
Feds disrupt monster IoT botnets behind record-breaking DDoS attacks

(2026/03/20)


The US government has moved to disrupt a cluster of IoT botnets behind some of the largest DDoS attacks ever recorded, including traffic bursts topping 30 terabits per second.

In a coordinated operation with authorities in Germany and Canada, [1]the Department of Justice said it disrupted the command-and-control infrastructure behind four botnets – Aisuru, KimWolf, JackSkid, and Mossad – that together compromised more than three million internet-connected devices worldwide.

The botnets largely spread across the usual soft underbelly of the internet, including routers, IP cameras, and digital video recorders that are often shipped with weak credentials and rarely patched.


According to the DOJ, the botnets were responsible for hundreds of thousands of DDoS attacks, some of which targeted US Department of Defense systems and other high-value targets. Their scale, however, is what sets them apart. Officials said the networks were capable of generating traffic volumes exceeding 30 Tbps, with one attack peaking at roughly [3]31.4 Tbps.


Like many modern botnets, these weren't just used for vandalism. Prosecutors said the operators monetized access to the networks by offering DDoS-for-hire services and, in some cases, extorting victims by threatening to sustain attacks unless payments were made. That model – essentially turning compromised consumer electronics into rentable attack infrastructure – has become a staple of the cybercrime economy, lowering the barrier to entry for anyone looking to knock a rival offline.

[6]Cybercrime has skyrocketed 245% since the start of the Iran war

[7]DDoS deluge: Brit biz battered as botnet blitzes break records

[8]Polish cops bail 20-year-old bedroom botnet operator

[9]RondoDox botnet linked to large-scale exploit of critical HPE OneView bug

Aisuru's name will be familiar to anyone tracking large-scale DDoS activity. The botnet has been behind a string of recent high-volume attacks, with [10]Cloudflare previously warning it could fire off multi-terabit traffic floods.

The disruption itself focused on seizing domains and backend systems used to coordinate the botnets, effectively cutting off the instructions that tell infected devices where and when to send traffic. As with similar operations, the devices themselves remain infected, but without functioning command infrastructure, they are far less useful to their operators.

Officials billed the operation as a blow against some of the most powerful botnets, but the usual problem persists. Millions of insecure devices are still online, many running outdated firmware or stuck with default passwords, providing a ready-made recruitment pool for the next wave of botnet builders.


For now, at least, some of the internet's loudest sources of junk traffic have been dialed down – but the conditions that allowed them to thrive haven't gone anywhere. ®




[1] https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks


[3] https://www.theregister.com/2026/02/06/uk_climbs_up_ddos_hit/


[6] https://www.theregister.com/2026/03/16/cybercrime_iran_war_245_percent_rise/

[7] https://www.theregister.com/2026/02/06/uk_climbs_up_ddos_hit/

[8] https://www.theregister.com/2026/02/03/polish_cops_ddos_arrest/

[9] https://www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/

[10] https://www.theregister.com/2025/12/04/cloudflare_aisuru_botnet/





C2 using Ethereum DNS

Clausewitz4.1

I wonder if they have seized the cryptographic keys for the Ethereum DNS being used…
