The US Department of Justice announced the disruption of infrastructure supporting four IoT botnets, including Aisuru and KimWolf, in a coordinated operation targeting cybercrime services used to launch large-scale DDoS attacks. The action focused on dismantling command-and-control servers and limiting the operators’ ability to coordinate infected devices.
According to authorities, the botnets were used in a cybercrime-as-a-service model, where operators sold access to attack infrastructure to other threat actors. These services enabled widespread DDoS campaigns impacting businesses and critical infrastructure, often resulting in significant operational disruption and recovery costs.
Botnet capabilities and infection methods
The disrupted botnets relied on large numbers of compromised IoT devices, including routers, cameras, and network-attached storage systems. These devices were typically infected through default credentials, unpatched vulnerabilities, or weak security configurations, allowing attackers to conscript them into coordinated attack networks.
Once infected, devices could be remotely controlled to generate high volumes of malicious traffic, contributing to distributed denial-of-service attacks targeting online services and infrastructure.
Infrastructure design and evasion techniques
Security researchers observed that the botnets employed techniques to maintain resilience against disruption, including distributed command structures and methods to obscure control traffic. These approaches are designed to allow continued operation even when portions of the infrastructure are taken offline.
The scale and organization of the botnets suggest coordinated operations rather than isolated activity, reflecting the continued evolution of structured cybercrime ecosystems.
Disruption impact and ongoing risk
While the takedown disrupts current operations, cybersecurity experts caution that similar threats are likely to re-emerge. The underlying pool of vulnerable IoT devices remains widely available, providing a foundation for new botnets to form.
Millions of internet-connected devices continue to operate with minimal security protections, making them susceptible to compromise. Without broader improvements in device security and patching practices, the conditions that enable large-scale botnet activity are expected to persist.