Authorities dismantle Aisuru and Kimwolf botnets

German, US and Canadian operation targets millions of compromised routers, webcams and Android TV boxes; DDoS-for-hire market survives each takedown

German, US and Canadian authorities said they have dismantled two of the world’s largest botnets, Aisuru and Kimwolf, in a coordinated operation targeting infrastructure used for major distributed denial-of-service attacks. According to Euronews, the networks comprised several million compromised devices—routers and webcams in Aisuru’s case, and Android TV boxes for Kimwolf—and were linked to “record-breaking” attacks cited by the US Department of Justice.

The official description is familiar: infected consumer devices are quietly “enslaved,” then used to flood targets with traffic until websites, services or corporate networks slow to a crawl. What matters for victims is not the technical novelty but the business model. Botnet operators do not need to pick targets themselves; they sell access to capacity, turning household electronics into rentable attack infrastructure. The DOJ said the access was used by other criminals to extort victims, with losses in some cases reaching tens of thousands of dollars.

This market is sustained by three practical conditions that are hard to regulate away. First, insecure mass-market hardware is shipped with weak defaults and rarely patched, leaving millions of nodes available at low marginal cost. Second, payments for criminal “stress testing” services can be routed through anonymous or hard-to-reverse channels, letting operators price attacks like a commodity. Third, enforcement is fragmented: the devices are distributed across jurisdictions, the administrators may be elsewhere, and the victims are often in yet another country.

That is why takedowns tend to be theatrical and temporary. Authorities seize servers, sinkhole domains, and name suspected administrators, but the underlying supply—cheap, poorly maintained devices—remains. The same incentives that created Aisuru and Kimwolf can recreate them with new malware and new command-and-control nodes.

Europe’s stake is not only cybercrime statistics but critical infrastructure exposure. As more public services, payments, logistics and media distribution depend on always-on connectivity, DDoS becomes a lever for disruption that is cheaper than physical sabotage and easier to outsource.

The operation removed two brand names from the market. It did not remove the millions of devices that made them profitable.