US Disrupts Massive IoT Botnets Behind Record 30 Tbps DDoS Attacks
The U.S. DoJ disrupted four IoT botnets that infected 3 million devices and launched record-breaking 30 Tbps DDoS attacks. Akamai, Cloudflare and other tech firms assisted the takedown.
The U.S. Department of Justice announced the disruption of four IoT botnets responsible for record-breaking DDoS attacks peaking at 30 Tbps. The operation targeted the command-and-control infrastructure behind AISURU, Kimwolf, JackSkid and Mossad, with help from Akamai, Cloudflare, AWS, Google, Lumen and a dozen other tech companies.
Scale of the Problem
These botnets had infected at least 3 million devices worldwide, including smart TVs, set-top boxes, cameras and Wi-Fi routers. Hundreds of thousands were located in the U.S. alone. The combined attack capacity hit 31.4 Tbps in a single incident last November, a new record that Cloudflare described as equivalent to the populations of the UK, Germany and Spain all hitting enter on a URL at the same second.
The operators ran a cybercrime-as-a-service model, selling access to the infected device network to other criminals. AISURU alone issued over 200,000 DDoS attack commands. Kimwolf added another 25,000 and JackSkid contributed 90,000.
A New Attack Vector
Kimwolf stood out because it did not rely on scanning the open internet for vulnerable devices. Instead, it exploited residential proxy networks to infiltrate home networks through compromised Android streaming boxes and IoT devices. Once inside a local network, it accessed devices that were normally protected behind home routers. AWS VP Tom Scholl called it "a fundamental shift in how botnets operate and scale."
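The vector described above means a compromised streaming box or camera starts talking to neighbouring hosts on the LAN, traffic that a normally behaving IoT device has no reason to generate. The detection below is an added example, not code from the article or from any of the named vendors: it runs a simple east-west rule over constructed flow records (NetFlow-style tuples) and flags any LAN-to-LAN connection whose source is an inventoried IoT device. The device inventory, LAN range, gateway address and sample flows are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory (assumption): LAN hosts that are IoT-class and should
# only ever talk to the internet or the gateway, never to other LAN hosts.
IOT_DEVICES = {
    "192.168.1.50": "android-streaming-box",
    "192.168.1.51": "ip-camera",
}
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home/SMB network
GATEWAY = "192.168.1.1"                       # assumed router (DNS/DHCP)

# Ports where an IoT device reaching a LAN peer is especially suspicious:
# remote shells, file sharing, web admin panels and Android Debug Bridge.
ADMIN_PORTS = {22, 23, 80, 443, 445, 5555, 8080}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def east_west_from_iot(flows):
    """Return one alert dict per LAN-to-LAN flow originating from an IoT device."""
    alerts = []
    for f in flows:
        label = IOT_DEVICES.get(f.src)
        if label is None:
            continue  # not an inventoried IoT device
        dst = ipaddress.ip_address(f.dst)
        if dst not in LAN or f.dst == GATEWAY:
            continue  # internet-bound or gateway traffic is expected behaviour
        alerts.append({
            "device": label,
            "src": f.src,
            "dst": f.dst,
            "dport": f.dport,
            "proto": f.proto,
            "severity": "high" if f.dport in ADMIN_PORTS else "medium",
        })
    return alerts


# Constructed sample flows (assumption): two benign, two lateral, one from a laptop.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "198.51.100.7", 443, "tcp"),   # box -> internet: fine
    Flow("192.168.1.50", "192.168.1.1", 53, "udp"),     # box -> gateway DNS: fine
    Flow("192.168.1.50", "192.168.1.20", 22, "tcp"),    # box -> laptop SSH: alert
    Flow("192.168.1.51", "192.168.1.30", 9000, "tcp"),  # camera -> NAS, odd port: alert
    Flow("192.168.1.20", "192.168.1.50", 8080, "tcp"),  # laptop -> box: not IoT-sourced
]


if __name__ == "__main__":
    for a in east_west_from_iot(SAMPLE_FLOWS):
        print(f"[{a['severity']}] {a['device']} {a['src']} -> "
              f"{a['dst']}:{a['dport']}/{a['proto']}")
```

The rule is deliberately coarse: on most home and small-office networks an inventoried streaming box or camera should produce zero LAN-to-LAN flows, so even a single hit is worth a look, and putting such devices on their own VLAN or guest SSID removes the lateral path entirely rather than just detecting it.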
Lumen's Black Lotus Labs null-routed nearly 1,000 C2 servers and reported that JackSkid was still averaging 150,000 daily victims in early March, with peaks of 250,000.
WAF and DDoS Protection Implications
Attacks at 30 Tbps and 14 billion packets per second can overwhelm even cloud-based mitigation services. Akamai noted these hyper-volumetric attacks "can cripple core internet infrastructure and cause significant service degradation for ISPs." Cloudflare has been tracking AISURU since 2024 and contributed to the takedown effort.
For organizations relying on WAF and DDoS protection services, this is a reminder that attack volumes keep setting new records. Mitigation capacity that seemed sufficient a year ago may not hold up against the next botnet generation.
WAFplanet Take
The takedown is good news but the underlying problem remains. Three million compromised IoT devices did not appear overnight and the operators behind these botnets are still at large (no arrests have been announced). The residential proxy attack vector is particularly concerning because it bypasses network-level protections that most home users assume are keeping them safe. On the defensive side, if your DDoS mitigation provider cannot handle multi-terabit attacks, it is time to re-evaluate. The 30 Tbps mark will not stand as a record for long.