Four major botnets, responsible for hijacking approximately three million devices and launching over 300,000 distributed denial-of-service (DDoS) attacks, have had their command-and-control infrastructure seized by international law enforcement. The coordinated operation, announced Thursday by the Justice Department, targeted the botnets known as Aisuru, Kimwolf, JackSkid, and Mossad.
These botnets allowed operators to rent out access to infected devices, facilitating a range of cybercrimes including extortion-based DDoS attacks, account abuse, and ad fraud schemes. The disruption involved law enforcement actions in Canada and Germany, crippling the operational capabilities of all four botnets.
Takedown of Major Botnets Disrupts Cybercrime Ecosystem
The Justice Department stated that the seized infrastructure included domains, virtual servers, and other systems essential for the botnets' operation. Taking that command-and-control layer offline is intended to stop the operators from recruiting new devices and from tasking the devices already infected with further attacks. The operation drew on significant international cooperation, with assistance from over 20 companies and organizations, including law enforcement agencies from the Netherlands and Europol.
Notable Botnet Operations and Impact
Two of the botnets, Aisuru and Kimwolf, had previously attracted widespread attention from security researchers because of their scale and unusual methods of propagation. The Kimwolf botnet, an Aisuru variant targeting Android devices, was particularly notable for its rapid spread, reportedly infecting over two million Android TV devices by January. Security researchers identified its abuse of residential-proxy networks, rather than exploitation of a conventional device vulnerability, as the key factor in that growth.
In September, the Aisuru botnet was observed launching a record-breaking DDoS attack, reaching 29.7 terabits per second for 69 seconds, according to Cloudflare. Authorities attributed roughly 200,000 DDoS attacks to Aisuru, 90,000 to JackSkid, and 25,000 to Kimwolf. The Mossad botnet, while smaller, also contributed to the volume of attacks.
Zach Edwards, a threat researcher at Infoblox, explained that DDoS attacks are often used as a form of advertising for botnet operators, showcasing the size and capability of their networks. The primary revenue stream for these operators comes from renting out the infected devices for various criminal activities, such as credential stuffing, password reset attacks, and serving as proxy nodes for other illicit activities.
The devices compromised by these botnets included a wide range of internet-connected devices such as digital video recorders, web cameras, Wi-Fi routers, and TV boxes. A significant number of these compromised devices were located within the United States, according to federal prosecutors.
New Tactics and Growing Threat Landscape
The Kimwolf botnet's success was attributed to a novel propagation approach: abusing residential proxy networks. Because the exit points of such networks sit inside ordinary home networks, the operators could reach devices that were not directly exposed to the internet and would not have been reachable by the internet-wide scanning that IoT botnets traditionally rely on. This allowed Kimwolf to compromise devices without exploiting a traditional firmware vulnerability, creating a new vector for botnet expansion. Amazon Web Services, which assisted in the operation, described Kimwolf as the largest DDoS botnet ever detected, highlighting a fundamental shift in how botnets scale.
This development underscores the ongoing challenge posed by the proliferation of internet-connected devices, often referred to as the Internet of Things (IoT). Many of these devices are deployed with inadequate security measures, making them susceptible to compromise. This trend is driven by the increasing demand for convenience and lower costs in consumer electronics.
The takedown is part of a broader, ongoing global effort to combat large-scale cybercrime operations, including botnets, marketplaces for illicit goods, and malware distribution. Previous targets in this crackdown have included botnets like DanaBot and Rapper Bot, as well as infostealers like Lumma Stealer.
Looking ahead, efforts to disrupt and dismantle botnets are expected to continue as cybercriminals adapt and find new avenues for infection and operation. While this coordinated action represents a significant blow to the botnet ecosystem, the underlying challenges of securing the vast and growing number of connected devices remain. Authorities will likely continue to monitor for the emergence of new botnet threats and pursue similar international collaborations.