Overview
- The Justice Department and Defense Criminal Investigative Service led a court‑authorized operation on March 19–20 that seized U.S.-registered domains, virtual servers and other systems tied to the four Mirai‑derived botnets.
- More than 3 million devices were infected worldwide, largely IoT gear such as DVRs, cameras and routers, with Kimwolf spreading through residential‑proxy networks and compromised Android TV boxes to reach home networks.
- Cloudflare linked Aisuru and Kimwolf to a November 2025 DDoS burst peaking at about 31.4 Tbps, while court filings attribute over 200,000 attack commands to Aisuru, 90,000 to JackSkid, 25,000 to Kimwolf and roughly 1,000 to Mossad.
- Parallel actions in Canada and Germany targeted suspected operators; officials reported searches and seizures of data storage devices and cryptocurrency, with no arrests announced.
- The takedown cuts operational control of the botnets, whose activity included strikes on Department of Defense IP ranges, but infected devices remain online, and private-sector partners such as Cloudflare, Akamai and AWS continue to assist.