What happens when you take away cybercriminals’ most expensive toy? They get angry and attack. When courageous security researchers decided to paralyze over 500 command servers of the notorious IoT botnets Kimwolf and Aisuru, the hackers reacted promptly: they launched massive revenge attacks on the researchers, with data packets filled to the brim with foul, vulgar insults.
This is the story of the rapid rise of a gigantic cyber threat, a flourishing criminal business model, and the bizarre cat-and-mouse game between researchers and furious hackers.
The Invisible Army: What Are Kimwolf and Aisuru?
It all began in August 2024, when security experts first identified the Aisuru botnet. Shortly thereafter, its “big brother” Kimwolf stepped onto the scene. Together they formed a highly intertwined, unprecedented cyber threat that kept the internet on edge in 2025 and 2026.
The botnets took advantage of a glaring vulnerability in our modern world: poorly secured Internet of Things (IoT) devices. From standard internet routers in domestic living rooms to insecure surveillance cameras – the malware hijacked everything in sight. At their peak, the combined network of Aisuru, Kimwolf, and related botnets such as JackSkid comprised more than 3 million infected devices worldwide. Kimwolf alone had brought around 2 million systems under its control.
Their primary weapon? So-called hyper-volumetric DDoS attacks. The sheer mass of devices enabled a destructive power of unprecedented scale. While the Aisuru botnet issued over 200,000 DDoS attack commands during its runtime, Kimwolf caused chaos with more than 25,000 commands. In December 2025, they jointly brought a massive Content Delivery Network to its knees, and in February 2026, they deliberately flooded the decentralized anonymization network I2P.
The Real Business Model: More Than Just Brute Force
However, brute DDoS force was soon no longer lucrative enough for the operators. They realized that a network of millions of hijacked private routers represents a much more valuable resource: inconspicuousness.
The hackers began converting the infected devices into so-called “residential proxies.” The principle is perfidious: When cybercriminals launch attacks, they simply route their data traffic through the router of an unsuspecting private individual. To the security systems of banks or online shops, it then looks as if the request is coming from a harmless household connection.
In the background, this network fueled a massive wave of online fraud, web scraping, and credential stuffing – the automated mass testing of stolen passwords. Security researchers noted that Kimwolf’s systematic scanning and abuse of these proxy networks reached an absolutely unprecedented scale, and that the abused infrastructure was at times the most heavily targeted domain worldwide.
The War in the Shadows: Researchers vs. Hackers
When the botnets reached a critical mass in early 2026, the IT security community had had enough. The experts at Black Lotus Labs (Lumen) decided on an unprecedented, proactive counterstrike.
Within just four months, the researchers identified and blocked (“null-routed”) the data traffic of an astonishing 550 command-and-control (C2) servers. It was like trying to cut off all of an octopus’ brains one by one. Every time the botnet operators tried to mobilize their hijacked devices for an attack or fraud, their commands led nowhere.
This massive disruption made the masterminds break a serious sweat. They were forced to frantically build new server architectures and migrate their infrastructure. But the hackers didn’t just react technically. They took it personally.
In a bizarre act of revenge, they directed the remaining firepower of their botnets straight at the security researchers. The DDoS attacks that now rained down on the experts’ servers contained a special message: the malicious payload was riddled with endless, vulgar insults addressed directly to the researchers. Behind the cold, automated attacks of millions of hijacked machines, the real, furious faces of frustrated criminals suddenly appeared – criminals whose most lucrative business yet had just been ruined.
The Endgame: The Global Takedown in March 2026
But the far-reaching efforts of the private security researchers were only the prelude to the ultimate death blow. While the botnet operators were still busy cursing and hiding their servers from the researchers, the noose of international law enforcement agencies was already tightening inexorably.
On March 19, 2026, the reign of terror of Kimwolf and Aisuru ended in an unprecedented police strike. The German Federal Criminal Police Office (BKA) and the Central and Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW) announced that the networks had been definitively dismantled in close, internationally coordinated cooperation with US authorities and Canadian investigators. Authorities successfully seized and took offline the globally distributed attack infrastructure of Aisuru, Kimwolf, and the closely intertwined sister networks JackSkid and Mossad.
Is Your Router a Sleeper Agent?
The story of Kimwolf and Aisuru proves one thing impressively: cyber war no longer takes place only on the servers of large corporations. The battlefield has shifted to our living rooms. Every poorly secured device with internet access is a potential weapon in the hands of botnet operators.
The successful takedown by international law enforcement agencies was an important interim victory and a clear signal to cybercriminals. It shows that even the largest and most aggressive networks are not untouchable. But the fight is not over yet – the dismantling of Kimwolf and Aisuru leaves a vacuum that other actors are all too eager to fill.
As long as the Internet of Things is plagued by security vulnerabilities and the barriers to entry for cybercriminals continue to fall thanks to AI tools, the threat remains. It is now up to manufacturers, businesses, and the entire IT security industry to learn from the tactics of the botnets and strengthen the defense shields for the next, inevitably coming storm.
On Wednesday morning, Deutsche Bahn reported what many travelers were already feeling: the booking app DB Navigator and the website bahn.de were down following a massive DDoS attack. The pro-Russian hacker group ‘NoName057’ has since claimed responsibility, underscoring the incident’s geopolitical dimension. Although the systems were stabilized, this incident is more than just a fleeting headline. It is a live demonstration of just how vulnerable the lifelines of our modern economy have become.
This attack is not an isolated incident; it is a wake-up call. It demonstrates that the question is no longer if critical systems will be attacked, but how resiliently they react to the inevitable. So, what can business leaders learn from this incident for their own corporate strategy?
Learning 1: The New Dimension of Risk
A DDoS attack is often perceived merely as a technical nuisance. But the strategic logic behind it is far more insidious: modern attacks are frequently geopolitical instruments. They are visible, cost-efficient, and have a calculated signaling effect.
The actual damage goes far beyond technical downtime. The goal is often not to permanently destroy infrastructure but to sow doubt – about a company’s stability, security, and capability to act. However, the damage does not remain abstract. It hits the heart of the value chain hard and immediately:
- Economic Damage: Every blocked booking process and every prevented API query translates directly into lost revenue and productivity.
- Reputational Damage: In an “always-on” society, unavailability is immediately equated with unreliability. Platforms like bahn.de are the public face of the company – an outage erodes the trust of millions of users in seconds.
- Operational Damage: When internal systems fail, logistics, communication, and internal processes often come to a standstill as well.
DDoS is long past being an isolated IT problem for the admin to handle. It is an attack on reputation and a C-Level risk that threatens operational capability.
Learning 2: Availability Is an Essential Public Service
In the face of growing threats, the benchmark for protection can no longer be “as much as necessary,” but rather “as much resilience as technically possible.” Anyone organizing mobility or services digitally must be able to defend them digitally as well. Availability is no longer just a convenience feature; it is part of the mandate for essential public services.
For critical sectors like transport, energy, or finance, a European partner is therefore more than a political preference; it is a strategic advantage. Digital sovereignty here means control over one’s own security architecture. In an emergency, anyone relying on external escalation chains outside the European legal framework loses valuable time. A local partner guarantees compliance, data protection (GDPR), and short communication lines.
Learning 3: Why Traditional Defense is Blind Today
The most important lesson is technological in nature: manual intervention and classic firewalls stand no chance against the quality of today’s attacks. We are seeing a dangerous evolution of the threat landscape that exploits the weaknesses of old protection mechanisms:
- Targeted Intelligence (Layer 7): It is no longer just about sheer mass (volumetrics). Today, attacks precisely target vulnerabilities such as APIs or login processes. Botnets mimic human behavior so well that static filters cannot distinguish them from legitimate customers.
- Hyper-Scaling: When attacks reach bandwidths in the terabit range, local firewalls are overrun in fractions of a second.
- Speed: An attack builds up in seconds. If you only react once the systems are already under pressure, you have lost.
Resilience is not a static state. Anyone still relying on manual reaction today, acting only when the red light flashes, has lost the fight before it began. Defense must take place in real time and be fully automated.
Europe’s Answer to Complex Threats
This is exactly where Link11 comes in – bridging the gap between constantly shifting attack patterns and traditional protection. As a provider qualified by the BSI (Federal Office for Information Security) for the DDoS protection of critical infrastructure, we offer a platform that combines technological superiority with digital sovereignty.
This is how we protect critical infrastructures and enterprises:
- AI-Supported Precision: Our technology analyzes data traffic around the clock. It detects new attack patterns (zero-day) using Artificial Intelligence in real time and filters out malicious traffic without blocking legitimate users.
- Layer 7 Protection: Link11 distinguishes precisely between bots and humans, even during complex web attacks on APIs and web applications.
- Certified Security: Link11 meets the highest standards with PCI-DSS, SOC2 Type 2, C5, and ISO 27001. Data does not leave the European legal area.
- Maximum Scalability: We routinely ward off attacks that would immediately cripple local infrastructures – fully automatically and without service interruption.
Resilience is a Strategic Decision
The incidents at Deutsche Bahn are a stark reminder that every attack on digital infrastructure tests the resilience of our entire economy. Cybersecurity is therefore no longer a technical detail but a strategic prerequisite for stability and growth. Because the future is digital, and it requires protection at the highest level.
We are at a historic turning point for the internet. What was already becoming apparent in 2024 is now a reality: Automated traffic has overtaken human traffic and now accounts for over 51% of all data traffic.
The driving force behind this development is no longer just classic search engine bots or malicious attackers but a new, explosive category: AI crawlers. Services like ChatGPT, Claude, Perplexity, and Google Gemini are scanning the web with an intensity that pushes conventional infrastructures to their limits. In the last year alone, traffic from some AI crawlers has surged by 300%.
This surge is not just a statistic; it is a direct strain on your servers, driving up costs and creating a larger attack surface. This unintentional exposure increases the risk of performance issues and outages, making AI traffic a critical factor for business continuity.
For companies, this shift represents far more than just a technical challenge. Managing AI traffic has become a strategic necessity that directly impacts security, cost control, and overall corporate governance. Yet this is exactly where the problem lies: most security tools still hide this new reality within general “bot noise.” If you cannot see which AI crawlers are accessing your content, the repercussions can be grave: for example, your intellectual property may be copied to train AI without your knowledge.
With the launch of the AI Management Dashboard for Link11 WAAP, we are changing this. We are turning a blind spot into a steerable strategy.
Transparency Instead of “Bot Noise”
Previous analyses often grouped AI crawlers under “Generic Bots.” Today, that is no longer sufficient. A crawler that scrapes your content en masse to train an LLM (Large Language Model) requires a different assessment than a DDoS bot.
The new AI Management Dashboard, therefore, separates AI traffic from general bot traffic. It establishes AI as a dedicated analytics category. Instead of vague statistics, security and web teams receive forensic-level insights:
- Identification by Name: See immediately whether OpenAI, Anthropic, Google, or Microsoft is accessing your site.
- Crawler Category: Differentiate between search bots, LLM training bots, and AI assistants.
- Time-Based Analysis: Identify trends early. Is a specific crawler suddenly scaling up its requests?
What felt uncertain becomes measurable and defensible for security and governance.
The AI Dilemma: Data Taker or Traffic Driver?
Not every AI access is harmful. The current debate between media houses and AI search engines shows how fluid the boundary is between data theft and valuable traffic sources. Without clear insight, you cannot tell them apart.
- Scenario A: A crawler copies your intellectual property to train a competitor’s model. In this case, the traffic should be blocked.
- Scenario B: An AI tool processes your content to provide an answer to a user and links to your website in the process. In this case, you want to allow the traffic.
The Link11 AI Management Dashboard specifically tracks AI traffic and separates it from general bot traffic. The dashboard shows you not only who is reading (“scraping”) but also who is sending users to you (“referrals”). This enables nuanced governance: traffic that creates value stays, traffic that only consumes resources is stopped.
Control without Compromise
Knowledge is the first step; enforcement is the second. Many companies still rely on robots.txt entries, but these are often merely requests that can be ignored by aggressive crawlers.
With the AI Management Dashboard, you set the rules. You can control each type of AI crawler individually and decide: Monitor, Allow, or Block.
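As an added example (not Link11’s code and not the dashboard’s implementation), the following Python shows the three ideas above in miniature: naming the AI crawler behind a request, separating scraping from referrals via the Referer header, and enforcing a robots.txt Disallow rule server-side instead of merely publishing it. The crawler tokens, categories, policy, robots.txt and log lines are constructed assumptions.

```python
"""Added example, not Link11 code: classify web requests by AI crawler, enforce
robots.txt Disallow rules server-side and tell scraping apart from referrals."""
import re
from urllib.parse import urlparse

# Illustrative assumptions (the dashboard's taxonomy is not public):
# user-agent token -> (vendor, category), and a per-category decision.
AI_CRAWLERS = {"GPTBot": ("OpenAI", "llm-training"),
               "PerplexityBot": ("Perplexity", "ai-search"),
               "Bingbot": ("Microsoft", "search")}
POLICY = {"llm-training": "block", "ai-search": "monitor", "search": "allow"}
REFERRAL_HOSTS = {"chatgpt.com", "perplexity.ai"}   # AI tools sending visitors

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3} \S+ '
                    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_robots(text):
    """Return {agent-token-lowercase: [disallowed path prefixes]}."""
    rules, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:                 # rules seen: a new group starts
                agents, in_rules = [], False
            agents.append(value.lower())
            rules.setdefault(value.lower(), [])
        elif key == "disallow":
            in_rules = True
            for a in agents if value else []:
                rules[a].append(value)
    return rules

def classify(entry, robots):
    """Return (vendor, category, action) for one parsed request."""
    for token, (vendor, category) in AI_CRAWLERS.items():
        if token.lower() in entry["ua"].lower():
            # robots.txt is only a request; here its Disallow is enforced.
            disallowed = robots.get(token.lower(), robots.get("*", []))
            blocked = any(entry["path"].startswith(p) for p in disallowed)
            return vendor, category, "block" if blocked else POLICY[category]
    host = urlparse(entry["referer"]).hostname or ""
    if host in REFERRAL_HOSTS:           # a human visitor sent by an AI tool
        return host, "referral", "allow"
    return None, "other", "allow"

def report(log_text, robots_text):
    """Classify every parseable access-log line; returns a list of dicts."""
    robots, rows = parse_robots(robots_text), []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        vendor, category, action = classify(m.groupdict(), robots)
        rows.append({"path": m["path"], "vendor": vendor,
                     "category": category, "action": action})
    return rows

# Constructed sample input: a robots.txt and four access-log lines.
ROBOTS_TXT = "User-agent: GPTBot\nDisallow: /articles/\n\nUser-agent: *\nDisallow: /admin/\n"
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:01:02 +0100] "GET /articles/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"
203.0.113.8 - - [10/Mar/2026:08:01:03 +0100] "GET /pricing HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; PerplexityBot/1.0)"
198.51.100.4 - - [10/Mar/2026:08:01:04 +0100] "GET /articles/42 HTTP/1.1" 200 5120 "https://chatgpt.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
198.51.100.5 - - [10/Mar/2026:08:01:05 +0100] "GET /admin/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Bingbot/2.0)"
"""
```

Running `report(SAMPLE_LOG, ROBOTS_TXT)` blocks the GPTBot request by policy, only monitors PerplexityBot, allows the human visitor referred by chatgpt.com, and blocks Bingbot on /admin/ because the robots.txt rule is enforced rather than trusted.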
This is about more than just traffic management; it is about compliance.
At a time when nearly 80% of news websites have already implemented AI blocks, legal departments and compliance officers need proof. The AI Management Dashboard makes this easy. With only a single click, teams can see logs of every access, simplifying audits and compliance checks.
Integration Instead of Complexity
Security teams are busy and often overloaded. The native integration of AI Management Dashboard into the existing Link11 WAAP platform follows a clear principle: fit right into your team’s existing workflow. No new software to learn and no complex setups. You use the familiar search, filter, and tagging mechanisms of your usual working environment to master a completely new class of challenges. You add control without adding effort.
Return to Data Sovereignty
AI will continue to change the internet. But that does not mean companies have to surrender control of their infrastructure. With the Link11 AI Management Dashboard, AI access transforms from an invisible risk into something you can measure, manage and evaluate in terms of cost and value.
It is time for clean traffic and clear rules. It is time to take back control of your data.
The digital threat landscape is becoming more complex every day, and with it, the pressure on companies to ensure data security and regulatory compliance is growing. But how can you be sure that your cybersecurity partner isn’t just talking about protection, but also demonstrably practicing it? How do you know who you can trust with your most valuable digital assets?
The answer lies in independent, transparent, and globally recognized testing standards. These certifications and attestations should not be trophies in a cabinet, but rather the foundation of daily operations. Each of these badges has meaning, both for us and for you.
A holistic foundation: Why one standard alone is not enough
Modern threats are multi-layered. That’s why a single security standard is not enough to ensure comprehensive protection. An effective security concept is like a fortress with multiple lines of defense. Each of these certifications covers a different critical aspect and demonstrates our commitment to a holistic approach to security.
Security according to the highest national standards: BSI C5 & GDPR
For companies operating in Germany and Europe, local standards are of crucial importance. They create legal and investment security.
- BSI C5 (Cloud Computing Compliance Criteria Catalogue): This criteria catalogue from the German Federal Office for Information Security (BSI) is the de facto standard for secure cloud computing in Germany. It ensures that a cloud provider meets strict information security requirements.
Specifically, a BSI C5 attestation means that the relevant security controls have not only been designed and implemented but also evaluated and validated by an independent external auditor. This confirms that we work with clear security responsibilities, documented processes, and consistent control implementation.
In Germany and in critical or regulated environments, C5 is one of the clearest signals of trust. This attestation reduces friction in your security reviews because requirements can be mapped to a known BSI framework instead of starting from scratch.
- GDPR compliance: The General Data Protection Regulation is at the heart of European data protection. Our processes and technical measures are designed to support the principles of the GDPR and help you meet your own data protection obligations.
Globally recognized: International standards for trust without borders
In a globalized world, security standards must be understood and recognized internationally.
- ISO/IEC 27001: This is the global gold standard for information security management systems (ISMS). ISO 27001 certification demonstrates that security is a structured, risk-based, and continuously improved process that is embedded throughout the entire organization.
- SOC 2 Type 2: While other standards evaluate the design of controls, the SOC 2 Type 2 report goes a crucial step further. Over a period of several months, external auditors evaluate whether security controls are effective in daily operations in accordance with the Trust Service Criteria (security, availability, processing integrity, confidentiality, data protection). It is the ultimate practical test.
- PCI DSS (Payment Card Industry Data Security Standard): This standard was developed by the credit card industry and sets extremely high requirements for the protection of payment card data. It shows that we meet even the most stringent security requirements for highly sensitive data – a strong signal of trust across all industries.
What this means for you in concrete terms: Your benefits at a glance
These certifications are more than just badges on the website. They offer you tangible benefits:
- Simplified compliance: By meeting these standards, we provide you with the necessary evidence and make your own audits and risk assessments much easier.
- Verifiable risk minimization: You don’t rely on promises, but on tested and proven security processes that demonstrably reduce your risk of data breaches and outages.
- Increased trust: Show your own customers, partners, and insurers that you don’t compromise when choosing your protection solution. Working with a partner certified to the highest standards, such as Link11, strengthens your own position in the market.
Our promise to you
For us at Link11, security is in our DNA. Our certifications are transparent proof of this promise. They give you the certainty that your digital assets are in safe hands with us – today and in the future.
Would you like to learn more about how our certified protection makes your business more resilient? Contact our experts for a personal consultation.