DDoS Botnets - US, Canada, and Germany Take Down Four
In short: police from three countries shut down criminal networks of hijacked consumer devices that are used to flood websites with traffic.
Law enforcement from the US, Canada, and Germany dismantled the command-and-control infrastructure of four large DDoS botnets. The botnets ran on millions of infected IoT devices, a reminder of how poorly secured such devices remain. The takedown buys time but does not resolve the underlying problem: the infected devices are still out there and still exploitable.
What Happened
On March 19, 2026, law enforcement officials from the United States, Canada, and Germany successfully dismantled the command-and-control (C2) infrastructure of four notorious DDoS botnets: Aisuru, KimWolf, JackSkid, and Mossad. These botnets were responsible for launching massive distributed-denial-of-service (DDoS) attacks that exploited millions of Internet-of-Things (IoT) devices worldwide. The operation involved issuing seizure warrants targeting the virtual servers, internet domains, and other infrastructure used in these attacks.
The botnets were built from compromised consumer devices such as Android TV boxes and home routers. Because attack traffic left those devices from ordinary residential IP addresses, it blended in with legitimate traffic and evaded IP-reputation blocking; this use of hijacked home devices as relays is known as "residential proxy" cybercrime. One attack attributed to Aisuru in December 2025 peaked at 31.4 terabits per second (Tbps), an indication of the scale these operations had reached.
What It Means
The operation's success is a significant step in combating the ongoing threat posed by botnets, but experts warn that it should not be mistaken for a permanent victory. According to Crystal Morin, a senior cybersecurity strategist at Sysdig, while the takedown disrupts operations, it does not address the root causes of the problem. The underlying vulnerabilities in IoT devices remain, and attackers can easily rebuild their networks under new identities.
John Gallagher, vice president of Viakoo Labs, emphasized that merely mitigating bot threats is insufficient. He pointed out that the number of active bots still deployed within IoT and operational technology (OT) infrastructure is staggering. Without proactive measures to find and remediate these infected devices, the threat landscape will continue to evolve.
Tactics & Techniques
The botnets operated by leveraging poorly secured IoT devices, which are often left unpatched due to a lack of incentives for manufacturers to improve security. Steven Swift, managing director at Suzu Labs, highlighted that although the communications servers were taken down, the infected devices remain vulnerable. Many of these devices can be re-compromised and added to new botnets, perpetuating the cycle of attacks.
The tactics used by these botnets are not just limited to DDoS attacks. They are also employed in various illicit activities where changing the sending IP is beneficial, such as evading IP blacklists. Swift noted that the security community must recognize that the problem of insecure IoT devices is systemic and requires a comprehensive strategy to address it.
Defensive Measures
In light of these developments, security teams must remain vigilant. The takedown is a reminder that while significant progress can be made, the fight against botnets is ongoing: the C2 servers are gone, but the vulnerable devices that fed them are not. Organizations should prioritize identifying and securing the IoT devices on their own networks before someone else does it for them. In practice that means inventorying every such device, changing default credentials, applying firmware updates or replacing devices the vendor no longer supports, segmenting IoT equipment onto its own network, and restricting and monitoring its outbound traffic so that an infected device cannot reach a C2 server or flood a target unnoticed.
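As an added example (not code from the article or from any of the vendors quoted in it), the following Python script sketches one way to find candidate bots in an IoT network from outbound flow records. It looks for the two behaviours described above: a device pushing a very high packet rate at a single destination (DDoS participation) and a device fanning out small flows to many unrelated destinations (residential-proxy use). The IoT VLAN address range, the 60-second aggregation window and the thresholds are assumptions, and the flow records are constructed for the demonstration; in a real deployment the records would come from NetFlow/IPFIX or firewall logs.

```python
import ipaddress
from collections import defaultdict

# Assumed IoT VLAN; adjust to the network actually carrying cameras, TV boxes, etc.
IOT_NETWORK = ipaddress.ip_network("10.20.0.0/24")
# Flow records below are aggregated over this many seconds (assumption).
WINDOW_SECONDS = 60


def constructed_flows():
    """Constructed sample flows: (src_ip, dst_ip, dst_port, packets)."""
    flows = []
    # IP camera: a handful of flows to its vendor cloud, as expected
    flows += [
        ("10.20.0.11", "198.51.100.10", 443, 120),
        ("10.20.0.11", "198.51.100.10", 443, 95),
        ("10.20.0.11", "198.51.100.11", 123, 4),
    ]
    # Android TV box: one flow carrying 600k packets to a single target in 60 s
    flows.append(("10.20.0.42", "203.0.113.5", 80, 600_000))
    # Home router used as a residential proxy: small flows to 60 distinct hosts
    for i in range(60):
        flows.append(("10.20.0.7", f"192.0.2.{i + 1}", 443, 30))
    # Workstation outside the IoT VLAN: the detector ignores it
    flows.append(("10.1.0.5", "203.0.113.9", 443, 50_000))
    return flows


def summarize(flows, iot_network=IOT_NETWORK):
    """Aggregate packets per (source, destination) for sources inside the IoT VLAN."""
    per_host = defaultdict(lambda: defaultdict(int))  # src -> dst -> packets
    for src, dst, _port, packets in flows:
        if ipaddress.ip_address(src) in iot_network:
            per_host[src][dst] += packets
    return per_host


def classify(per_host, window_seconds=WINDOW_SECONDS, ddos_pps=5_000, proxy_min_dsts=50):
    """Label each IoT host as ddos-suspect, proxy-suspect or baseline.

    ddos_pps: packets per second to ONE destination that no camera, TV box or
    home router should legitimately produce (assumed threshold).
    proxy_min_dsts: distinct destinations per window above which a device that
    should only talk to a few vendor endpoints looks like a proxy (assumed).
    """
    verdicts = {}
    for src, by_dst in per_host.items():
        peak_pps = max(by_dst.values()) / window_seconds
        distinct_dsts = len(by_dst)
        if peak_pps >= ddos_pps:
            verdicts[src] = "ddos-suspect"
        elif distinct_dsts >= proxy_min_dsts:
            verdicts[src] = "proxy-suspect"
        else:
            verdicts[src] = "baseline"
    return verdicts


def find_suspects(flows):
    """Return {ip: verdict} for every IoT host seen in the flows."""
    return classify(summarize(flows))


if __name__ == "__main__":
    for ip, verdict in sorted(find_suspects(constructed_flows()).items()):
        print(f"{ip:<12} {verdict}")
```

The thresholds are the weak point of a heuristic like this: a device that legitimately talks to a CDN can exceed the destination fan-out threshold, and a device driving a large DDoS from a slow uplink may not reach the packet-rate threshold. Tune both against a baseline of normal traffic for each device class, and treat a hit as a prompt to pull the device for inspection and reflashing, not as proof on its own.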
As botnets continue to evolve, the use of AI by attackers complicates the picture further, and defenders must adapt quickly as those attacks become more sophisticated. The key takeaway is that the takedown was a critical disruption, but only a temporary one in a much larger fight against cybercrime.
SC Media