This post covers the DoJ’s March 20, 2026 disruption of four IoT botnets. Facts are sourced from the DoJ press release, Cloudflare’s Q4 2025 DDoS Threat Report, Hacker News, and Brian Krebs. No arrests have been announced; the suspects named are alleged operators, not convicted criminals.


What’s New This Week

Today the US Department of Justice, coordinating with Canadian and German authorities and a coalition of 15 private sector companies, disrupted the C2 infrastructure behind AISURU, Kimwolf, JackSkid, and Mossad – the four Mirai-variant botnets responsible for the 31.4 Tbps record DDoS attack in November 2025. No arrests announced. The bots are still infected.


Changelog

Date         Summary
20 Mar 2026  Initial publication following DoJ announcement.

On Thursday, the US Department of Justice disrupted the command-and-control infrastructure behind four IoT botnets: AISURU, Kimwolf, JackSkid, and Mossad. Together they infected roughly 3 million devices worldwide and launched DDoS attacks peaking at 31.4 Tbps – a world record, confirmed by Cloudflare. Most of those 3 million devices are off-brand Android smart TVs and set-top boxes sitting in people’s living rooms. The owners have no idea.

The operation involved authorities in Canada and Germany alongside 15 private sector partners – Akamai, AWS, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. It is the most significant coordinated botnet takedown in years. It is also, by itself, not enough.

What 31.4 Tbps Actually Requires

Let’s do the per-device math. 31.4 Tbps across 3 million devices is roughly 10.5 Mbps per device. That’s a perfectly ordinary number. A home internet connection with 100 Mbps download typically supports 10-20 Mbps of upload. Each infected Android TV box, contributing 10 Mbps, is doing nothing unusual by itself.

The architecture is brute arithmetic: each bot is individually modest; the aggregate is catastrophic. This isn’t about finding 31 Tbps of bandwidth in one place. It’s about finding 3 million devices with reliable, always-on internet connections and coordinating them to fire simultaneously. Cloudflare described the peak as equivalent to “the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and hitting enter at the same second.” That framing makes it visceral, but the engineering framing is more useful: this is distributed computing applied to attack traffic.

Akamai’s data extends the picture beyond the single 35-second peak. The same botnet infrastructure generated attacks averaging 3 billion packets per second, 4 Tbps, and 54 million requests per second. Akamai observed peaks exceeding 30 Tbps, 14 billion packets per second, and 300 million requests per second across the campaign. These are numbers that can overwhelm ISP infrastructure before a target even sees the traffic.

The question for defenders isn’t “how do we absorb 31 Tbps?” – nobody absorbs that at the edge. The question is “how do we route and scrub it fast enough that the origin never sees it?” Anycast and upstream scrubbing are the only viable answers at this scale.

Why Android TVs Are the Perfect Botnet Substrate

Off-brand Android smart TVs and set-top boxes check every box a botmaster needs.

They run outdated Android versions – typically Android 7 through 10 – with no update path. The manufacturer shipped the device, collected the money, and moved on. Security patches stopped the day the product launched. The device is frozen in time, with every known Android vulnerability from its era permanently available for exploitation.

They sit behind the home firewall, which means they’re trusted by default. The home router treats them as internal devices – not external threats. Kimwolf and JackSkid specifically targeted this position, exploiting Android Debug Bridge (ADB) exposed on these devices to gain access to the local network and pivot to other connected systems. AWS’s Tom Scholl described this as “a novel attack vector: residential proxy networks” – the botnet wasn’t just using these TVs as attack nodes, it was using them as footholds inside home networks.

They’re always on. Plugged in, connected, waiting for overnight firmware updates that never come. A compromised Android TV box runs its botnet client silently in the background. The owner sees no performance difference. There’s no visual indicator. The device plays Netflix fine. Meanwhile it’s contributing 10 Mbps to a DDoS attack on the other side of the world.

Kimwolf alone conscripted more than 2 million Android devices. AISURU – Kimwolf’s predecessor, active since at least August 2024 – built the initial infrastructure that Kimwolf was spun out from in October 2025. The combined four botnets reached 3 million devices across DVRs, webcams, routers, and Android TV hardware.

This is the same pattern described in the DarkSword iOS exploit coverage – devices compromised in ways their owners cannot detect. The difference here is scale and vector: not a sophisticated zero-day chain targeting high-value individuals, but mass exploitation of abandoned devices that were never going to be patched.

Mirai’s Lasting Legacy

All four botnets are Mirai variants. That sentence deserves a moment.

Mirai’s source code was published publicly in October 2016, after the original attack that took down Dyn’s DNS infrastructure and knocked Twitter, Netflix, and GitHub offline for hours. The author released the code as a way to avoid being the only person holding it. It became the foundational blueprint for IoT DDoS infrastructure.

A decade later, Mirai has spawned hundreds of variants. The original targets were IP cameras and routers. The current generation – AISURU, Kimwolf – targets Android TV hardware specifically, because that’s where the largest pool of unpatched, always-on, internet-connected devices now lives. The attack surface didn’t shrink; it shifted and grew.

The economics explain the persistence. Mirai’s codebase is freely available. Running a Mirai variant requires less sophistication than building from scratch. And the revenue model – DDoS-as-a-service – is reliable. Lumen Black Lotus Labs null-routed nearly 1,000 C2 servers used by AISURU and Kimwolf. JackSkid was averaging over 150,000 daily victims in early March 2026, peaking at 250,000 on March 8. Mossad was averaging over 100,000 daily victims in the same window. The scale is industrial.

The CaaS Business Model

The operators of these botnets weren’t just launching DDoS attacks for personal grievances. They were running a platform.

The DoJ’s court documents describe a “cybercrime as a service” model: the botnet operators infected devices, maintained the infrastructure, and sold access to other criminals who wanted to launch attacks against targets of their choosing. The botmaster is a service provider. The criminals who deployed attacks against specific victims were customers.

AISURU alone issued over 200,000 attack commands. JackSkid issued over 90,000. Kimwolf issued over 25,000. These aren’t random acts – they’re fulfilled orders. Some victims reported extortion demands; others reported tens of thousands of dollars in losses and remediation costs.

This is the industrialisation of DDoS that has been building since Mirai made the codebase public. What was once a niche capability for technically sophisticated actors is now a subscription service. The supply chain for DDoS attacks now looks like any other cloud infrastructure attack surface – abstracted, commoditised, and available to anyone with a credit card.

Why C2 Disruption Is the Right Move, and Its Limits

The DoJ’s action took down the coordination layer. The C2 servers are gone – seized or null-routed. The botnets can no longer receive commands or issue attack traffic. For now.

This is the correct intervention. It requires the level of coordination that only government action can provide: cross-border legal authority, seizure warrants, simultaneous action across multiple jurisdictions. The private sector partners provided the intelligence and technical capability; the government provided the legal mechanism. Lumen null-routed the servers. Cloudflare and Akamai absorbed and characterized the attack traffic. XLab provided sample hashes and C2 configurations. This is what effective takedown looks like.

But the limits are real. No arrests have been announced, despite Brian Krebs identifying the suspected Kimwolf administrator as Jacob Butler, 23, of Ottawa, and reporting that the other prime suspect is a 15-year-old in Germany. The operators are still out there. The 3 million infected devices are still infected – the C2 disruption doesn’t clean them, it just cuts the command channel. And every off-brand Android TV that isn’t patched is still exploitable by the next botnet that copies Kimwolf’s spreading mechanism.

Lumen’s Ryan English put it plainly: “The problem is, there are just so many devices out there that are vulnerable.” Since Synthient publicly disclosed the spreading vulnerability on January 2, 2026, multiple new botnets have emerged copying Kimwolf’s technique. Disrupting one set of operators doesn’t close the vulnerability. It creates a temporary opening that competitors fill.

This is the same dynamic as supply chain attacks via trusted vectors – the attack surface is structural, not individual. Taking down one actor buys time. It doesn’t fix the problem.

What Engineers Should Take From This

If you run anything public-facing: 31 Tbps is now the established threat model for record-breaking DDoS. Your edge cannot absorb this. Anycast-based scrubbing services – Cloudflare, Akamai, AWS Shield Advanced – are the realistic defense. If you’re relying on on-premises DDoS mitigation, reconsider. This week’s attacks exceeded what most cloud-based mitigation services can handle without upstream provider cooperation.

If you sell or deploy IoT hardware: Long-term patch support is a security requirement. Not a differentiator, not a nice-to-have – a requirement. Devices that ship and never receive security updates become botnet substrate by default. The manufacturers of these off-brand Android TV boxes have effectively donated 2 million devices to DDoS infrastructure.

If you manage home or office networks: Treat off-brand Android TV boxes as untrusted devices. They should not be on the same VLAN as anything sensitive. Network segmentation between consumer IoT and production or personal systems is not paranoia at this point – it’s table stakes. These devices are actively exploited to pivot into local networks.
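As an added example (not code from the post, the DoJ, or any of the named vendors), here is a small flow-log triage script for a network where consumer IoT sits on its own VLAN. It flags the three conditions the post describes: an IoT device sustaining outbound traffic near the ~10.5 Mbps per-bot share of the 31.4 Tbps attack, any flow the IoT VLAN initiates into the trusted VLAN, and ADB's TCP port on an IoT device being reached from outside that VLAN. The subnet addresses, the flow-record layout, the 120-second window and the 5 Mbps threshold are all assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("192.168.50.0/24")      # assumed: consumer IoT segment (TV boxes, DVRs)
TRUSTED_VLAN = ip_network("192.168.10.0/24")  # assumed: laptops, NAS, work systems
ADB_PORT = 5555           # default port for ADB over TCP
SUSTAINED_MBPS = 5.0      # roughly half the ~10.5 Mbps per-bot share of the 31.4 Tbps attack
WINDOW_SECONDS = 120      # assumed: each flow export covers this fixed window

# Constructed flow records for one 120-second window: (src, dst, dst_port, bytes_from_src)
SAMPLE_FLOWS = [
    ("192.168.50.21", "203.0.113.9", 80, 180_000_000),    # TV box pushing ~12 Mbps outbound
    ("192.168.50.22", "198.51.100.4", 443, 3_000_000),    # TV box doing ordinary streaming chatter
    ("192.168.50.21", "192.168.10.5", 445, 4_096),        # IoT VLAN reaching into trusted VLAN
    ("203.0.113.77", "192.168.50.22", 5555, 1_024),       # Internet host reaching ADB on a TV box
]

def mbps(byte_count, seconds):
    """Convert a byte count observed over a window into megabits per second."""
    return byte_count * 8 / seconds / 1_000_000

def find_sustained_uploaders(flows, window=WINDOW_SECONDS, threshold=SUSTAINED_MBPS):
    """Aggregate Internet-bound bytes per IoT source and report sources above the threshold.
    A consumer TV box should rarely sustain more than a few Mbps upstream."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in IOT_VLAN and d not in IOT_VLAN and d not in TRUSTED_VLAN:
            totals[src] += nbytes
    return {src: round(mbps(b, window), 1) for src, b in totals.items()
            if mbps(b, window) >= threshold}

def find_iot_to_trusted(flows):
    """Any flow the IoT VLAN initiates into the trusted VLAN: the pivot path the post
    describes, and exactly what segmentation rules should be dropping."""
    return [(src, dst, port) for src, dst, port, _ in flows
            if ip_address(src) in IOT_VLAN and ip_address(dst) in TRUSTED_VLAN]

def find_adb_exposure(flows):
    """Flows to ADB's TCP port on an IoT device from outside the IoT VLAN, meaning the
    debug bridge is reachable where it never should be."""
    return [(src, dst) for src, dst, port, _ in flows
            if port == ADB_PORT and ip_address(dst) in IOT_VLAN and ip_address(src) not in IOT_VLAN]

if __name__ == "__main__":
    print("sustained uploaders:", find_sustained_uploaders(SAMPLE_FLOWS))
    print("iot -> trusted:", find_iot_to_trusted(SAMPLE_FLOWS))
    print("adb reachable from outside:", find_adb_exposure(SAMPLE_FLOWS))
```

Feed it real flow exports (NetFlow/IPFIX or router connection logs converted to the same tuple shape) per window; a device that trips the upload rule repeatedly across windows is a candidate for isolation, not just a log line.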

If you’re watching the Mirai family: JackSkid and Mossad variants are already copying Kimwolf’s spreading technique. The vulnerability that Kimwolf used to propagate through residential proxy networks has been public since January 2026. New botnets are using it now. Patch your DVRs. Patch your cameras. If a device hasn’t received a security update in 12 months, assume it’s compromised or exploitable.


The C2 infrastructure is down. The botnet operators haven’t been arrested. The 3 million infected devices are still infected. The off-brand TV boxes that made this possible will never be patched by their manufacturers. And the Mirai source code is still public.

The disruption buys time. What happens with that time – whether regulators mandate security update requirements for consumer IoT, whether ISPs block ADB exposure at the edge, whether prosecutors actually charge the identified operators – will determine whether March 20, 2026 was a meaningful inflection point or just the takedown before the next record.