Akamai Helps Authorities Disrupt the World’s Largest IoT Botnets

Key Takeaways

• The US DOJ and international partners successfully disrupted the Aisuru and Kimwolf IoT botnets and related DDoS-for-hire services.
• These botnets leveraged between 1 million and 4 million compromised IoT devices to launch hyper-volumetric attacks.
• Attack volumes shattered historical records, exceeding 30 Tbps, 14 billion packets per second, and 300 million HTTP(s) requests per second.
• Aisuru issued over 200,000 DDoS attack commands, and Kimwolf issued over 25,000, often accompanied by extortion demands.
• Akamai and other industry partners assisted in intelligence gathering, monitoring, and C2 disruption starting in late 2025.

Affected Systems

• Internet of Things (IoT) devices
• Core internet infrastructure
• Internet Service Providers (ISPs)
• Cloud-based mitigation services

Attack Chain

Threat actors compromised between 1 and 4 million Internet of Things (IoT) devices globally to construct the Aisuru and Kimwolf botnets. These massive botnets were operationalized as DDoS-for-hire services. Operators issued hundreds of thousands of attack commands to the compromised devices, directing them to flood target networks with up to 30 Tbps of traffic and 300 million HTTP(s) requests per second, often to extort the victims.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article is a high-level takedown announcement and does not provide specific detection rules or queries.

Detection Engineering Assessment

EDR Visibility: None — EDR solutions are typically not deployed on IoT devices, and the primary impact described is network-level volumetric flooding. Network Visibility: High — Volumetric DDoS attacks generating 30 Tbps and 14 billion packets per second are highly visible at the network edge and ISP level. Detection Difficulty: Easy — The sheer volume of traffic (Tbps scale) makes the attacks immediately obvious, though effective mitigation requires specialized infrastructure.

Required Log Sources

• NetFlow/sFlow
• WAF logs
• Web server access logs
• Edge router telemetry

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Unusually high volumes of inbound HTTP(s) requests originating from diverse, globally distributed IP addresses may indicate an application-layer DDoS attack from an IoT botnet.	WAF logs, Web server access logs	Impact	Low
Massive, sudden spikes in inbound network traffic (packets per second) overwhelming edge routers are indicative of a volumetric DDoS attack.	NetFlow, Edge router telemetry	Impact	Low

Control Gaps

• Lack of dedicated DDoS scrubbing services
• Inadequate WAF rate-limiting configurations
• Poor baseline security on consumer IoT devices

Key Behavioral Indicators

• Traffic spikes exceeding historical baselines by orders of magnitude
• High volume of HTTP requests exhibiting IoT device user-agent fingerprints

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Enable rate-limiting on web applications wherever possible.
• Audit and update Access Control Lists (ACLs) to drop unnecessary traffic at the edge.

Infrastructure Hardening

• Subscribe to a dedicated DDoS scrubbing service (e.g., Akamai Prolexic) capable of handling hyper-volumetric attacks.
• Update Web Application Firewalls (WAFs) to the latest versions and ensure optimal rule configurations.

User Protection

• N/A

Security Awareness

• Establish incident response playbooks specifically for handling DDoS extortion demands.

MITRE ATT&CK Mapping

• T1584.005 - Compromise Infrastructure: Botnet
• T1498.001 - Network Denial of Service: Direct Network Flood
• T1499.004 - Endpoint Denial of Service: Application or Service Exhaustion