Smart Home Botnet Takedowns: 3 Million Devices Compromised in March 2026
Four botnets dismantled in March 2026 had conscripted 3+ million smart home devices. Your device may have been one of them.
The Botnets

| Botnet | Size | Primary Function |
| --- | --- | --- |
| Aisuru | 1.2M devices | DDoS attacks, credential stuffing |
| KimWolf | 890K devices | Cryptocurrency mining, proxy networks |
| JackSkid | 650K devices | DDoS, spam distribution |
| Mossad | 480K devices | Data exfiltration, network recon |

A joint operation by the U.S. Department of Justice, German authorities (BKA, ZAC NRW), and Canadian law enforcement seized C2 infrastructure, virtual servers, and domains used by all four botnets. The Aisuru botnet alone had issued more than 200,000 DDoS attack commands, hitting targets including IP addresses on the Department of Defense Information Network (DoDIN). KimWolf issued over 25,000 commands, JackSkid over 90,000, and Mossad over 1,000.

Common infection vectors:
- Default credentials unchanged from factory settings
- Unpatched firmware vulnerabilities
- Telnet/SSH exposed to the internet
- UPnP misconfigurations allowing remote access

Historical Context

This is the largest IoT botnet takedown since the early 2020s, and the numbers put earlier botnets in perspective:

Mirai (2016): The original IoT botnet reached 600K infected devices at its peak. It brought down Krebs on Security with 620 Gbps, then Dyn DNS with an attack that crippled much of the U.S. East Coast. Mirai spread by scanning for open telnet ports and trying 61 default username/password combinations. Most of its victims were DVRs and IP cameras running XiongMai Technologies firmware. The source code was released publicly, spawning hundreds of variants.

VPNFilter (2018): Attributed to Russian state-sponsored actors (linked to the BlackEnergy APT), VPNFilter infected 500,000+ devices across 54 countries. It targeted SOHO routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP NAS devices. Unlike Mirai, VPNFilter was modular — it could sniff traffic, steal credentials, monitor SCADA protocols, and brick infected devices on command. The FBI sinkholed its backup C2 domain (toknowall.com) to disrupt operations.

Meris (2021): Composed almost entirely of MikroTik routers compromised via CVE-2018-14847 (a Winbox vulnerability patched in 2018). Qrator Labs estimated 250K infected devices, used to launch record-breaking 21.8 million request-per-second HTTP floods against Yandex. Many routers remained compromised years after the patch because operators never changed passwords or removed backdoor configurations.

The four botnets disrupted in March 2026 — Aisuru, KimWolf, JackSkid, and Mossad — collectively controlled 3 million devices, dwarfing each of those earlier threats. Their peak attack of 31.4 Tbps (recorded by Cloudflare in December 2025) was 50 times larger than Mirai's Dyn attack in 2016.
Infection Vectors

The botnets weaponized a combination of known CVEs and basic security failures:

CVE-2023-30799 (MikroTik RouterOS): A privilege escalation vulnerability in RouterOS versions before 6.49.7 stable and 6.48.6 long-term. An authenticated attacker can elevate from admin to super-admin, gaining a root shell on the underlying OS. Detection is nearly impossible — the Winbox and web interfaces implement custom encryption that neither Snort nor Suricata can inspect. VulnCheck estimated that 500,000-900,000 RouterOS systems exposed on Shodan were vulnerable. MikroTik had fixed this in late 2022, but as the Meris botnet saga proved, devices running old firmware with unchanged default passwords remain compromised permanently.

CVE-2023-1389 (TP-Link Archer AX21): A command injection vulnerability in one of the router's web management endpoints. A request parameter was passed unsanitized into a command-execution call, allowing unauthenticated attackers to execute commands as root via a single POST request. TP-Link confirmed the exploit had been incorporated into the Mirai botnet arsenal. CISA added this to its Known Exploited Vulnerabilities catalog in May 2023, giving federal agencies 21 days to patch. Daily exploitation attempts exceeded 40,000 by March 2024.

Default credentials on Dahua and Hikvision devices: The single largest attack surface. IP cameras, DVRs, and NVRs from Dahua, Hikvision, and their OEM clones ship with well-known default credentials (admin/admin, root/root, 666666/666666, etc.). These credentials are documented in Mirai's source code. Shodan searches reveal hundreds of thousands of these devices accessible on the public internet with telnet (port 23) or SSH (port 22) still enabled. A 2025 Bitdefender/NETGEAR study of 6.1 million smart homes found the average household absorbed 29 IoT attack attempts per day.

Impact

These botnets were not idle. Court documents and threat intelligence reports reveal three primary monetization models:

Record-Breaking DDoS Attacks.
Cloudflare's 2025 Q4 DDoS report documented a 31.4 Tbps UDP flood from the Aisuru botnet targeting telecommunications providers. The attack peaked at 200 million requests per second and lasted 35 seconds — too short for manual mitigation to engage. A separate attack on Microsoft Azure reached 15.72 Tbps from 500,000 source IPs. Overall, DDoS attacks doubled in 2025 to 47.1 million, with network-layer attacks tripling year-over-year.

Credential Stuffing and Account Takeover. Botnet operators sold residential proxy access to credential stuffing services. Legitimate-looking traffic originating from real home IP addresses bypassed geo-fencing and reputation-based blocking. Twenty major platforms in fintech, e-commerce, and social media were targeted in campaigns lasting 6-18 months.

Cryptocurrency Mining. The KimWolf botnet's cryptomining module generated an estimated $4 million in illicit revenue before the takedown. Mining payloads were deployed on devices with sufficient CPU headroom — primarily Android TV boxes and router models with ARM processors. The electricity and bandwidth costs were absorbed by the device owners.

Geographic Distribution

Infected devices were concentrated in regions with high IoT adoption and weak default security postures. Based on sinkhole telemetry and Shodan census data:

| Country | Share of Infected Devices |
| --- | --- |
| United States | 28% |
| Brazil | 12% |
| India | 11% |
| Vietnam | 8% |
| Mexico | 6% |
| Indonesia | 5% |
| Russia | 4% |
| Turkey | 4% |
| Other | 22% |

The U.S. proportion is consistent with broader botnet C2 hosting trends. The Spamhaus Botnet Threat Update (July-December 2025) found the United States now hosts more botnet controllers than any other country — 5,040 at last count — having surpassed China in late 2024.

The ISP Blind Spot

Internet service providers were in a position to detect these botnets months before the takedown. The traffic signatures are not subtle:

- Sustained outbound connections to foreign C2 servers on non-standard ports
- HTTP request rates from a single residential IP exceeding hundreds of thousands per second
- Telnet/SSH brute-force scans propagating to neighboring IPs on the same ISP

Yet most ISPs did not notify customers. This mirrors the APT28 router hijack pattern of 2024-2025, where Russian military intelligence (GRU) used compromised SOHO routers for anonymous proxy traffic, and ISPs detected anomalous routing patterns but failed to alert subscribers. In both cases, the economic incentive is aligned against notification: identifying and contacting affected customers costs the ISP money, and the customer may blame the ISP for the breach. Some European providers have started implementing automated quarantine for devices exhibiting botnet behavior, modeled on the German BSI (Federal Office for Information Security) router security guidelines. No equivalent mandate exists in the United States.

How to Check

- Router audit: Log in to your router's admin panel and check the DHCP client list for unknown MAC addresses. Cross-reference manufacturer OUIs using a MAC lookup tool.
- DNS check: Verify your router is not using unexpected DNS servers. Compare against your ISP's published DNS addresses.
- Traffic monitoring: Unusual upload activity during idle hours may indicate botnet participation. Most consumer routers have rudimentary traffic graphs in the admin interface.
- Firmware update: Check your router model against the manufacturer's support page. Known-vulnerable models include:
  - MikroTik RouterOS versions below 6.49.7 (stable) or 6.48.6 (long-term)
  - TP-Link Archer AX21 firmware below 1.1.4 Build 20230219
  - Linksys Smart WiFi routers running firmware dated before 2022
  - Netgear Nighthawk series with factory firmware older than 12 months
  - Any Dahua or Hikvision IP camera or DVR accessible from the WAN side
  - Off-brand Android TV boxes (common KimWolf vector)
- Shodan search: Search your public IP at Shodan.io to see which ports are exposed. If port 23 (telnet), 22 (SSH), 80/443 (web admin), or 5678 (MikroTik) is open, an attacker can probe it.

Prevention

- Change default passwords immediately. Use a password manager to generate and store unique credentials per device.
- Disable remote administration (WAN-side access) on your router unless you have a specific, time-limited need.
- Disable UPnP unless specifically needed. Most IoT devices do not require it.
- Segment IoT devices to a separate VLAN or guest network that cannot initiate outbound connections to the internet without passing through a firewall.
- Replace end-of-life devices that no longer receive security updates. If your router's manufacturer has not issued a firmware update in the last 18 months, replace it.
- Use the site's DNS Inspector tool to verify your DNS resolvers are not pointing to rogue servers. Run the VPN Leak Test to confirm your VPN tunnel is not leaking traffic that could expose you to C2 communication.
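The three traffic signatures listed under The ISP Blind Spot, applied to flow records as an added example (this is not code from the article, the agencies, or the vendors it cites): the residential range, the set of "standard" ports, the alert thresholds and the sample flows are all constructed assumptions. The same function can be pointed at a home router's connection log for the Traffic monitoring step above.

```python
"""Added example: flag the three botnet traffic signatures from the article in flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): ports a home device legitimately talks to, the
# ISP's residential range (TEST-NET-3, constructed) and the alert thresholds.
STANDARD_PORTS = {53, 80, 123, 443, 853}
HOME_NET = ip_network("203.0.113.0/24")
C2_MIN_FLOWS = 20        # "sustained": this many flows to one non-standard host:port
RPS_THRESHOLD = 100_000  # article: hundreds of thousands of requests/s from one IP
SCAN_MIN_HOSTS = 10      # distinct neighbouring IPs probed on 22/23 by one source

def analyse(flows):
    """flows: (timestamp_s, src_ip, dst_ip, dst_port, requests) records, NetFlow-style.
    Returns sorted (signature, offending_src_ip, detail) tuples."""
    beacons = defaultdict(int)   # (src, dst, port) -> flows to a non-standard foreign port
    rps = defaultdict(int)       # (src, second) -> requests in that second
    scans = defaultdict(set)     # src -> neighbouring IPs probed on telnet/ssh
    for ts, src, dst, port, requests in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in HOME_NET and d not in HOME_NET and port not in STANDARD_PORTS:
            beacons[(src, dst, port)] += 1
        rps[(src, int(ts))] += requests
        if port in (22, 23) and d in HOME_NET and d != s:
            scans[src].add(dst)
    findings = []
    for (src, dst, port), n in beacons.items():
        if n >= C2_MIN_FLOWS:
            findings.append(("c2_beacon", src, f"{n} flows to {dst}:{port}"))
    for (src, sec), r in rps.items():
        if r >= RPS_THRESHOLD:
            findings.append(("http_flood", src, f"{r} req/s at t={sec}"))
    for src, hosts in scans.items():
        if len(hosts) >= SCAN_MIN_HOSTS:
            findings.append(("lateral_scan", src, f"{len(hosts)} neighbours probed on 22/23"))
    return sorted(findings)

def sample_flows():
    """Constructed sample: one clean host and one infected host showing all three patterns."""
    flows = [(1.0, "203.0.113.10", "198.51.100.50", 443, 3)]                    # normal HTTPS
    bot = "203.0.113.77"
    flows += [(float(t), bot, "198.51.100.9", 8443, 1) for t in range(25)]       # C2 beacons
    flows += [(30.0 + i / 10, bot, "192.0.2.5", 80, 20_000) for i in range(10)]  # HTTP flood
    flows += [(40.0, bot, f"203.0.113.{h}", 23, 1) for h in range(100, 112)]     # telnet scan
    return flows

if __name__ == "__main__":
    for sig, src, detail in analyse(sample_flows()):
        print(f"{sig:13} {src:15} {detail}")
```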