There’s a version of this story that writes itself: American feds take down a botnet. Press release drops. Indictments unsealed. Everyone moves on.
This isn’t that story.
The takedown of the Aisuru and Kimwolf botnets in early 2026 was led by German authorities — specifically the Bundeskriminalamt (BKA), Germany’s federal criminal police, and ZAC NRW, the Central Office for Combating Cybercrime in North Rhine-Westphalia. The US and Canada were partners. Germany was driving.
That distinction matters. Because the European approach to cybercrime enforcement has quietly become one of the most sophisticated and methodical prosecution machines in the world, and most coverage of these operations misses it entirely.
Two Botnets, Two Different Threat Models
Aisuru and Kimwolf weren’t the same animal. Understanding the difference tells you a lot about where criminal botnet infrastructure is heading.
Aisuru was built on the bones of everyday devices. Compromised routers. Hijacked webcams. The kind of hardware that sits in people’s homes and small businesses, rarely patched, rarely monitored, and almost never considered a security risk by the people who own them. The Aisuru operators aggregated these devices into a network capable of launching massive distributed denial-of-service attacks — flooding targets with traffic until services buckle.
DDoS-as-a-service has existed for years. What made Aisuru notable was the scale and the targeting. Officials described both networks as posing a “significant threat to IT infrastructure” — language that, coming from the BKA, carries specific weight. German federal police don’t invoke that framing for run-of-the-mill script kiddie operations.
Kimwolf was something different, and in some ways more insidious.
The Kimwolf infrastructure was built on compromised Android TV boxes — cheap streaming devices sold in bulk, often running outdated Android firmware with little to no vendor support. The operators didn’t just use Kimwolf for attacks. They rented it out as a proxy network, allowing paying customers to route their traffic through infected household devices.
The pitch to criminal buyers was blunt: make your traffic look like it’s coming from a normal person’s living room.
This is the monetization model that should concern defenders. A botnet that also functions as a residential proxy service gives its operators two revenue streams and dramatically expands the pool of attackers who can use compromised infrastructure to evade detection. IP reputation systems, geographic filtering, and bot detection tools all perform worse when malicious traffic originates from legitimate consumer ISP addresses.
The German Enforcement Machine
Germany’s approach to cybercrime prosecution is worth understanding in depth, because it keeps producing results that US-centric coverage underweights.
ZAC NRW sits inside the public prosecutor’s office in Cologne and specializes in complex cybercrime cases. It has jurisdiction across North Rhine-Westphalia — Germany’s most populous state — but frequently takes on national and international cases due to its technical expertise. It’s the same office that has been involved in previous high-profile takedowns including infrastructure linked to ransomware and dark web markets.
The BKA, meanwhile, operates as Germany’s equivalent of the FBI for cross-border criminal investigations. Its cyber division has invested heavily in long-term infrastructure tracking, and unlike some enforcement agencies that move fast and publicize early, the BKA tends to build cases methodically over months before acting.
That patience pays off. In the Aisuru/Kimwolf operation, the result wasn’t just a server takedown — it was the identification of two suspected administrators, searches conducted in both Germany and Canada, and seizures of data storage devices and cryptocurrency valued at tens of thousands of euros.
The cryptocurrency seizure is worth noting. It suggests investigators weren’t just watching the infrastructure — they traced the money. That’s a fundamentally different kind of investigation than a straightforward server seizure, and it signals that the case will likely result in criminal prosecution rather than just disruption.
Why This Isn’t the US PowerOFF Angle
If you’ve been following US botnet enforcement, you’ve likely seen coverage of Operation PowerOFF — the ongoing multi-agency campaign targeting DDoS-for-hire services. That operation has resulted in domain seizures, arrests, and a steady stream of press releases from DOJ and FBI.
This isn’t that. The Aisuru/Kimwolf operation is structurally different in several ways:
First, the focus was on botnet infrastructure rather than DDoS marketplaces. PowerOFF tends to target the storefronts — the websites where attackers go to buy attack services. The German operation went after the underlying bot networks themselves.
Second, the residential proxy component of Kimwolf puts this operation in a different threat category. Residential proxy abuse sits at the intersection of cybercrime, fraud, and intelligence collection. It’s used not just for DDoS but for credential stuffing, ad fraud, OSINT evasion, and bypassing geo-restrictions on content or services. Taking down a network that serves all those use cases at once has broader impact than a single-purpose DDoS tool.
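The point made above about Kimwolf, and earlier about IP reputation and bot detection degrading against residential sources, is easiest to see with data. The following is an added example, not code from the original post or from any of the agencies or vendors it mentions. It uses a constructed set of login events and a constructed "bad IP" list standing in for a reputation feed; the ASN classification column is assumed to come from a lookup the reader's environment already has. A reputation-only check flags nothing in the credential-stuffing burst, because every exit looks like a home connection, while a per-account source-diversity check does.

```python
"""Why IP reputation alone misses credential stuffing through a residential
proxy pool, and a per-account source-diversity check that does not.

All data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed stand-in for an IP-reputation feed: hosting ranges and known
# scanners. None of the residential proxy exits appear in it, which is the
# whole problem defenders face with networks like Kimwolf.
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.9"}

# Constructed login events: (account, source_ip, asn_type, login_succeeded).
# asn_type is assumed to come from an ASN/ISP lookup already in place.
SAMPLE_EVENTS = [
    ("alice", "192.0.2.10",  "residential", True),
    ("alice", "192.0.2.10",  "residential", True),
    ("bob",   "192.0.2.44",  "residential", True),
    # credential-stuffing burst against one account from five different
    # residential exits, ending in a success
    ("carol", "192.0.2.101", "residential", False),
    ("carol", "192.0.2.102", "residential", False),
    ("carol", "192.0.2.103", "residential", False),
    ("carol", "192.0.2.104", "residential", False),
    ("carol", "192.0.2.105", "residential", True),
    # a hosting-range source that a reputation list does catch
    ("dave",  "203.0.113.7", "hosting",     False),
]


def reputation_flags(events, bad_ips):
    """Accounts flagged purely by source-IP reputation (what a blocklist sees)."""
    return {acct for acct, ip, _, _ in events if ip in bad_ips}


def residential_share_of_failures(events):
    """Fraction of failed logins whose source is classified as residential.
    A high value means reputation and hosting-ASN filters will mostly miss."""
    failed = [asn for _, _, asn, ok in events if not ok]
    if not failed:
        return 0.0
    return sum(1 for asn in failed if asn == "residential") / len(failed)


def source_diversity_flags(events, max_distinct_ips=3, min_failures=2):
    """Accounts tried from more distinct source IPs than a real user plausibly
    uses, with at least min_failures failed attempts. Residential proxies
    rotate exits, so the spread of IPs per account is what gives them away."""
    ips = defaultdict(set)
    failures = defaultdict(int)
    for acct, ip, _, ok in events:
        ips[acct].add(ip)
        if not ok:
            failures[acct] += 1
    return {
        acct
        for acct, seen in ips.items()
        if len(seen) > max_distinct_ips and failures[acct] >= min_failures
    }


def triage(events, bad_ips):
    """Combine both signals into account -> sorted list of reasons."""
    reasons = defaultdict(list)
    for acct in reputation_flags(events, bad_ips):
        reasons[acct].append("ip_reputation")
    for acct in source_diversity_flags(events):
        reasons[acct].append("source_diversity")
    return {acct: sorted(r) for acct, r in reasons.items()}


if __name__ == "__main__":
    print("reputation only :", reputation_flags(SAMPLE_EVENTS, KNOWN_BAD_IPS))
    print("residential share:", residential_share_of_failures(SAMPLE_EVENTS))
    print("diversity check :", source_diversity_flags(SAMPLE_EVENTS))
    print("triage          :", triage(SAMPLE_EVENTS, KNOWN_BAD_IPS))
```

The thresholds (`max_distinct_ips`, `min_failures`) are illustrative and would be tuned against a real baseline of how many addresses a legitimate user touches in a session window; the structure of the check, keyed on the account rather than the source, is what survives proxy rotation.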
Third, the cross-border coordination here ran through a different set of channels. US-German law enforcement cooperation on cybercrime operates through formal mutual legal assistance treaty frameworks, and the involvement of ZAC NRW alongside the BKA and Canadian partners suggests a carefully coordinated legal structure that took significant time to build.
What’s Left Unanswered
Enforcement operations like this one tend to generate more questions than they answer publicly, for good reason — ongoing prosecutions limit what agencies can disclose.
What we don’t yet know:
- How long were Aisuru and Kimwolf operational before investigators moved in?
- What organizations or industries were targeted by Aisuru’s DDoS campaigns?
- Who were Kimwolf’s proxy service customers, and what were they using it for?
- Will the two suspected administrators face charges in Germany, Canada, both, or neither?
- Were the botnets fully disrupted, or is infrastructure rebuilding underway?
On that last point: experienced botnet operators often have redundant infrastructure and can reconstitute operations in weeks or months. The cryptocurrency seizure and data storage confiscation suggest investigators may have been thorough enough to complicate rebuilding, but the criminal market for DDoS-for-hire and residential proxy services has proven remarkably resilient to enforcement actions.
The Broader Signal
Aisuru and Kimwolf represent two converging trends in criminal botnet infrastructure.
The first is the exploitation of IoT devices at scale. Every unpatched router running EOL firmware, every webcam with default credentials, every Android TV box that never received a security update is potential botnet real estate. The attack surface is enormous and growing, and device manufacturers have limited incentive to maintain software on hardware they’ve already sold.
The second is the dual-use monetization model. Botnets that generate revenue both as attack platforms and as proxy services are more economically durable than single-purpose networks. They’re also harder to categorize legally, since selling proxy access isn’t inherently criminal in the same way that selling DDoS attacks is.
The German prosecutors involved here clearly understood both dynamics. The question, as always with botnet enforcement, is whether the disruption is permanent or just a setback for operators who will rebuild and rename.
Based on the trajectory of previous operations involving ZAC NRW and the BKA, the answer depends heavily on whether those two suspected administrators are extradited and prosecuted. Infrastructure seizures alone rarely end these operations. Criminal accountability does.
Source: DW.com — German authorities dismantle two criminal botnets