked together to locate control servers, trace financial flows and ultimately shut down the infrastructure. This was not an easy operation — it required cooperation between different legal systems, agencies with different procedures and countries with different security priorities.
The Polish perspective on this operation is significant. Polish cyber infrastructure, while well protected by NASK and other institutions, was not entirely immune to these botnets. Polish IoT devices — routers, cameras, sensors — were among the three million compromised machines. Polish enterprises experienced DDoS attacks whose source was precisely these botnets. Therefore, for Polish decision-makers and security specialists, this operation has a dimension that is not only theoretical but practical.
The coordinated action showed that the cyber world is not a lawless realm where cybercriminals can act without consequences. While much remains to be done, and new threats emerge every day, this operation was a signal that international services are capable of acting quickly and effectively when mobilized.
Botnet Infrastructure: How Control Systems Worked
To understand the scale of this operation, one must understand how these botnets practically functioned. Each had control servers — machines that sent commands to millions of zombie computers. These servers were hidden behind proxy networks, VPNs and other anonymization tools. Cybercriminals rented them from hosting providers, often in countries with less restrictive policies toward cybercrime.
Communication between control servers and botnets was encrypted and camouflaged to avoid detection by monitoring systems. Cybercriminals used IRC protocols, DNS-over-HTTPS and other channels to send instructions. Each IoT device in a botnet received commands: "Attack this server", "Change configuration", "Update malware". The system was distributed, redundant and extremely difficult to completely dismantle.
Financing this operation proceeded through complicated money laundering chains. Cybercriminals collected money from clients who wanted to rent botnet power, then passed it on through cryptocurrencies, bank transfers and other channels. The US Department of Justice and its partners had to trace these financial flows to identify the operators and their sources of income.
Weak Security of IoT Devices: A Problem That Remains
While the operation dismantled the infrastructure of four botnets, the fundamental problem remains unsolved: IoT devices are tragically poorly secured. Routers sold by well-known brands, IP cameras installed in homes and offices, smart sensors in factories — most of them still have default passwords, lack regular security updates, and their software contains unpatched vulnerabilities.
Equipment manufacturers have for years ignored security, focusing on functionality and price. Why spend money on security if consumers choose the cheapest router on the market? The result is millions of devices that are like open doors for cybercriminals. Each new IoT device that hits the market without proper security is a potential new soldier in a future botnet.
The Polish technology industry must pay attention to this. Companies producing IoT devices, whether operating locally or globally, should treat security as a priority, not an add-on. Frameworks and regulations such as the NIST Cybersecurity Framework and the new EU guidelines on IoT security must be implemented not as a formality, but as a real standard.
Four Botnets in Practice: What We Know About Each
While official information on the technical details of each botnet is limited — authorities carefully disclose information to avoid helping imitators — it is known that each had its own specific methodology. Aisuru was known for exploiting vulnerabilities in routers from specific manufacturers. Kimwolf specialized in IP cameras. JackSkid attacked devices with older software installed. Mossad (a name modeled after the Israeli agency, intended as a kind of mockery) was the most technically advanced.
Each botnet had its own "clientele" — cybercriminals who rented its power. Sometimes the same players rented services from multiple botnets simultaneously to increase attack power. Botnet operators charged fees depending on the size and duration of the attack. An hour-long attack cost less, but an attack lasting a day or week was more expensive. It was business — the business of cyber terrorism, but business nonetheless.
Federal authorities, working to dismantle these networks, had to identify not only botnet operators but also their clients. This was a more complicated operation than simply shutting down a few servers. It required tracking financial transactions, analyzing access logs, cooperating with hosting providers and, most importantly, coordinating between three countries with different legal systems.
Implications for the Future of Cyber Security
This operation has profound implications for the future of cyber security. First, it shows that international cooperation is possible and effective. Second, it demonstrates that even very advanced and well-hidden cyber operations can ultimately be detected and dismantled. Third, it is a warning to IoT equipment manufacturers that they must take security seriously, or they will be held accountable for the damage caused by their poorly secured devices.
For Polish companies and institutions, the lesson is clear: cyber security is not an option, it is an imperative. Every IoT device on a corporate or home network should be regularly updated, monitored and tested for security vulnerabilities. Every employee should understand the threats associated with IoT and know how to minimize them.
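One concrete form the "monitored" part of that advice can take is watching egress flow records for the signature of a device that has just received an "Attack this server" command: a sudden, sustained stream of small packets from one LAN host to one destination. The detector below is an added illustration, not code from the article or from any of the agencies named; the flow lines, the LAN addresses, the thresholds and the `find_flood_sources` helper are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not from the article): "timestamp src dst proto packets bytes".
# A home IP camera (192.168.1.50) suddenly floods one external host with tiny UDP packets,
# while two other LAN hosts carry ordinary traffic.
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 192.168.1.20 142.250.74.36 TCP 12 9800
2024-01-01T10:00:01 192.168.1.50 203.0.113.7 UDP 48000 2900000
2024-01-01T10:00:01 192.168.1.20 142.250.74.36 TCP 8 6100
2024-01-01T10:00:02 192.168.1.50 203.0.113.7 UDP 51000 3100000
2024-01-01T10:00:02 192.168.1.30 198.51.100.9 TCP 30 41000
2024-01-01T10:00:03 192.168.1.50 203.0.113.7 UDP 49500 3000000
"""

PPS_THRESHOLD = 10_000   # outbound packets/second from one host to one destination (assumed tuning value)
SMALL_PKT_BYTES = 128    # average packet size typical of SYN/UDP floods, not of video or firmware downloads

def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, pkts, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto, "pkts": int(pkts), "bytes": int(nbytes)})
    return flows

def find_flood_sources(flows, window_s=1):
    """Return {src: {'dst', 'pps', 'avg_bytes'}} for LAN hosts whose per-window outbound
    packet rate to a single destination exceeds PPS_THRESHOLD with small average packets.
    Only the worst window per source is reported."""
    buckets = defaultdict(lambda: [0, 0])  # (src, dst, window index) -> [packets, bytes]
    for f in flows:
        key = (f["src"], f["dst"], int(f["ts"].timestamp()) // window_s)
        buckets[key][0] += f["pkts"]
        buckets[key][1] += f["bytes"]
    suspects = {}
    for (src, dst, _), (pkts, nbytes) in buckets.items():
        pps = pkts / window_s
        avg = nbytes / pkts if pkts else 0
        if pps >= PPS_THRESHOLD and avg <= SMALL_PKT_BYTES:
            current = suspects.get(src)
            if current is None or pps > current["pps"]:
                suspects[src] = {"dst": dst, "pps": pps, "avg_bytes": round(avg, 1)}
    return suspects

if __name__ == "__main__":
    for src, info in find_flood_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible DDoS participant {src} -> {info['dst']}: "
              f"{info['pps']:.0f} pps, avg {info['avg_bytes']} bytes/packet")
```

On a real network the same logic runs over NetFlow/IPFIX or router export records, and an alert on a camera or router should trigger isolation of that device and a firmware and credential check rather than just a log entry.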
However, this operation is just one battle in a much larger war. New botnets will emerge — perhaps more advanced, more distributed, harder to locate. Cybercriminals learn and adapt quickly. If Aisuru, Kimwolf, JackSkid and Mossad are dismantled, their successors will emerge. The question is not "will new threats emerge," but "how quickly will we locate and dismantle them."
Challenges for Polish Infrastructure and the Private Sector
Poland, as a member of the European Union and NATO, has a special responsibility for cyber security. Polish critical infrastructure — power grids, telecommunications systems, financial institutions — must be protected against DDoS attacks and other threats. The Polish technology industry, including IoT equipment manufacturers, must mobilize to raise security standards.
The private sector in Poland has access to the same tools and knowledge as its counterparts in the West. Polish companies can produce secure IoT devices if they treat it as a priority. Polish research institutions and universities can conduct research on new methods of defense against botnets. Poland can be a leader in IoT security in Central Europe, rather than a passive observer.
The operation to dismantle four botnets is a signal that the cyber world is changing. The years when cybercriminals could act with virtually no consequences are slowly coming to an end. International services are increasingly better equipped, increasingly coordinated and increasingly determined. For the Polish technology sector and government institutions, this is a moment to take full responsibility for cyber security — not waiting for the next disaster, but acting proactively now.