Stock Markets March 19, 2026

U.S., Germany and Canada Disrupt Four Botnets That Infected Over 3 Million Devices

Joint operation targeted infrastructure used for DDoS attacks that affected hundreds of thousands of devices in the United States and Department of Defense networks

By Nina Shah

Authorities in the United States, Germany and Canada coordinated a takedown of infrastructure tied to four large botnets - Aisuru, KimWolf, JackSkid and Mossad - which had infected more than 3 million devices worldwide, including hundreds of thousands in the U.S. The botnets were used to launch hundreds of thousands of distributed denial-of-service attacks and in some cases to extort victims. The operation involved major technology firms and Europol partners and focused on individuals running the networks and the supporting infrastructure.

Key Points

  • A coordinated operation by the U.S., Germany and Canada disrupted infrastructure for four botnets - Aisuru, KimWolf, JackSkid and Mossad - that had infected more than 3 million devices globally.
  • Hundreds of thousands of infected devices were in the United States, with many being Internet of Things products such as webcams, digital video recorders and Wi-Fi routers; Department of Defense IP addresses were among the targets of the DDoS attacks.
  • The operation involved assistance from nearly two dozen major tech companies, including Amazon Web Services, Google, PayPal and Nokia, and included Europol's PowerOff team, which has been working against DDoS-focused cybercriminals since 2017.

Law enforcement agencies in the United States, Germany and Canada announced a coordinated disruption of the command-and-control infrastructure for four significant botnets that collectively had compromised over 3 million devices around the world. The Justice Department said the networks - identified as Aisuru, KimWolf, JackSkid and Mossad - were harnessed to carry out distributed denial-of-service, or DDoS, attacks against a wide range of targets.

According to the Justice Department, hundreds of thousands of the infected machines were located in the United States. Most of the exploited devices were part of the Internet of Things - web-connected appliances such as webcams, digital video recorders and Wi-Fi routers - which the botnet operators had recruited into their malicious networks.

The agencies said operators used the botnets to launch hundreds of thousands of DDoS attacks, directing disruptive traffic at computers and servers across the globe. Some of the attacks targeted Internet Protocol addresses owned by the Department of Defense Information Network. In addition, the Justice Department statement said that in some instances the botnet controllers demanded payments from their victims.

The multinational operation was executed simultaneously in the three countries and focused on identifying and targeting the individuals behind the botnets as well as the infrastructure that enabled their activity. The Justice Department credited the assistance of nearly two dozen major technology companies in the action, naming among them Amazon Web Services, Google, PayPal and Nokia. The statement also cited the PowerOff team from Europol - a law enforcement effort addressing DDoS-focused cybercriminals that has been active since 2017.

"Today’s disruption of four powerful botnets highlights our commitment to eliminate emerging cyber threats to the Department of Defense and its warfighters," said Kenneth DeChellis, a special agent in charge at the Department of Defense Investigative Service.

The Justice Department emphasized that the operation was aimed at both the infrastructure and the people operating the networks. Beyond the named technology firms and Europol partners, the statement indicated that additional corporate assistance was provided, though it listed only a subset of the participating companies.

The public notice did not quantify how many individual operators were identified or arrested, nor did it specify the exact technical means used to sever control over the infected devices. It also did not state whether all compromised devices were cleaned as part of the disruption, leaving some questions about the long-term remediation and potential residual infection levels.

Still, the coordinated action illustrates a cross-border law enforcement approach that brings together government investigative resources and private sector infrastructure providers to disrupt large-scale malicious networks that exploit Internet-connected consumer devices and can affect critical networks, including those associated with national defense.

Risks

  • The statement notes that in some cases botnet operators demanded payments from victims - a continued risk for organizations and individuals affected by such attacks, including sectors handling online transactions and digital services.
  • The Justice Department did not specify whether all compromised devices were disinfected or how many operators were apprehended, leaving uncertainty about the completeness of the disruption and potential for reconstitution of malicious infrastructure.
  • Targets included IP addresses owned by the Department of Defense Information Network, underscoring persistent cyber risk to defense networks and related suppliers and service providers.
