
Global law enforcement operation takes down massive 3-million-device botnet empire

  • Marijan Hassan - Tech Journalist
  • 2 days ago

Authorities from the United States, Germany, and Canada have successfully dismantled the command-and-control infrastructure of four major botnets that had hijacked more than three million devices worldwide. The operation, finalized on March 19, 2026, targeted the Aisuru, KimWolf, JackSkid, and Mossad networks, which were responsible for some of the most destructive cyberattacks in internet history.



The U.S. Department of Justice (DOJ) revealed that the botnets were primarily composed of compromised Internet of Things (IoT) devices, including Wi-Fi routers, digital video recorders (DVRs), and web cameras.


Hundreds of thousands of the infected devices were located within the United States, including IP addresses belonging to the Department of Defense Information Network.


"Today’s disruption of four powerful botnets highlights our commitment to eliminate emerging cyber threats to our national infrastructure," said Kenneth DeChellis, a special agent in charge at the Defense Criminal Investigative Service (DCIS).


The rise of "residential proxy" cybercrime

The targeted botnets operated under a "cybercrime-as-a-service" model, where the operators rented out access to their "zombie army" of infected devices to other criminals. This allowed bad actors to mask their true locations by routing malicious traffic through the home IP addresses of unsuspecting citizens.


Security researchers highlighted a particularly dangerous evolution in the KimWolf and JackSkid botnets. Unlike older networks that scanned the open internet for victims, these variants specifically targeted residential proxy networks to infiltrate devices hidden behind home firewalls.


By January 2026, KimWolf had reportedly compromised over two million Android-based streaming boxes and smart TVs alone.


Record-breaking attacks and extortion

The scale of these networks allowed for "hyper-volumetric" Distributed Denial-of-Service (DDoS) attacks. In late January 2026, these botnets were linked to a record-breaking attack that peaked at 31.4 Terabits per second (Tbps) - a volume of traffic capable of crippling the digital infrastructure of entire countries.


Beyond sheer disruption, the operators used the botnets for financial gain. Victims, ranging from small businesses to major telecommunications firms, reported tens of thousands of dollars in remediation costs. In many cases, the botnet administrators demanded cryptocurrency ransom payments to stop the digital sieges.


International coordination and future risks

The operation involved the seizure of dozens of U.S.-registered domains and virtual servers. While no domestic arrests were immediately announced by the DOJ, law enforcement in Germany and Canada conducted simultaneous "actions" targeting the suspected administrators.


German police confirmed they have identified two key individuals, a 22-year-old Canadian and a 15-year-old living in Germany, and seized evidence from their residences.


Despite the victory, cybersecurity experts at firms like Cloudflare and Akamai warn that the threat remains persistent. Because the underlying vulnerabilities in many IoT devices remain unpatched, new botnets are expected to emerge and compete for the same pool of "zombie" hardware.


The DOJ was assisted by a coalition of more than 20 technology companies, including Google, Amazon Web Services, and Oracle, underlining the necessity of public-private partnerships in modern cyber defense.
