DOJ Disrupts Botnets, But DDoS Threats Remain, Security Pros Warn
<p>The U.S. Justice Department’s (DOJ) dismantling of the infrastructure behind four botnets used by a range of bad actors should put a dent in the rising number of distributed denial-of-service (DDoS) attacks, but security experts are warning that the threat isn’t dissipating.</p><p>The DOJ announced late last week that the command-and-control (C2) infrastructure that was taken down was used for Internet of Things (IoT) botnets – <a href="https://securityboulevard.com/2025/11/microsoft-fends-off-massive-ddos-attack-by-aisuru-botnet-operators/" target="_blank" rel="noopener">Aisuru</a>, KimWolf, JackSkid, and Mossad – that comprised more than 3 million devices and were used in hundreds of thousands of <a href="https://securityboulevard.com/2025/08/digicert-discloses-details-of-two-massive-ddos-attacks/" target="_blank" rel="noopener">DDoS attacks</a>, including some massive attacks that measured more than 30 terabits per second.</p><p>The IoT devices that comprised the botnets – hundreds of thousands of which were located in the United States – included digital recorders, web cameras, and WiFi routers, all of which were controlled by the botnet operators, who then sold access to the devices to other threat actors via a cybercrime-as-a-service model.</p><p>The U.S. operation was run in parallel with law enforcement efforts in Canada and Germany, which the DOJ said targeted the operators of the botnets. 
At the same time, a range of private companies and nonprofit organizations – including Amazon Web Services (AWS), Cloudflare, DigitalOcean, Nokia, Okta, and The Shadowserver Foundation – helped with the investigation.</p><p>Rebecca Day, special agent in charge of the FBI’s Anchorage, Alaska, field office, <a href="https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks" target="_blank" rel="noopener">said in a statement</a> that “this operation reflects the strength of that collaboration and our shared commitment to combatting cybercrime and protecting victims worldwide.”</p><h3>Significant Disruption, but Not Victory</h3><p>Security pros applauded the FBI’s operation, with Cequence Security CISO Randolph Barr calling it a “meaningful disruption.”</p><p>That said, Barr added that perspective is important, noting that the botnets are offered through commercial DDoS-as-a-service platforms, which means the more than 3 million compromised IoT devices behind the 30-plus Tbps attacks were broadly available, commoditizing the high level of disruption they wrought.</p><p>“The key takeaway here is that while infrastructure was disrupted, the devices and business model remain, so reconstitution is likely,” he said.</p><p>That sentiment was echoed by Crystal Morin, senior cybersecurity strategist at Sysdig.</p><p>“While this botnet takedown is significant, we must not confuse disruption with victory,” Morin said. “These botnets show just how easy it is to weaponize poorly maintained IoT devices on a massive scale. This takedown operation removes infrastructure and buys defenders time, but it doesn’t fix the underlying problem.”</p><p>That includes the fact that “botnet operators will also likely rebuild and return under new pseudonyms, starting again exactly where they left off,” she said. 
“The victimized IoT devices have not been magically secured, and therefore, threat actors can just retarget them. Rescaling has been simplified by and large with AI. The reset button was pushed, certainly, but the ecosystem still heavily favors the attackers.”</p><h3>DDoS a Continuing and Growing Problem</h3><p>DDoS attacks continue to be a problem. In a report late last year focusing on the third quarter, Cloudflare researchers wrote that the company’s autonomous defenses blocked a total of 8.3 million such attacks – an average of almost 3,700 an hour – and that the number of DDoS attacks <a href="https://blog.cloudflare.com/ddos-threat-report-2025-q3/#:~:text=Attack%20characteristics,the%20duration%20of%20the%20attack." target="_blank" rel="noopener">grew 40% year-over-year</a>.</p><p>A key issue is that “IoT devices are generally treated as ‘set-it-and-forget-it’ technology when they should be cared for more like smartphones and laptops, regularly updated and monitored,” Morin said.</p><p>She added that organizations need to shift to an “assume breach” strategy that includes unmanaged and risky endpoints that operate outside of traditional office boundaries, saying that “a real-time approach to security has to be non-negotiable. That means strictly segmenting corporate access from consumer-grade hardware and prioritizing real-time behavioral detection to catch anomalous signals, such as proxying or identity misuse at the network level.”</p><p>Cequence’s Barr said mitigation efforts should focus on cloud-scale protection against DDoS attacks, with API and application-layer defenses as well as reducing the exposure to IoT and residential proxy abuse.</p><p>“This is less about one botnet and more about DDoS becoming an on-demand attacker utility,” he said.</p><h3>Defense Operations Targeted</h3><p>As part of the DOJ operation, the U.S. 
Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants for multiple U.S.-registered internet domains, virtual servers, and other infrastructure that the agency suspects were used in DDoS attacks against the Department of Defense Information Network (DoDIN).</p><p>Barr said no evidence linked the DDoS activity to Iran or to the rise in DDoS activity during the U.S. and Israeli war against the country, and that the botnets were being investigated as part of a cybercrime ecosystem. That said, he added that any bad actor – including those linked to nation-states – could rent it.</p><p>Sysdig’s Morin called any attribution to the Middle East fighting “speculative at best.” The Mossad botnet launched only about 1,000 commands before becoming part of the law enforcement takedown, she said, so it is likely a new operation, and naming a botnet after an enemy such as Israel’s intelligence agency is a way Middle Eastern threat actors jab back at their foes.</p><p>“But naming alone is a weak justification for attribution,” she said.</p><p>Morin pointed out that the Aisuru botnet was identified long before the war in Iran started February 28 and that Aisuru, KimWolf, and JackSkid are each variants of the well-known Mirai botnet.</p>
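<p>The mitigation advice above (segmenting consumer-grade hardware from corporate access, and watching IoT devices for behavior such as sustained volumetric output or proxy-like fan-out) can be turned into a simple flow-level triage check. The following is an added illustration, not code from the article or from any of the companies quoted; the subnets, thresholds, and flow records are constructed assumptions.</p>

```python
"""Flow-level triage for an IoT segment: flags devices that look conscripted
into a DDoS botnet or a residential proxy, plus IoT-to-corporate crossings.
All sample records and thresholds below are constructed, illustrative values."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("10.50.0.0/16")       # assumed: consumer-grade device VLAN
CORP_NET = ip_network("10.10.0.0/16")      # assumed: corporate access segment

# Constructed flow records for one observation window:
# (src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("10.50.0.7", "203.0.113.10", 443, 40_000),    # camera: normal cloud upload
    ("10.50.0.7", "203.0.113.10", 443, 38_000),
    # a recorder suddenly pushing large volume at one external host/port
    *[("10.50.0.9", "198.51.100.5", 80, 900_000) for _ in range(12)],
    # a router fanning out small flows to many destinations/ports (proxy-like)
    *[("10.50.0.3", f"192.0.2.{i}", 1000 + i, 1_200) for i in range(1, 41)],
    # an IoT device reaching into the corporate segment (segmentation gap)
    ("10.50.0.5", "10.10.4.20", 445, 3_000),
]

def triage_flows(flows, baseline_bytes, volume_factor=10, fanout_min=25):
    """Return {device_ip: sorted finding names}. baseline_bytes maps a device
    to its expected outbound bytes per window (assumed to be learned earlier)."""
    out_bytes = defaultdict(int)
    dests = defaultdict(set)
    findings = defaultdict(set)
    for src, dst, port, nbytes in flows:
        if ip_address(src) not in IOT_NET:
            continue                       # only the IoT segment is in scope
        out_bytes[src] += nbytes
        dests[src].add((dst, port))
        if ip_address(dst) in CORP_NET:    # IoT must never reach corporate hosts
            findings[src].add("segmentation_violation")
    for dev, total in out_bytes.items():
        base = baseline_bytes.get(dev, 0)
        # volumetric: outbound volume far above this device's own baseline
        if base and total > volume_factor * base:
            findings[dev].add("volumetric_outbound")
        # proxy-like: many distinct destination/port pairs from one device
        if len(dests[dev]) >= fanout_min:
            findings[dev].add("proxy_like_fanout")
    return {dev: sorted(f) for dev, f in findings.items()}

if __name__ == "__main__":
    baseline = {"10.50.0.7": 80_000, "10.50.0.9": 50_000, "10.50.0.3": 20_000}
    for dev, why in triage_flows(SAMPLE_FLOWS, baseline).items():
        print(dev, why)
```

In practice the per-device baseline would come from a learned history and the findings would feed a ticketing or quarantine step, but the per-window aggregation and the three checks are the core of the behavioral detection the article describes.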