On March 19, 2026, the Department of Justice and an international coalition of law enforcement agencies simultaneously seized the command-and-control infrastructure of four of the world’s most destructive IoT botnets — networks that had infected more than 3 million devices globally and generated DDoS attacks measuring up to 30 terabits per second. That’s not a typo.

Operation PowerOFF just took down the largest IoT DDoS infrastructure ever dismantled in a single coordinated action.

The Four Botnets

The targets were Aisuru, KimWolf, JackSkid, and Mossad — four distinct botnet families operating under a cybercrime-as-a-service model, each renting out its army of infected devices to paying criminal customers for DDoS attacks on demand.

The scale of the command infrastructure gives you a sense of the relative size of each operation:

  • Aisuru: 200,000+ commands processed
  • JackSkid: 90,000+ commands processed
  • KimWolf: 25,000+ commands processed
  • Mossad: 1,000+ commands processed

Aisuru and JackSkid were the heavyweights. But all four contributed to a combined infected device pool that reached over 3 million devices worldwide — with hundreds of thousands of compromised devices located in the United States alone as of March 2026.

At peak, attacks attributed to these networks were measured at approximately 30 terabits per second — a figure that represents a new ceiling for documented DDoS attack volume. For context: major infrastructure attacks that made headlines in previous years topped out at 3-5 Tbps. This is an order of magnitude larger.

What Was Infected

The device categories targeted by these botnets tell you everything about the current IoT security reality: DVRs, webcams, and WiFi routers — the consumer and small-business devices that line millions of home networks and small offices worldwide.

These are devices that typically run outdated firmware, are exposed to the internet with default or weak credentials, and are never monitored for anomalous behavior. They are, in short, an ideal botnet substrate. A compromised DVR doesn’t slow down noticeably when it’s participating in a terabit-scale attack. The owner never knows.

KimWolf and JackSkid added a technical wrinkle: they were engineered to target devices that are traditionally protected by firewalls — expanding the attack surface beyond the usual exposed-interface devices into network segments that operators assumed were protected. The technique varies by botnet family, but the effect is the same: devices operators thought were off-limits to infection turned out not to be.

The botnets operated on a pure cybercrime-as-a-service model. Operators didn’t necessarily use the DDoS capacity themselves. They sold it. Customers paid for access to attack infrastructure — the ability to direct hundreds of thousands of infected devices to flood a target — measured in bandwidth, duration, and intensity. Victims faced tens of thousands of dollars in losses and extortion demands from operators threatening sustained attacks.

Among the targets: systems on the DoDIN — the Department of Defense Information Networks. When federal military infrastructure is getting hit by consumer-grade IoT botnets, the threat model has shifted in ways that matter.

The Operation

The DOJ announcement describes simultaneous actions across three countries. In the United States, the Defense Criminal Investigative Service (DCIS) seized US-registered domains and virtual servers associated with the botnet command-and-control infrastructure. In Germany, federal authorities from BKA (Bundeskriminalamt) and ZAC NRW (Zentralstelle für Cybercrime Nordrhein-Westfalen) executed parallel takedowns. In Canada, RCMP, OPP, and the Sûreté du Québec (SQ) moved simultaneously.

The seized infrastructure is displaying the familiar Operation PowerOFF splash page — a branding choice that law enforcement has used consistently across related operations to signal continuity of enforcement action against the DDoS-for-hire ecosystem.

DCIS Special Agent in Charge Kenneth DeChellis stated: “Today’s disruption of four powerful botnets highlights our commitment to eliminate emerging cyber threats to the Department of Defense and its warfighters.” The inclusion of DCIS — the criminal investigative arm of the DoD — as a lead agency underscores the military infrastructure targeting component of these networks.

The private sector participation in Operation PowerOFF reads like a who’s-who of internet infrastructure: Akamai, AWS, Cloudflare, Google, Lumen, Nokia, Okta, Oracle, PayPal, Sony, SpyCloud, Team Cymru, Unit 221B, and the Europol PowerOFF team. That kind of industry coalition doesn’t assemble for a minor operation. The collective intelligence sharing, sinkholing support, and infrastructure coordination required to take down C2 networks this size demands exactly this level of cross-sector cooperation.

Why This Is Different From Previous Takedowns

Operation PowerOFF has been a running enforcement campaign across multiple years and jurisdictions. Previous iterations took down DDoS-for-hire stresser/booter services — platforms that let anyone pay to DDoS a target. This operation goes a layer deeper, targeting the underlying botnet infrastructure that powers those attacks.

The 30 Tbps figure deserves emphasis. The infrastructure to generate that kind of attack volume requires millions of infected endpoints operating in coordination. This isn’t a data center attack. This is a distributed army of ordinary people’s home devices, conscripted into a weapon they don’t know they’re part of.

The geographic dispersion of infected devices — millions worldwide, hundreds of thousands in the US — also means device cleanup is not something law enforcement can accomplish through seizures alone. Seizure of C2 infrastructure disrupts the command channel, but the infected devices remain infected until owners remediate them or replace them. The botnet nodes are still sitting in living rooms and server closets around the world.

This is the structural problem with IoT botnets that distinguishes them from traditional malware campaigns: you can arrest the operators and seize the servers, but the army is still out there, waiting for new command infrastructure.

What Comes Next

Arrests have not yet been announced in connection with this specific operation, though simultaneous actions in Canada and Germany suggest operator targeting is underway. The DOJ language around “targeting operators” is deliberate — this isn’t just infrastructure disruption, it’s an active investigation into the humans behind the keyboards.

For the security community, the 30 Tbps ceiling established by these networks is the new planning assumption for large-scale DDoS resilience. If the biggest botnets ever documented were capable of this, and were running for hire at commercial rates, the next generation of botnet infrastructure — currently in development by actors who watched this takedown and are already working around it — will be built to exceed it.

For home and small business users with DVRs, webcams, and routers on their networks: the infected device problem didn’t disappear when the C2 servers went dark. Your devices may still be compromised.

Secure IoT House has a practical guide for home users on how to check whether your devices were affected and what to do right now.

Operation PowerOFF continues.