Team Cymru Partners with DOJ to Disrupt World’s Largest IoT DDoS Botnets

March 19, 2026 - The U.S. Department of Justice announced the disruption of the world's largest IoT DDoS botnets — Aisuru, KimWolf, JackSkid, and Mossad — responsible for record-breaking attacks measuring approximately 30 terabits per second, infecting over 3 million devices worldwide.

Team Cymru is proud to be named by the DOJ as a contributing partner in this operation. (Link to full DOJ press release)

This is what internet infrastructure intelligence was built for.

What was dismantled:

Four botnets, operating as cybercrime-as-a-service, issued a combined 316K+ DDoS attack commands. These weren't nuisance attacks. They extorted victims, cost organizations tens of thousands of dollars in damages, and targeted the U.S. Department of Defense Information Network. Coordinated law enforcement actions spanned the U.S., Canada, Germany, and the Netherlands, with EUROPOL's PowerOFF team at the center.

What made it possible:

Operations like this don't happen from a single feed or a single tool. They require years of quiet, consistent, trust-based intelligence sharing. The kind that exists outside of contracts and flows through communities.

Team Cymru's passive visibility into internet infrastructure — spanning 700+ ISP partnerships and petabytes of NetFlow telemetry — provides the type of longitudinal, protocol-level insight that helps investigators trace botnet command-and-control (C2) infrastructure to its source. Not just what is happening on the internet. Why. And who.

But intelligence alone isn't enough. Community is the force multiplier.

Our RISE conferences — gatherings purpose-built for the defenders who do this work — exist because attribution and disruption at this scale require trust that precedes crisis. Relationships between law enforcement, ISPs, security researchers, and infrastructure intelligence providers like Team Cymru aren't forged during an incident. They're forged long before one. RISE is where those relationships are built. 

We're grateful to operate alongside the partners named in today's action — Akamai, Amazon Web Services, Cloudflare, Lumen, Nokia, The Shadowserver Foundation, Unit 221B, XLAB, and others whose combined visibility contributed to dismantling infrastructure that caused real harm to real people.

This is the work.

Not a product launch. Not a marketing story. A 3-million-device botnet is offline today because defenders — across governments, across borders, across organizations — shared what they saw.

Team Cymru will keep building the intelligence infrastructure and the community conditions that make operations like this possible.

The internet is a little safer today. We don't take that lightly.