Four Botnets, Three Million Devices, One Takedown
Published: Apr 23, 2026 at 22:13 UTC
- Home routers as attack infrastructure
- Mossad botnet named provocatively
- Justice Department's silent campaign
The US Justice Department dismantled four botnets this week with names that sound like rejected cyberpunk antagonists: Aisuru, Kimwolf, JackSkid, and Mossad. Together they had corralled over 3 million devices, the majority sitting unnoticed in home networks: routers, security cameras, smart thermostats, the usual suspects. This is not a new story. It is the same story that keeps happening because the economics never change.
Botnets thrive on neglected infrastructure. Your average consumer router receives firmware updates with the frequency of lunar eclipses. The manufacturers have moved on. The ISPs pretend the problem belongs to someone else. And so these devices become permanent beachheads: quiet, obedient, waiting for commands from command-and-control servers that can materialize anywhere. The FBI's previous IoT takedowns followed identical patterns: identify the infrastructure, seize the domains, notify the victims who will mostly ignore the notification.
What distinguishes this operation is scale and naming convention. Three million devices represents serious engineering effort. The "Mossad" label suggests either misplaced bravado or deliberate provocation; cybercriminals have learned that attribution theater generates headlines, and headlines generate recruitment.
The practical impact for actual humans is minimal in the short term. Your router does not suddenly speed up. Your smart doorbell does not stop spying on you for its manufacturer. The takedown simply removes one set of malicious operators from a marketplace where alternatives proliferate. According to CISA, IoT botnet activity has increased 300% since 2020 despite dozens of similar interventions.
For the security industry, these operations serve a different function. They generate case studies, justify budgets, and occasionally produce prosecutions. The Justice Department's announcement was notably thin on attribution: no named individuals, no countries fingered, no explanation of what "record-breaking" actually meant in terms of attack volume or damage. This is standard for ongoing investigations, but it also means the public learns only what authorities choose to disclose.
The uncomfortable truth: your home network is someone else's infrastructure. Every connected device is a potential conscript. The takedowns will continue because the underlying conditions (cheap hardware, weaker security, no liability for manufacturers) remain profitable for everyone except the conscripted devices and their oblivious owners.