In a single coordinated move, US law enforcement and defense investigators dismantled four large botnets that had been used to launch enormous distributed denial-of-service attacks. The operation removed the command-and-control infrastructure for botnets known as JackSkid, Mossad, Aisuru, and Kimwolf.
What was taken down
Who: The US Department of Justice and the Defense Criminal Investigative Service led the action, with cooperation from Canadian and German authorities. No arrests were announced immediately.
Targets: The takedown cut off the servers used to control these botnets, which together had more than 3 million compromised devices. Operators often rented access to those devices to other criminals or used them directly to flood targets with traffic to make websites and services stop working.
Why Aisuru and Kimwolf mattered
- Aisuru and its related Kimwolf offshoot together controlled over a million devices, according to DDoS defense firm Cloudflare.
- Aisuru infected devices such as DVRs, network appliances, and webcams. Kimwolf focused on Android-based gadgets including smart TVs and set-top boxes.
- In November, the two working together produced an attack that peaked at about 31.4 terabits per second and lasted roughly 35 seconds. That peak was close to three times larger than previous top attacks.
- These botnets were frequently offered for hire, and their victims included gaming services and independent security researchers who track botnet activity.
How they operated
All four botnets were descendants of the original Mirai family, the internet-of-things malware that first surfaced in 2016 and changed the DDoS landscape. Over the years Mirai's code was modified and improved, and those changes show up in the recent botnets.
Researchers found that the new variants had developed techniques to reach devices Mirai could not. Kimwolf in particular abused cheap internet-connected devices that acted as residential proxies, using them as a foothold into home networks from which other devices behind the router could then be compromised. That shift challenged assumptions about how secure a home network could be, according to Chad Seaman, a principal security researcher at Akamai.
Operators also deployed evasive tricks. At times they moved parts of their infrastructure onto blockchain systems to make it harder for defenders to take control of their command servers.
Official response and cooperation
The Justice Department emphasized its commitment to protecting internet infrastructure. US attorney Michael J. Heyman said, "The United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live."
Authorities noted they worked with international partners, and that Canada and Germany took actions aimed at people who ran these botnets.
What comes next
Experts expect this will not be the last time huge botnets appear. Researchers and law enforcement have been fighting these operators for months, and although dismantling these four networks is a major win, the techniques and code remain widely available. New botnets are likely to emerge that reuse lessons learned from these operations.
For regular users, the takeaway is practical: keep devices updated when possible, change default passwords on internet-connected gadgets, and be aware that inexpensive smart devices can be vectors into a home network.
Short version: The US and partners disabled four massive Mirai-derived botnets controlling millions of devices and used in record DDoS attacks. It is a big technical victory, but not a final solution.