Morning Overview

Hackers are now wielding AI to knock companies offline in seconds — and the DDoS-for-hire tools powering the attacks are all up for sale on the dark web

In late May 2026, U.S. and European authorities pulled off the largest coordinated strike ever against the commercial market for cyberattacks-on-demand, seizing control of four massive botnets built from more than 3 million hijacked devices and dismantling dozens of online storefronts where anyone with a few dollars could order a crippling flood of internet traffic aimed at a business, school, or government agency.

The operation spanned 21 countries, produced arrests on two continents, and resulted in more than 75,000 warning letters sent to people identified as customers of so-called “booter” and “stresser” services. But the crackdown also exposed an uncomfortable reality: the tools used to overwhelm targets are growing more automated, more powerful, and cheaper to rent, and the infrastructure behind them regenerates fast enough to keep investigators in a permanent game of catch-up.

Four botnets, millions of devices, one coordinated takedown

The U.S. Department of Justice announced that federal agents executed seizure warrants against domains and virtual servers tied to the Aisuru, KimWolf, JackSkid, and Mossad botnets. Together, those four networks controlled more than 3 million infected internet-of-things devices, according to the U.S. Attorney’s Office for the District of Alaska. The compromised hardware included home routers, security cameras, and other consumer electronics whose owners likely had no idea their equipment was being weaponized.

Akamai, the content-delivery and security firm that assisted in the technical disruption, reported that the Aisuru botnet alone issued more than 200,000 DDoS attack commands and that the combined Aisuru and KimWolf infrastructure spanned an estimated 1 to 4 million IoT devices.

In a parallel case, a federal grand jury in the Central District of California charged two defendants, including Ricardo Cesar Colli (known online as “TotemanGames”), in connection with DDoS-for-hire operations. That case also involved the court-authorized seizure of 27 domains tied to major stresser and booter platforms. Prosecutors described these services as turnkey storefronts that let customers with zero technical skill launch high-volume attacks against targets of their choosing.

Europol’s demand-side crackdown

Europol coordinated a parallel action week beginning April 13, 2026, under the ongoing Operation PowerOFF banner. The effort produced four arrests, 25 search warrants, and the takedown of 53 domains linked to DDoS-for-hire services across 21 countries.

The 75,000-plus warning emails and letters sent to identified users represent a deliberate shift in strategy. Rather than focusing solely on the operators who build and run botnets, authorities are now targeting the demand side: the paying customers who treat a $10 attack order as harmless mischief. Europol’s statement emphasized that commissioning an attack carries criminal penalties in most jurisdictions, even when the service markets itself as a legitimate “network testing” tool.

The scale of the problem keeps growing

The takedowns arrive against a backdrop of rapidly escalating attack volume. Cloudflare reported that it blocked roughly 21.3 million DDoS attacks across its network in 2024, a 53 percent increase over the prior year. Among them was a 5.6-terabit-per-second Mirai-variant strike, the largest raw-bandwidth attack ever publicly recorded, which lasted only 80 seconds before automated defenses stopped it without any human intervention.

To put that in perspective, 5.6 Tbps is enough data to transfer more than 230,000 high-definition movies every second. Even a burst that brief can overwhelm upstream network links, trigger cascading outages, and force emergency traffic rerouting that disrupts legitimate users far beyond the original target.

The lineage of these botnets traces back nearly a decade. In 2016, the source code for Mirai, the malware that first demonstrated how armies of cheap IoT devices could be turned into attack weapons, was publicly leaked. That leak seeded an entire ecosystem of copycat and derivative botnets. The Aisuru and KimWolf networks disrupted this month are direct descendants of that code, refined and scaled up over years of iteration.

Where AI fits, and where it doesn’t (yet)

Security researchers have flagged a growing trend: DDoS-for-hire operators incorporating machine-learning techniques to optimize target selection, rotate attack vectors mid-assault, and evade mitigation systems that rely on pattern recognition. Netscout’s 2024 threat intelligence report noted that attackers are increasingly using AI-assisted reconnaissance to identify the weakest points in a target’s infrastructure before launching a flood.

