C2 botnet infrastructure: scope and implications
The dismantling of C2 infrastructures not only deals another blow in law enforcement's fight against IoT botnets, but also alters, at least temporarily, the balance of power between attackers, network operators, and services that depend on not going down at the worst possible moment. This matters because the problem doesn't end when a panel is shut down; often, it merely changes phase.
International operation against the command and control infrastructure
Authorities from the United States, Germany, and Canada intervened and disabled the command and control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets, networks that compromised Internet of Things (IoT) devices to coordinate large-scale attacks.
The operation didn't stop at isolated virtual servers. It extended to domains, administration panels, and other points in the technical chain that allowed operators to send orders to millions of hijacked devices. From that base, hundreds of thousands of distributed denial-of-service (DDoS) attacks were allegedly launched against global targets, including IP addresses linked to the Department of Defense Information Network (DoDIN). In other words, it wasn't just another troublesome network, but an operational platform capable of exerting real pressure on sensitive infrastructure.
What the court documents say
According to the U.S. Department of Justice, court records attribute more than three million compromised devices to these networks—IP cameras, video recorders, and Wi-Fi routers, among others—and quantify the attack orders issued by each botnet: Aisuru, more than 200,000; KimWolf, more than 25,000; JackSkid, more than 90,000; and Mossad, more than 1,000. The Department of Justice announced it publicly.
That number helps to put things in perspective, but it's important not to interpret it as if all compromised devices are equally valuable. A large but unstable botnet is not the same as a smaller one with persistence, good node rotation, and operators who know when to strike. Sometimes the problem isn't just the number of devices involved, but how usable that network is during specific periods.
Why reported traffic spikes matter
In December, Aisuru reached a peak of 31.4 Tbps and 200 million requests per second; it had previously achieved a record of 29.7 Tbps, and in November, it was linked to another wave that reached 15.72 Tbps from around 500,000 IP addresses. These are striking figures, yes, but the relevant point isn't the technical headline itself. What they actually show is the defensive capacity needed to absorb or deflect such an attack without serious service degradation.
When these spikes occur, the debate shifts from "Is it dangerous?" to "Who can withstand it, for how long, and at what cost?" For mid-sized operators or services with a less distributed architecture, the answer isn't always easy. There are environments where such an attack doesn't bring everything down, but it makes the service intermittent, unpredictable, or very expensive to maintain. And that, operationally, is already a partial victory for the attacker.
When a botnet operates at that scale, the threat ceases to be a one-off event. It becomes a systemic risk: network congestion, prolonged degradation, costly mitigation, and technical teams busy putting out fires instead of addressing the underlying vulnerability.
Technical interpretation of the modus operandi
These botnets exploited a well-known combination in IoT environments: devices with exposed interfaces, default credentials or unpatched firmware, and management software accessible from the internet. The C2 infrastructure functions as the "brain" of the network: it receives commands from the operator and translates them into actions distributed to the agents residing on each compromised device.
That seems basic on paper, but in practice the real problem is usually persistence through neglect. A forgotten router, a camera deployed years ago, a recorder that no one updates because "it still works." That's where these networks find continuity. They don't need flawless sophistication at every node; they're satisfied with numerous weak points maintained by routine, neglect, or lack of inventory.
Furthermore, the access market—the "cybercrime-as-a-service" model mentioned in the statements—amplifies the damage. Operators other than the malware's developer can rent access to these networks to launch extortion or saturation campaigns. That significantly changes the landscape: you're no longer dependent on a single group wanting to intensively exploit the botnet, because the network becomes a service and circulates. More profitable for them, harder to anticipate for everyone else.
Operational implications and limits of police intervention
Intervening in C2 servers and domains disrupts coordination, reduces the issuance of new commands, and provides a buffer for containing active attacks. That's valuable, very valuable. But it's important not to overinterpret it: intervening in the control layer doesn't automatically clean infected devices or correct the practices that allowed the infection.
This is one of the most common mistakes when interpreting these types of operations. It's assumed that because the central command has fallen, the ecosystem is now clean. It doesn't work that way. If the owners don't update firmware, change credentials, or aren't even aware they have exposed devices, the underlying problem remains. And a botnet whose C2 has been taken down can reappear later under a different name, with a different network of devices.
Akamai—one of the companies in the sector that participated in the operation—emphasized the operational impact of these networks on critical infrastructure: they can collapse core services, degrade user experience, and overload cloud mitigation solutions. This point deserves attention because not everything can be solved by simply purchasing more perimeter defense. There are cases where mitigation helps, but if the environment is fragile, poorly segmented, or relies on a few bottlenecks, the real margin for improvement remains limited.
When does it make sense to intervene, and what can you expect afterward?
Judicial and technical interventions make sense when they disrupt central coordination, reduce ongoing attacks, and increase the cost of operations for actors who rely on that control. They are especially useful when the botnet is already causing sustained damage or has a mature enough infrastructure to serve multiple criminal clients.
What's not advisable is treating them as a self-sufficient solution. If an organization only focuses on the idea that "the authorities have already acted," it's late to the game when it comes to the parts it actually controls: inventory, network segmentation, credential management, remote exposure, and realistic patching. Because not all equipment can be updated at the same pace, and not all legacy devices support a clean defense. Sometimes the right move isn't "business as usual," but rather to isolate, replace, or outright retire the affected systems.
For vendors and organizations, the useful criteria here are not abstract. If they manage IoT on an ad-hoc basis, the focus might be on reducing exposure and verifying credentials. If they rely on IoT continuously—video surveillance, gateways, distributed sensors, edge networking—minimal controls are no longer enough: they need to accept that some risk is recurring and design responses, not just prevention. What cannot be justified, however, is continuing to treat this equipment as minor peripherals. That practice usually proves costly when a botnet gains traction.
This operation reduces the immediate capacity of Aisuru, KimWolf, JackSkid, and Mossad to launch campaigns. Good. But the operational learning lies elsewhere: as long as poorly managed devices exist, botnets don't disappear; they merely rotate infrastructure, change operators, or return with a different command surface. And that forces us to focus less on the immediate strike and more on the discipline that follows.