What Happened
The US Department of Justice, working with law enforcement partners in Canada and Germany, seized command-and-control infrastructure behind four IoT botnets: Aisuru, Kimwolf, JackSkid, and Mossad. Together, these botnets compromised more than three million internet-connected devices — primarily home routers and IP cameras — and were responsible for some of the largest distributed denial-of-service attacks ever recorded, with traffic bursts peaking at 31.4 terabits per second.
Aisuru was the most prolific, issuing more than 200,000 attack commands over its operational lifetime. JackSkid issued at least 90,000. Kimwolf, introduced in October 2025 as an Aisuru variant, added a novel propagation mechanism allowing it to reach devices protected behind network address translation, extending its reach into enterprise and institutional networks. Mossad focused its roughly 1,000 attacks on high-profile government and critical infrastructure targets.
Krebs on Security identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. A 15-year-old in Germany was identified as a second suspect. Charges and proceedings are ongoing in both countries.
Why This Matters for Canadian Organizations
This operation has two direct Canadian dimensions: a Canadian national is alleged to have operated one of the most destructive botnets in the cluster, and Canadian law enforcement took part in the takedown alongside US and German partners. A domestic suspect at the centre of DDoS infrastructure at this scale is a marked escalation in the role Canadian-based actors have played in international cybercriminal operations.
For Canadian organizations, the operational threat remains active even with these botnets disrupted. Seizing command-and-control servers does not remove the malware from infected devices or close the weaknesses that let them be recruited, so the same population of routers and cameras can be re-enrolled by successor operators, and IoT DDoS capacity of this kind is widely available for hire. Internet service providers, financial institutions, gaming platforms, and municipal governments all appeared in the targeting profiles of Aisuru and Kimwolf. The devices recruited into these botnets include unpatched consumer routers and cameras deployed widely across Canadian homes and small businesses, hardware that most owners have never updated and many will not replace.
The Kimwolf variant's ability to propagate to devices behind NAT is a specific operational concern. Blocklisting by source IP loses value when a bot shares a translated address with legitimate users, and perimeter controls that watch only inbound traffic do not see a bot that is already inside the network; Kimwolf demonstrated exactly this kind of reach behind the perimeter before the disruption operation.
What to Do
Security teams should inventory internet-connected devices across their networks and identify any models listed in known Aisuru and Kimwolf infection profiles, particularly older consumer-grade routers and IP cameras. Devices that no longer receive firmware updates should be replaced or placed in isolated network segments with remote administration disabled; a device that was infected before the takedown should be assumed to remain vulnerable to reinfection until it is patched or retired. For organizations with distributed or remote workforces connecting over VPN, extend the audit to the home networking equipment those connections traverse. Internet service providers serving Canadian subscribers should cross-reference the DOJ's released infected IP lists against their subscriber pools and notify affected customers. Review network traffic logs from the past three months for unexplained volumetric spikes or latency anomalies; this window aligns with peak Kimwolf and JackSkid operational activity.
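The two log-driven checks above, cross-referencing a released infected-IP list against subscriber address pools and flagging volumetric spikes in interval traffic totals, are shown below as an added example. This is not code from the article, Krebs on Security, The Hacker News or any law enforcement agency. Three things are assumptions, because the article does not specify them: the infected-IP list is treated as plain text with one address per line (the real release format is not described), subscriber pools are a mapping of CIDR blocks to account identifiers, and the traffic log is a constructed "timestamp,bytes" series of five-minute totals. Spike detection uses a median/MAD score so that a single huge burst does not inflate the baseline it is measured against.

```python
"""Added example: infected-IP cross-reference and volumetric spike check.

All data below is constructed for illustration and is NOT a real indicator list.
Input formats are assumptions (see lead-in); adapt the parsers to the real feeds.
"""
import ipaddress
import statistics
from collections import defaultdict

# Assumed format: one address per line, '#' starts a comment. Constructed sample.
INFECTED_IP_LIST = """\
# constructed sample, not a real released list
198.51.100.23
198.51.100.77
203.0.113.9
192.0.2.200
not-an-ip
"""

# Assumed shape: CIDR block -> subscriber account identifier. Constructed sample.
SUBSCRIBER_POOLS = {
    "198.51.100.0/24": "ACCT-1001",
    "203.0.113.0/25": "ACCT-2002",
    "203.0.113.128/25": "ACCT-2003",
}

# Assumed format: "ISO-timestamp,bytes" per five-minute interval. Constructed sample
# with a normal baseline of roughly 8-9 MB per interval and one ~910 MB burst.
TRAFFIC_LOG = """\
# constructed sample: per-interval byte totals for one customer-facing link
2026-01-10T00:00,8400000
2026-01-10T00:05,8900000
2026-01-10T00:10,8100000
2026-01-10T00:15,9200000
2026-01-10T00:20,8700000
2026-01-10T00:25,910000000
2026-01-10T00:30,8500000
2026-01-10T00:35,8800000
"""


def parse_ip_list(text):
    """Return ip_address objects from the list, skipping comments and junk lines."""
    ips = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # a malformed line should not abort the whole cross-reference
    return ips


def match_infected_to_accounts(ip_text, pools):
    """Map each listed address to the most specific subscriber block containing it.

    Returns (hits, unmatched): hits is {account: [ip, ...]}, unmatched is the list
    of addresses that fall outside every pool (not this provider's customers).
    """
    networks = [(ipaddress.ip_network(c, strict=False), acct) for c, acct in pools.items()]
    networks.sort(key=lambda pair: pair[0].prefixlen, reverse=True)  # longest prefix first
    hits = defaultdict(list)
    unmatched = []
    for ip in parse_ip_list(ip_text):
        for net, acct in networks:
            if ip.version == net.version and ip in net:
                hits[acct].append(str(ip))
                break
        else:
            unmatched.append(str(ip))
    return dict(hits), unmatched


def find_volumetric_spikes(log_text, threshold=5.0):
    """Flag intervals whose byte count is far above a robust baseline.

    Score = (value - median) / (1.4826 * MAD); 1.4826 scales MAD to a standard
    deviation for normal data, so threshold=5 means "five sigma above typical".
    """
    samples = []
    for line in log_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, nbytes = line.split(",")
        samples.append((ts, int(nbytes)))
    values = [b for _, b in samples]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0  # avoid divide-by-zero
    spikes = []
    for ts, b in samples:
        score = (b - med) / (1.4826 * mad)
        if score > threshold:
            spikes.append((ts, b, round(score, 1)))
    return spikes


if __name__ == "__main__":
    hits, unmatched = match_infected_to_accounts(INFECTED_IP_LIST, SUBSCRIBER_POOLS)
    for acct, ips in sorted(hits.items()):
        print(f"notify {acct}: {', '.join(ips)}")
    print(f"outside our pools: {unmatched}")
    for ts, b, score in find_volumetric_spikes(TRAFFIC_LOG):
        print(f"spike at {ts}: {b} bytes (score {score})")
```

For the constructed data this attributes two addresses to ACCT-1001 and one to ACCT-2002, leaves 192.0.2.200 unmatched, and flags only the 00:25 interval; the ordinary jitter between 8.1 and 9.2 MB scores around one sigma and is ignored. On real data, run the spike check per link or per customer rather than on an aggregate, since a single subscriber's outbound burst is easily hidden inside a backbone total.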
Source: Krebs on Security | The Hacker News