However, the primary evidence available from the DOJ and Europol in this specific operation does not describe artificial intelligence features embedded in the seized Aisuru, KimWolf, JackSkid, or Mossad infrastructure. Court filings detail massive command volumes and highly automated attack orchestration, but “automated” and “AI-enhanced” are not the same thing. Until indictments or independent technical analyses explicitly document machine-learning components in these particular tools, the AI dimension of this story should be understood as the direction the threat is heading rather than a confirmed feature of the networks taken down this month.

What is not in dispute is that the barrier to entry keeps falling. Booter services have long operated as subscription businesses, with tiered pricing that puts basic attack capability within reach of almost anyone. The DOJ and Europol confirm the commercial nature of the seized platforms, though exact pricing structures are not detailed in the court filings.

Why takedowns alone may not be enough

Law enforcement has been here before. In December 2024, authorities shut down 27 booter and stresser sites, including zdstresser.net, orbitalstress.net, and starkstresser.net, in a pre-holiday sweep coordinated through Europol. The UK National Crime Agency also infiltrated and dismantled the DigitalStress DDoS-for-hire service in mid-2024. In each case, new platforms appeared within weeks, often run by the same people under fresh brand names and newly registered domains.

The pattern reflects a structural advantage that botnet operators hold: bulletproof hosting providers willing to ignore abuse complaints, fast-flux DNS techniques that make infrastructure hard to pin down, and a global pool of millions of poorly secured IoT devices that can be re-compromised almost as quickly as they are cleaned. The Alaska and California cases show that investigators can trace and disrupt even very large networks, but no primary source in the current reporting provides longitudinal data on how quickly seized capacity gets replaced.

The Alaska filing identifies the four botnets by name and infrastructure but does not fully map the relationships among their operators, customers, and code developers. It remains unclear whether the same core group of programmers supplied malware to multiple crews or whether overlapping clusters of low-skill operators simply reused leaked Mirai code with minimal modification. Without that attribution detail, measuring how much of the ecosystem has truly been dismantled, versus temporarily disrupted, is difficult.

What organizations should do now

For companies and institutions on the receiving end of DDoS campaigns, the practical implications cut two ways. On one hand, these operations demonstrate that law enforcement is willing to pursue both the supply side (botnet operators) and the demand side (paying customers), which may gradually raise the perceived risk of participating in the market. The 75,000 warning letters are designed to make casual buyers think twice.

On the other hand, the sheer volume and intensity of attacks recorded by firms like Cloudflare make clear that technical defenses remain essential regardless of how many domains get seized. Upstream filtering, rate limiting, anycast routing, and dedicated scrubbing centers are not optional for any organization that depends on internet-facing services. The 5.6 Tbps record strike is a reminder that peak attack capacity now far exceeds what most companies can absorb on their own.

Consumers have a role too. Many of the 3 million devices conscripted into these botnets were home routers and cameras running factory-default passwords or outdated firmware. Changing default credentials, applying manufacturer updates, and replacing end-of-life hardware that no longer receives patches are small steps that collectively shrink the pool of devices available to botnet recruiters.

A significant strike, not a finishing blow

The verified facts point to a major but partial victory: millions of infected devices wrested from criminal control, dozens of domains and storefronts taken offline, charges filed against named defendants, and a clear signal that authorities are coordinating across borders to target the DDoS-for-hire trade at every level. What no one can yet answer is whether this wave of enforcement will meaningfully shrink the overall threat or simply trigger another round of adaptation. The history of botnet takedowns suggests the answer will be some of both, and that the next test will come not in courtrooms but in the weeks ahead, when investigators and security researchers watch to see how fast the vacant storefronts get replaced.

*This article was researched with the help of AI, with human editors creating the final content.