Jérôme Meyer

174 Followers
164 Following
47 Posts

Security research at Nokia Deepfield (he/they).

EN/FR posts | Fan of Crocker’s Rules, art, and the Oxford comma.

Homepage: https://med.ac/about
Signal: jmeyer.01
Work account: https://infosec.exchange/@deepfield

New, from our ERT: #CECbot, an Android TV botnet and the first malware we're aware of that exploits HDMI-CEC.

It puts the TV to sleep so you don't notice the box behind it is running DDoS and residential proxy traffic. Curve25519/ChaCha20 crypto, 9 persistence layers, and... LAN mapping.

Successor to a Mirai fork, shares not much but the C2 server.

https://github.com/deepfield/public-research/blob/main/cecbot/report.md

#threatintel #DDoS


Yesterday, the U.S. Department of Justice announced a coordinated international operation to disrupt four of the world's largest IoT DDoS botnets — Aisuru, Kimwolf, Jackskid, and Mossad — responsible for record-breaking attacks reaching approximately 30 Tbps.

Together, these botnets had hijacked over three million devices worldwide and launched hundreds of thousands of DDoS attacks against victims across the globe.

This was a massive collaborative effort involving law enforcement agencies in the U.S., Canada, and Europe, alongside many private-sector partners. We're proud that Nokia was among the companies that contributed — our Deepfield Emergency Response Team helped map botnet infrastructure and supported the takedown efforts.

Full DOJ press release: https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks

#operationpoweroff

One custom RC4 seed led us to four botnets, five C2 channels, and a developer who shipped their Windows username and Cursor IDE logs with their malware.

Equal parts cryptography, thread-pulling, and easter eggs.

https://github.com/deepfield/public-research/blob/main/reports/2026-03-20-aisuru-ecosystem.md

#threatintel #Aisuru #kimwolf #jackskid #mossadproxy #cecilio


New, breaking: Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

No word yet on which botmasters got a visit from feds, but the DOJ statement references law enforcement actions against botmasters in Canada and Germany. Last month, I reported on a likely identity behind Dort, the main individual behind the Kimwolf botnet. The other suspect was a 15 y/o from Germany.

https://krebsonsecurity.com/2026/03/feds-disrupt-iot-botnets-behind-huge-ddos-attacks/

KimWolf and other botnets are down. Most folks in custody, control network gone, assets are divided among others, so overall capabilities are down. https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks

In 2025 botnets started using residential proxy networks (like IPIDEA which Google disrupted in Jan) to spread to vulnerable IoT within home networks. DDoS quadrupled in size, a step change in the expected exponential growth trend (here shown on a log scale).

To diffuse the attack power, I convinced industry peers that we should publish the infection method. https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/ This led to a fragmentation of the bots across several botnets, reducing the largest attacks from 30 Tbps to 10 Tbps.

Today a multinational law enforcement action disrupted 4 of those botnets: Aisuru, KimWolf, JackSkid, and Mossad. https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks It will be interesting to watch how the peak attack sizes grow or decrease in the coming weeks!

RE: https://infosec.exchange/@deepfield/116257216814128898

We dug into the binaries from a Xiongmai DVR proxyware campaign that @nicter_jp wrote up. Mirai stripped for parts, PacketSDK with a dead dispatch chain, and a dormant RCE backdoor that's just... waiting.

Our report (which really is a companion piece to NICTER's): https://github.com/deepfield/public-research/blob/main/reports/2026-03-19-xiongmai-packetsdk-ipidea.md

#threatintel #IPIDEA

New GreyNoise At The Edge brief: The internet's scanning infrastructure is reorganizing.

UCLOUD (HK) surged +578% to become the #1 scanning ASN — now 15.6% of all observed traffic. Western providers declining simultaneously.

301.8M sessions. 439K IPs. Here's what we found.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-031626

📣 In case you missed it: last week the FBI released a Public Service Announcement on residential proxy networks. The notice explains, at a high level:

- What residential proxy networks are
- How they work
- How your device can become part of a residential proxy network
- How criminals are exploiting them
- Best practices to help protect yourself

Read the announcement here 👉 https://www.ic3.gov/PSA/2026/PSA260312

It’s encouraging to see residential proxies - an often overlooked security threat... ⤵️

More seriously though, this is one of the symptoms of the fallout from the residential proxy + ADB vulnerability discovered by @synthient at the end of last year.

Several botnets are now competing for access and persistence on this vast pool of proxy exit nodes. This is just one of them (not the biggest).