How International Law Enforcement Disrupted Massive IoT Botnets: A Step-by-Step Guide

2026-05-03 07:12:41

Introduction

In early 2026, a coordinated operation led by the U.S. Department of Justice, alongside Canadian and German authorities, dismantled four notorious Internet of Things (IoT) botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that had compromised over three million devices and launched catastrophic distributed denial-of-service (DDoS) attacks. This guide walks you through the exact steps law enforcement took to identify, infiltrate, and neutralize these threats. Whether you're a cybersecurity professional, a student, or just curious, understanding this process reveals how global collaboration and technical forensics can stop digital armies. Each numbered step below mirrors the real-world sequence used by the FBI, the Defense Criminal Investigative Service (DCIS), and their partners.

Source: krebsonsecurity.com

Step-by-Step Guide

Step 1: Identify the Botnets and Their Attack Vectors

Begin by monitoring global DDoS attack waves. In late 2024, security researchers noticed record-breaking traffic spikes originating from compromised routers and IP cameras. The oldest botnet, Aisuru, issued over 200,000 attack commands by mid-2025. Use network telescopes, honeypots, and public threat intelligence feeds to map infected IPs and command-and-control (C2) servers. For example, Aisuru leveraged weak default credentials on IoT devices. Document each distinct malware family: Kimwolf (a variant), JackSkid, and Mossad. Categorize their propagation methods—Kimwolf introduced a novel technique to infect devices hidden behind internal networks, as disclosed by Synthient on January 2, 2026.
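As an added illustration of the telemetry half of this step (example code, not material from the article or from the agencies it names), the following Python triages honeypot login logs to find sources that try factory-default credentials, which is how weak-credential botnets show up at a honeypot. The log format, the sample lines and the small credential list are constructed for the example; a production honeypot writes its own format, so the regex would be adapted to it.

```python
import re
from collections import defaultdict

# Constructed honeypot log lines (illustrative format, not real traffic).
# Fields: timestamp, source IP, event, username, password, outcome.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.7 login user=admin pass=admin result=fail
2025-06-01T10:00:02Z 203.0.113.7 login user=root pass=root result=ok
2025-06-01T10:00:05Z 198.51.100.23 login user=root pass=hunter2 result=fail
2025-06-01T10:00:09Z 192.0.2.55 login user=admin pass=1234 result=fail
2025-06-01T10:00:10Z 192.0.2.55 login user=admin pass=admin result=fail
2025-06-01T10:00:11Z 192.0.2.55 login user=user pass=user result=fail
"""

# Small constructed list of factory-default pairs; a real deployment would
# load a curated feed instead of hardcoding these.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
    ("root", "12345"), ("user", "user"),
}

# Passwords containing spaces are not handled by this simple pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) login "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return the fields of one login record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Per source IP: total attempts, default-credential attempts, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "default_hits": 0, "successes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["attempts"] += 1
        if (rec["user"], rec["pw"]) in DEFAULT_CREDENTIALS:
            s["default_hits"] += 1
        if rec["result"] == "ok":
            s["successes"] += 1
    return dict(stats)


def infected_candidates(log_text, min_default_hits=2):
    """Sources that got in, or that cycled through several default pairs,
    are the ones worth feeding into the infected-IP map."""
    stats = triage(log_text)
    return sorted(
        ip for ip, s in stats.items()
        if s["successes"] > 0 or s["default_hits"] >= min_default_hits
    )


if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_LOG).items()):
        print(ip, s)
    print("candidates:", infected_candidates(SAMPLE_LOG))
```

The threshold on default-credential attempts keeps a single mistyped login from being treated as a bot; the candidate list is what gets cross-referenced against network-telescope and threat-feed data in the rest of this step.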

Step 2: Map the Infrastructure

Once botnets are named, trace their command structure. Use reverse-engineering of malware binaries to uncover hardcoded C2 domains, IP addresses, and DNS records. The DOJ found that these four botnets used multiple U.S.-registered domains and virtual servers. Engage with domain registrars and cloud hosts to confirm ownership and gather logs. For instance, JackSkid targeted internal network devices just like Kimwolf, suggesting shared tactics. Cross-reference infrastructure details with Canadian and German counterparts—this operation involved “law enforcement actions” in Canada. Create a comprehensive map of every server, domain, and registrar involved.

Step 3: Obtain Legal Warrants

Approach the relevant federal court for seizure warrants. The DCIS executed warrants targeting U.S.-registered domains, virtual servers, and “other infrastructure” used in DDoS attacks against Department of Defense IP addresses. Include probable cause affidavits citing victim losses (some reported tens of thousands of dollars) and the botnets’ extortion demands. In this case, the warrants were specific to domains and servers linked to the four botnets. Ensure warrants also cover international data—work with Canada and Germany to obtain equivalent legal orders.

Step 4: Coordinate International Simultaneous Actions

With warrants in hand, synchronize takedown operations across borders. The FBI Anchorage Field Office, led by Special Agent in Charge Rebecca Day, provided the U.S. hub. Set a precise date and time for domain registrars to pull domains, for hosting providers to shut down virtual servers, and for Canadian and German teams to conduct their actions. This prevents botnet operators from migrating infrastructure. The DOJ noted that the disruption coincided with actions in Canada—timing is critical to maximize impact.

Step 5: Execute Seizure and Neutralize Infrastructure

On the operation day, law enforcement serves the warrants. Domain registrars transfer the botnet domains to government-controlled DNS servers, or take them offline. Virtual servers are seized and imaged for evidence. In this case, the DOJ “executed seizure warrants” against multiple U.S.-registered domains and servers. For botnets like Aisuru and Kimwolf, this cut their ability to send attack commands. The operation also targeted infrastructure that allowed Kimwolf to spread—after Synthient’s disclosure, law enforcement knew precisely which vulnerability to block. Ensure all seized assets are preserved for forensic analysis.

Step 6: Notify and Clean Up Victim Devices

After disabling C2 infrastructure, the next priority is to prevent reinfection and help victims. The DOJ action was designed to “prevent further infection to victim devices.” Work with ISP partners and technology companies to identify IP addresses of compromised routers and cameras—over three million devices were affected. Send notifications through ISPs, offering remediation instructions (factory reset, firmware updates). In some cases, the botnets’ propagation scripts would stop working once C2 was gone. Publicize the takedown to raise awareness and encourage device owners to change passwords.
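As an added example covering Steps 5 and 6 (not code from the article or from the operation it describes), the following Python processes connection records from a sinkhole that seized domains now point at, attributes each victim IP to an ISP by longest-prefix match, and drafts one notification per ISP. The log lines, prefixes and abuse contacts are constructed; documentation address ranges stand in for customer space, and a real run would take its prefix table from BGP or WHOIS data supplied by the ISPs.

```python
import ipaddress
from datetime import datetime

# Constructed sinkhole records: UTC timestamp, victim IP, queried botnet
# domain. Every inbound connection to the sinkhole is a still-infected device.
SINKHOLE_LOG = """\
2026-01-15T03:00:01Z 203.0.113.7 cnc.example-c2.test
2026-01-15T03:00:04Z 203.0.113.9 cnc.example-c2.test
2026-01-15T03:00:04Z 203.0.113.7 cnc.example-c2.test
2026-01-15T03:01:10Z 198.51.100.23 report.example-c2.test
2026-01-15T03:02:00Z 192.0.2.55 cnc.example-c2.test
2026-01-15T03:02:30Z 10.0.0.5 cnc.example-c2.test
"""

# Constructed prefix table: network -> (ISP name, abuse contact). The ranges
# are IANA documentation blocks used as stand-ins for real customer space.
PREFIX_TO_ISP = {
    "203.0.113.0/24": ("ExampleNet", "abuse@examplenet.test"),
    "198.51.100.0/24": ("SampleTelecom", "abuse@sampletelecom.test"),
    "192.0.2.0/24": ("DocuISP", "abuse@docuisp.test"),
}


def parse_sinkhole_log(text):
    """Return (datetime, ip_address, domain) tuples, one per log line."""
    records = []
    for line in text.splitlines():
        ts, ip, domain = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((when, ipaddress.ip_address(ip), domain))
    return records


def lookup_isp(ip, table=PREFIX_TO_ISP):
    """Longest-prefix match; None means no ISP in the table owns the address."""
    best = None
    for prefix, contact in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_notifications(records, table=PREFIX_TO_ISP):
    """Group unique victim IPs per ISP with first/last seen and domains hit."""
    batches, unattributed = {}, set()
    for ts, ip, domain in records:
        hit = lookup_isp(ip, table)
        if hit is None:
            unattributed.add(str(ip))
            continue
        name, contact = hit
        batch = batches.setdefault(name, {"contact": contact, "victims": {}})
        v = batch["victims"].setdefault(
            str(ip), {"first_seen": ts, "last_seen": ts, "domains": set()}
        )
        v["first_seen"] = min(v["first_seen"], ts)
        v["last_seen"] = max(v["last_seen"], ts)
        v["domains"].add(domain)
    return batches, sorted(unattributed)


def render_notice(name, batch):
    """Plain-text notice an ISP can forward to its customers."""
    lines = [
        f"To: {batch['contact']}",
        f"Subject: {len(batch['victims'])} infected device(s) in {name} address space",
        "",
    ]
    for ip, v in sorted(batch["victims"].items()):
        lines.append(
            f"{ip}  first={v['first_seen'].isoformat()}  "
            f"last={v['last_seen'].isoformat()}  domains={','.join(sorted(v['domains']))}"
        )
    lines += ["", "Recommended remediation: factory reset, update firmware, "
                  "replace default credentials."]
    return "\n".join(lines)


if __name__ == "__main__":
    batches, unattributed = build_notifications(parse_sinkhole_log(SINKHOLE_LOG))
    for name, batch in sorted(batches.items()):
        print(render_notice(name, batch), end="\n\n")
    print("unattributed (no ISP match):", unattributed)
```

Addresses with no prefix match are kept in a separate list rather than dropped, since a gap in the routing table is itself something to chase with partners; the per-IP first and last seen timestamps let an ISP match the record to a customer session even where addresses are dynamically assigned.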

Step 7: Analyze Intelligence and Pursue Operators

The mission isn’t over after the takedown. Use seized data to trace the unnamed operators behind the botnets. The government alleges they launched “hundreds of thousands of DDoS attacks” and demanded extortion. Forensic analysis of the seized servers can reveal logs of extortion communications, cryptocurrency wallets, and personal identifiers. This step may lead to criminal charges. The case is being investigated by DCIS with FBI assistance—further actions may be publicized later.
