Four botnets. Three million compromised IoT devices. Peak attacks hitting 31.4 terabits per second. Coordinated arrests and seizures across the US, Germany, and Canada, with nearly two dozen tech companies involved.

The numbers are big. The structure behind them is more interesting.

Same Business Model, Four Operators

Aisuru, KimWolf, JackSkid, and Mossad were all running the same play: compromise IoT devices at scale, rent the attack capacity, get paid to knock targets offline. Different operators, different volumes – Aisuru issued over 200,000 attack commands, JackSkid ran 90,000-plus, KimWolf 25,000, Mossad about 1,000 – but the same vulnerable, unpatched IoT devices feeding all of them.

The 31.4 Tbps peak isn’t a nuisance number. At that scale, you can take out entire internet service providers, not just individual organizations.

Who Was Actually Running This

One of the more striking details: the suspected core KimWolf operator is a 22-year-old Canadian. A 15-year-old German national is suspected in a separate role. The barrier to running industrial-scale attack infrastructure has fallen significantly. You need a working botnet, a payment processor, and customers who don’t ask questions.

Why the Enforcement Structure Matters

The Defense Criminal Investigative Service – the Pentagon inspector general’s investigative arm – executed the domain seizures in the US. That’s not a typical cybercrime agency. Their involvement suggests DoD infrastructure was on the target list, which gives this a national security dimension beyond ordinary cybercrime.

More importantly: seizing US infrastructure while backup nodes in Germany and Canada stay up accomplishes little. This operation took everything down simultaneously. That’s coordinated enforcement that actually collapses the network’s value instead of just inconveniencing it.

What Takedowns Actually Do

Critics say botnet takedowns are temporary. The code still exists. Operators rebuild. IoT devices stay vulnerable. That’s not wrong. But it misses the point.

Every takedown resets the attacker’s infrastructure investment. Criminal charges raise the personal cost. Evidence gathered feeds future prosecutions. Sustained pressure makes the business less profitable and more legally risky – even if the technical capability to rebuild remains.

The enforcement action is genuinely good news. It’s not a substitute for defense.

