
Aisuru and KimWolf Botnets Disrupted in International Operation


Cybercrime, DDoS Protection, Fraud Management & Cybercrime

No Arrests, But Virtual Servers, IP Addresses Seized and Residencies Searched

Image: Sergey Nivens/Shutterstock

U.S. authorities have dismantled key infrastructure behind the largest distributed denial-of-service (DDoS) attack ever documented. The operation targeted several botnets and led to the seizure of virtual servers tied to the KimWolf and Aisuru botnets, among others, as part of a coordinated international effort against cybercrime.

The KimWolf botnet gained notoriety after a record-breaking assault on Cloudflare in December 2025 that delivered 31.4 terabits per second of attack traffic, a figure that has raised alarms in cybersecurity circles. Federal authorities obtained a search warrant on March 16 to seize infrastructure used not only by KimWolf and Aisuru but also by two smaller botnets, JackSkid and Mossad, the latter of which, despite its name, has no affiliation with the Israeli intelligence agency.

All four botnets are variants of Mirai, the malware known for compromising vulnerable connected devices and turning them into a pool of bots for DDoS attacks and cryptojacking. Many editions of Mirai trace back to the leak of its source code, which anonymous developers released following the arrests of the original creators in 2017.

The operators of these four botnets had been offering their infrastructure as a service on cybercrime forums, letting customers launch DDoS attacks or use infected devices as residential proxies on demand. German and Canadian law enforcement joined U.S. authorities in the operation, conducting residential searches and seizing cryptocurrency linked to the activity. According to an investigator's affidavit, KimWolf's administration has been traced to British Columbia and Quebec in Canada and to Hanover, Germany. Although significant infrastructure was seized, authorities reported no arrests as of yet.

The KimWolf botnet has drawn particular scrutiny for its novel tactic of hijacking Android TV set-top boxes that are reportedly already compromised and using them as footholds to commandeer other devices on the same network and recruit them into the botnet. Industry experts estimate that KimWolf has infected between 3 and 5 million devices, a figure that underscores the scale of the threat. This information was relayed to federal investigator Elliott Peterson, who previously worked on cases involving the original Mirai botnet.

Cybersecurity firm Xlab conducted an analysis suggesting that KimWolf and Aisuru are likely part of a unified cybercrime group. Insight into this group’s operations points to a young German hacker known by the aliases “Snow” or “Lucy,” potentially named Philip, as having played a crucial role in the creation of these botnets. The Mossad botnet appears to be an independent project attributed to this same hacker, who reportedly expressed feelings of betrayal by two Canadian associates in a DDoS service-oriented Telegram channel in early 2025.

Peterson, an agent working for the Defense Criminal Investigative Service (DCIS), which falls under the Department of Defense, voiced concerns about the reach and implications of the KimWolf botnet. While the Aisuru botnet has made headlines for its ability to convert digital video recorders into components of its network, both botnets have participated in a series of high-profile DDoS attacks since their inception. Cloudflare attributed an extraordinary series of attacks in late December, dubbed “The Night Before Christmas,” to a combined effort of Aisuru and KimWolf. Despite Peterson’s uncertainties regarding the origins of these attacks, the evidence points toward an amalgamation of botnet activities.

The peak request rate during these attacks reached 205 million requests per second, a rate Cloudflare compared to the entire populations of the U.K., Germany and Spain entering a web address at the same moment. Although the operators of Aisuru and KimWolf appear to steer clear of government and military targets, an evident attempt to avoid law enforcement scrutiny, Peterson's affidavit states that all four botnets had launched indiscriminate DDoS attacks that hit IP addresses belonging to the U.S. Department of Defense Information Network.

Despite the apparent effort to avoid triggering law enforcement action through selective targeting, history indicates that such tactics may not prove effective in the long run, as demonstrated by various past enforcement initiatives. While the takedown of significant cybercriminal networks remains a central focus of agencies worldwide, the ongoing battle with cybercrime continues as new players arise, vying to profit from the illicit sale of proxies and DDoS services.

With reporting by Information Security Media Group’s Rashmi Ramesh in Bengaluru, India.
