Announcements · March 21, 2026 · 4 min read

DOJ Disrupts 3M-Device Botnets Behind 31 Tbps DDoS Attacks

International operation seizes C2 infrastructure for AISURU, Kimwolf, JackSkid, and Mossad botnets. Peak attacks hit 31.4 Tbps, targeting DOD systems and critical infrastructure.

ProbablyPwned Team

The Department of Justice announced the disruption of command-and-control infrastructure behind four massive IoT botnets responsible for some of the largest DDoS attacks ever recorded—including one that peaked at 31.4 terabits per second.

The coordinated operation with German and Canadian authorities targeted AISURU, Kimwolf, JackSkid, and Mossad, which collectively infected more than three million devices worldwide. Hundreds of thousands of those compromised devices are located in the United States.

Scale of the Threat

The numbers are staggering. According to court documents, the botnets were capable of generating:

  • 31.4 Tbps peak attack volume (November 2025, lasting 35 seconds)
  • 14 billion packets per second combined throughput
  • 300 million requests per second for application-layer attacks
  • Over 316,000 DDoS commands issued across all four networks

The November attack briefly set a new record for volumetric DDoS, though the 35-second duration suggests it may have been a capability test rather than a sustained assault.

High-Value Targets

These weren't just botnets-for-hire hitting gaming servers. Court filings reveal attacks against US Department of Defense systems and other high-value targets, though specifics remain sealed. The targeting profile suggests either nation-state interest or customers willing to pay premium rates for attacks on hardened infrastructure.

Kimwolf in particular represented what researchers called "a fundamental shift in how botnets operate." Rather than simply recruiting vulnerable IoT devices, Kimwolf operators infiltrated residential proxy networks through compromised streaming devices, gaining their foothold through Android Debug Bridge interfaces left exposed on those boxes. That placed them inside home networks that are normally shielded from the internet by a firewall.

Suspects Identified

Two primary suspects have been named:

  • Jacob Butler, 23, of Ottawa, Canada (administrator alias: "Dort")
  • A 15-year-old in Germany

No arrests have been announced. The operation focused on seizing domains and backend systems used to coordinate the botnets, effectively severing the command channel that tells infected devices when and where to attack.

Infected Devices Remain Compromised

Here's the catch: the takedown disrupted command infrastructure, but millions of devices remain infected. DVRs, IP cameras, routers, and streaming boxes that were recruited into these botnets are still running malware—they just can't receive instructions from the seized C2 servers.

This is a recurring limitation of botnet takedowns. The operators often rebuild using new infrastructure, and the underlying vulnerable devices continue to exist. Without coordinated remediation efforts, these same devices could be re-recruited into successor botnets within months.

For organizations wondering whether their IoT infrastructure was part of these networks, look for devices with:

  • Default or weak credentials
  • Exposed management interfaces
  • Unpatched firmware from 2023 or earlier
  • Unusual outbound traffic patterns

Broader Context

This operation continues a pattern of law enforcement focus on DDoS-for-hire infrastructure. Finland recently arrested the crew behind Baltic submarine cable sabotage, and Interpol's Operation Synergia III dismantled thousands of malicious IPs globally.

The Kimwolf technique of leveraging residential proxy networks deserves particular attention. As more organizations deploy IoT devices without proper network segmentation, attackers are finding creative ways to weaponize that footprint. A compromised smart TV becomes a beachhead into corporate VPNs when employees work from home.

Why This Matters

DDoS attacks at this scale can overwhelm even well-defended infrastructure. A 31 Tbps attack saturates most enterprise and even some carrier-grade network links before mitigation can engage. The fact that these botnets targeted DOD systems suggests either testing defenses for future operations or providing services to adversarial nation-states.

The involvement of a 15-year-old administrator also highlights ongoing concerns about young threat actors in cybercrime. The barrier to entry for botnet operation has dropped significantly, with tutorials and tooling readily available on underground forums.

For defenders, the takeaway is straightforward: audit your IoT footprint, segment networks properly, and monitor for C2 beaconing behavior. The next botnet will likely use similar recruitment techniques—and some of those three million devices will be available for re-infection.
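The two traffic-side checks above, "unusual outbound traffic patterns" in the audit list and "monitor for C2 beaconing behavior" here, can be turned into simple detection logic over flow records. The script below is an added example, not code from the article or from any of the named investigations; the flow records are constructed sample data using documentation address ranges, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed outbound flow records from an IoT VLAN, not data from the article:
# (timestamp in seconds, source IP, destination IP, destination port, bytes).
FLOWS = [
    # IP camera checking in about once a minute with tiny payloads
    (0, "10.20.0.11", "203.0.113.5", 443, 120),
    (61, "10.20.0.11", "203.0.113.5", 443, 118),
    (119, "10.20.0.11", "203.0.113.5", 443, 121),
    (181, "10.20.0.11", "203.0.113.5", 443, 119),
    (240, "10.20.0.11", "203.0.113.5", 443, 120),
    # DVR emitting 400 small flows to one host in under a second (flood)
    *[(300 + i * 0.002, "10.20.0.12", "198.51.100.9", 80, 64) for i in range(400)],
    # streaming box with ordinary, irregular traffic
    (5, "10.20.0.13", "192.0.2.10", 443, 5400),
    (410, "10.20.0.13", "192.0.2.12", 443, 1200),
]

def find_beacons(flows, min_count=4, min_period=5.0, max_jitter=0.1):
    """(src, dst) pairs whose connection gaps are regular enough to be timer-driven."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _size in flows:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation = fixed check-in timer; min_period skips floods
        if avg >= min_period and pstdev(gaps) / avg <= max_jitter:
            beacons.append(pair)
    return beacons

def find_floods(flows, window=1.0, threshold=200):
    """Sources that opened more than `threshold` flows inside any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, *_ in flows:
        by_src[src].append(ts)
    flooders = set()
    for src, stamps in by_src.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:  # slide the window start forward
                left += 1
            if right - left + 1 > threshold:
                flooders.add(src)
                break
    return sorted(flooders)
```

Feed it real flow exports (NetFlow, Zeek conn logs) converted to the same tuple shape; hits from either function are candidates for isolation and firmware review, not proof of infection on their own.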
