What happens when you take away cybercriminals’ most expensive toy? They get angry and attack. When courageous security researchers decided to paralyze over 500 command servers of the notorious IoT botnets Kimwolf and Aisuru, the hackers reacted promptly: they launched massive revenge attacks on the researchers, with data packets filled to the brim with foul, vulgar insults.
This is the story of the rapid rise of a gigantic cyber threat, a flourishing criminal business model, and the bizarre cat-and-mouse game between researchers and furious hackers.
The invisible Army: What are Kimwolf and Aisuru?
It all began in August 2024, when security experts first identified the Aisuru botnet. Shortly thereafter, its “big brother” Kimwolf stepped onto the scene. Together they formed a highly intertwined, unprecedented cyber threat that kept the internet on edge in 2025 and 2026.
The botnets took advantage of a glaring vulnerability in our modern world: poorly secured Internet of Things (IoT) devices. From standard internet routers in domestic living rooms to insecure surveillance cameras – the malware hijacked everything in sight. At their peak, Aisuru, Kimwolf, and related networks like JackSkid together comprised more than 3 million infected devices worldwide. Kimwolf alone had brought around 2 million systems under control.
Their primary weapon? So-called hyper-volumetric DDoS attacks. The sheer mass of devices enabled a destructive power of unprecedented scale. While the Aisuru botnet issued over 200,000 DDoS attack commands during its period of activity, Kimwolf caused chaos with more than 25,000 commands. In December 2025, they jointly brought a massive Content Delivery Network to its knees, and in February 2026, they deliberately flooded the decentralized anonymization network I2P.
The real Business Model: More than just brute force
However, brute DDoS force was soon no longer lucrative enough for the operators. They realized that a network of millions of hijacked private routers represents a much more valuable resource: inconspicuousness.
The hackers began converting the infected devices into so-called “residential proxies.” The principle is perfidious: When cybercriminals launch attacks, they simply route their data traffic through the router of an unsuspecting private individual. To the security systems of banks or online shops, it then looks as if the request is coming from a harmless household connection.
In the background, this network fueled a massive wave of online fraud, web scraping, and credential stuffing – the automated mass testing of stolen passwords. Security researchers noted that Kimwolf’s systematic scanning and abuse of these proxy networks took on an absolutely unprecedented scale, and the infrastructure was at times the most targeted domain worldwide.
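Why this traffic slips past address-based controls, shown as an added example that is not part of the original article: a per-IP failed-login limit sees nothing, while counting failing accounts across many low-volume sources per time window exposes the campaign. The log format, thresholds, usernames and addresses are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 300  # seconds per analysis window (assumed value)

def per_ip_alerts(events, max_failures=5):
    """Classic control: flag any source IP with too many failed logins."""
    fails = defaultdict(int)
    for _ts, ip, _user, ok in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= max_failures)

def stuffing_windows(events, min_users=20, min_fail_ratio=0.8, max_per_ip=3):
    """Flag windows where many accounts fail from many low-volume sources."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // WINDOW].append(ev)
    flagged = []
    for w, evs in sorted(buckets.items()):
        failed = [e for e in evs if not e[3]]
        users = {e[2] for e in failed}
        per_ip = defaultdict(int)
        for e in failed:
            per_ip[e[1]] += 1
        if (len(users) >= min_users
                and len(failed) / len(evs) >= min_fail_ratio
                and max(per_ip.values(), default=0) <= max_per_ip):
            flagged.append({"window_start": w * WINDOW,
                            "accounts": len(users), "sources": len(per_ip)})
    return flagged

def build_sample():
    """Constructed login log: (unix_ts, source_ip, username, success)."""
    events = []
    # Window 0: ordinary traffic; one user mistypes a password twice.
    for i in range(10):
        events.append((i * 20, f"192.0.2.{i + 1}", f"user{i}", True))
    events += [(210, "192.0.2.50", "alice", False),
               (220, "192.0.2.50", "alice", False)]
    # Window 1: 40 attempts, each from a different household-looking
    # address against a different account; one stolen password works.
    for i in range(40):
        events.append((300 + i * 5, f"198.51.100.{i + 1}", f"victim{i}", i == 17))
    events += [(400 + i, f"192.0.2.{i + 1}", f"user{i}", True) for i in range(3)]
    return events

if __name__ == "__main__":
    print(per_ip_alerts(build_sample()), stuffing_windows(build_sample()))
```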
The War in the Shadows: Researchers vs. Hackers
When the botnets reached a critical mass in early 2026, the IT security community had had enough. The experts at Black Lotus Labs (Lumen) decided on an unprecedented, proactive counterstrike.
Within just four months, the researchers identified and blocked (“null-routed”) the data traffic of an astonishing 550 command-and-control (C2) servers. It was like trying to cut off all of an octopus’ brains one by one. Every time the botnet operators tried to mobilize their hijacked devices for an attack or fraud, their commands led nowhere.
This massive disruption made the masterminds break a serious sweat. They were forced to frantically build new server architectures and migrate their infrastructure. But the hackers didn’t just react technically. They took it personally.
In a bizarre act of revenge, they directed the remaining firepower of their botnets straight at the security researchers. The DDoS attacks that now rained down on the experts’ servers contained a special message: the malicious payload was riddled with endless, vulgar insults addressed directly to the researchers. Behind the cold, automated attacks of millions of hijacked machines, the real, furious faces of frustrated criminals suddenly appeared: people who had just seen the most lucrative business of their lives ruined.
The Endgame: The Global Takedown in March 2026
But the far-reaching efforts of the private security researchers were only the prelude to the ultimate death blow. While the botnet operators were still busy cursing and hiding their servers from the researchers, the noose of international law enforcement agencies was already tightening inexorably.
On March 19, 2026, the reign of terror of Kimwolf and Aisuru ended in an unprecedented police strike. The German Federal Criminal Police Office (BKA) and the Central and Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW) announced that the networks had been definitively dismantled in close, internationally coordinated cooperation with US authorities and Canadian investigators. Authorities managed to seize and take offline the globally distributed attack infrastructure of Aisuru, Kimwolf, and the closely intertwined sister networks JackSkid and Mossad.
Is your Router a Sleeper Agent?
The story of Kimwolf and Aisuru impressively proves that cyber war no longer takes place only on the servers of large corporations. The battlefield has shifted to our living rooms. Every poorly secured device with internet access is a potential weapon in the hands of botnet operators.
The successful takedown by international law enforcement agencies was a brilliant interim victory and a clear signal to cybercriminals. It shows that even the largest and most aggressive networks are not untouchable. But the fight is not over yet – the dismantling of Kimwolf and Aisuru leaves a vacuum that other actors are all too eager to fill.
As long as the Internet of Things is plagued by security vulnerabilities and the barriers to entry for cybercriminals continue to fall thanks to AI tools, the threat remains. It is now up to manufacturers, businesses, and the entire IT security industry to learn from the tactics of the botnets and strengthen their defenses for the next storm, which will inevitably come.
Irina