HackMyIP
2026-03-20 KrebsOnSecurity

Feds Dismantle Four IoT Botnets Behind Massive DDoS Attacks

Tags: Malware, Threat Intel, Incident Response

The U.S. Department of Justice, together with the Royal Canadian Mounted Police (RCMP) and the German Federal Criminal Police Office (BKA), has dismantled the command‑and‑control (C2) infrastructure of four prolific IoT botnets that were responsible for some of the largest distributed‑denial‑of‑service (DDoS) attacks ever recorded. The coordinated operation, dubbed “Operation Botnet Takedown,” seized 36 servers, more than 800 malicious domains, and neutralized botnets that had enslaved an estimated 3.2 million routers, IP cameras, digital video recorders, and other internet‑of‑things (IoT) devices worldwide.

The botnets identified in the operation are the Mirai variant “Mirai‑M86”, the Gafgyt strain “Gafgyt‑B”, the Mozi botnet “Mozi‑V2”, and a newly discovered Linux‑based botnet called “DarkNexus”. Each family leveraged weak or default Telnet/SSH credentials and known firmware vulnerabilities to infect devices, turning them into a global attack army. The Mirai‑M86 strain, for example, used a protocol‑level amplification technique that generated attack traffic exceeding 1.2 Tb/s, while Mozi‑V2 exploited a universal plug‑and‑play (UPnP) misconfiguration to masquerade its traffic as legitimate HTTP requests.

Federal prosecutors in the Eastern District of Virginia unsealed indictments against three foreign nationals—Alexei Volkov (Russia), Jiang Li (China), and Markus Schreiber (Germany)—charging them with conspiracy to commit computer fraud and abuse, and with developing and maintaining the malicious code. The DOJ also obtained civil forfeiture orders for the seized domain names and IP addresses, effectively cutting off the botnets’ ability to receive commands. In parallel, the BKA executed search warrants in Berlin and Munich, and the RCMP seized data‑center equipment in Toronto that hosted the primary C2 panels.

The takedown highlights the ongoing risk posed by poorly secured IoT devices and underscores the necessity for manufacturers to enforce strong, unique default passwords, enable automatic firmware updates, and implement network‑level segmentation. Security researchers from KrebsOnSecurity, who originally exposed the botnet activity in 2023, praised the cross‑border cooperation, noting that rapid information sharing between law enforcement and the private sector was key to locating the C2 servers. Users are advised to reboot affected devices to remove the malicious payloads and to monitor for unexpected outbound traffic, which can be an indicator of residual infection.
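The closing advice, to watch IoT devices for unexpected outbound traffic, is easy to state and harder to operationalize. The script below is an added example, not tooling from the article or from the agencies it describes: it runs a simple per-device profile over a handful of constructed flow records and flags three behaviours that would be worth a look on a home or branch network after a reboot: outbound Telnet/SSH to hosts outside the LAN (the credential-based propagation path the article attributes to these families), outbound connections on ports the device class has no business using, and an unusually high number of distinct external peers. The device classes, allowlists, fan-out threshold and sample addresses are all assumptions for the example.

```python
"""Flag IoT devices whose outbound traffic departs from an expected profile.

Added example for illustration; the flow records, device inventory and
allowlists below are constructed, not real telemetry.
"""
from collections import defaultdict
import ipaddress

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.5", 554, "tcp"),    # camera -> local NVR (RTSP), stays inside the LAN
    ("192.168.1.20", "203.0.113.10", 443, "tcp"),   # camera -> vendor cloud (assumed expected)
    ("192.168.1.20", "203.0.113.10", 123, "udp"),   # camera -> NTP (assumed expected)
    ("192.168.1.20", "198.51.100.1", 23, "tcp"),    # camera -> six different external hosts on Telnet ports
    ("192.168.1.20", "198.51.100.2", 23, "tcp"),
    ("192.168.1.20", "198.51.100.3", 2323, "tcp"),
    ("192.168.1.20", "198.51.100.4", 23, "tcp"),
    ("192.168.1.20", "198.51.100.5", 23, "tcp"),
    ("192.168.1.20", "198.51.100.6", 23, "tcp"),
    ("192.168.1.21", "203.0.113.10", 443, "tcp"),   # DVR -> vendor cloud (assumed expected)
    ("192.168.1.21", "192.0.2.44", 8080, "tcp"),    # DVR -> unknown external host on an unexpected port
    ("192.168.1.30", "203.0.113.10", 443, "tcp"),   # a laptop, not in the IoT inventory: ignored
]

# Assumed inventory: which LAN addresses are IoT devices and what class they belong to.
DEVICE_CLASS = {"192.168.1.20": "camera", "192.168.1.21": "dvr"}

# Assumed per-class allowlist of (dst_port, proto) a device may use when leaving the LAN.
# In practice this profile comes from baselining the device, not from guesswork.
ALLOWED_EXTERNAL = {
    "camera": {(443, "tcp"), (123, "udp")},
    "dvr": {(443, "tcp"), (123, "udp")},
}

# Ports tied to credential-based IoT propagation (Telnet and SSH).
PROPAGATION_PORTS = {23, 2323, 22}

# Assumed local address space; anything outside it counts as external.
LOCAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def is_external(ip: str) -> bool:
    """True when the address lies outside every configured local network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def analyze(flows, device_class=DEVICE_CLASS, allowed=ALLOWED_EXTERNAL, fanout_threshold=5):
    """Return {device_ip: sorted list of reasons} for IoT devices with suspicious outbound flows."""
    findings = defaultdict(set)
    external_peers = defaultdict(set)

    for src, dst, port, proto in flows:
        cls = device_class.get(src)
        # Only inventoried IoT devices are profiled, and only traffic that leaves the LAN.
        if cls is None or not is_external(dst):
            continue
        external_peers[src].add(dst)
        if port in PROPAGATION_PORTS:
            findings[src].add("outbound telnet/ssh to external host")
        if (port, proto) not in allowed.get(cls, set()):
            findings[src].add("unexpected external port/proto")

    # Many distinct external peers from one embedded device is itself a signal,
    # whatever the ports involved.
    for src, peers in external_peers.items():
        if len(peers) >= fanout_threshold:
            findings[src].add("high external fan-out")

    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for device, reasons in analyze(SAMPLE_FLOWS).items():
        print(f"{device} ({DEVICE_CLASS[device]}): {', '.join(reasons)}")
```

On the constructed input the camera is reported for all three reasons and the DVR only for the unexpected port; the laptop is ignored because it is not in the inventory. A device that has been rebooted and cleaned should produce no findings on a subsequent run, which is the check the article's advice implies; persistent findings after a reboot point at re-infection and therefore at the credential or firmware weakness that let the device be enrolled in the first place.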

Source: KrebsOnSecurity
