Agi: US, Germany and Canada Strike Cripples Botnet Networks That Controlled Over 3 Million Devices

Agi — U.S., German and Canadian authorities carried out a coordinated operation that disabled large, long-active botnet networks controlling more than 3 million devices. The takedown targeted command-and-control servers for the botnets Aisuru, Kimwolf, JackSkid and Mossad and removed those networks’ ability to mount massive distributed denial-of-service attacks. The operation was aimed at stopping high-volume attacks and disrupting criminal use of compromised routers, DVRs and security cameras.
Agi and the takedown: what was hit and how
Updated 23 March 2026, 12:00 ET. The joint operation by authorities in the United States, Germany and Canada focused on the command centers running multiple interconnected botnet families. More than 3 million compromised devices were taken under control or otherwise neutralized as infrastructure used for global attacks was disabled. The operation specifically shut down control servers tied to Aisuru, Kimwolf, JackSkid and Mossad, reducing the networks’ available attack capacity.
Authorities identified the underlying codebase for many of the disrupted networks as Mirai-derived variants; investigators noted these strains had adapted to infect a broader range of internet-connected equipment. The disrupted botnets had been observed using hijacked consumer devices such as routers, digital video recorders and networked security cameras to build scale. In prior activity, the combined Aisuru and Kimwolf infrastructure produced an attack that reached 31.4 terabits per second for 35 seconds, one of the largest single DDoS bursts recorded for these networks.
Immediate reactions from authorities and experts
U.S., German and Canadian authorities described the operation as a coordinated effort to remove a direct risk to global IT infrastructure and to protect critical systems from large-scale attacks. Authorities emphasized that the disrupted networks were not only used for denial-of-service operations but were also monetized in the cybercrime economy: access was rented to other actors and, in some cases, used for extortion attempts. Investigators identified two suspects, and an international legal process was initiated to address those individuals.
Security researchers characterized the takedown as a significant intervention that materially reduced the capacity of these botnet rings, while cautioning that Mirai-based derivatives can re-emerge and evolve to target additional device classes. Experts highlighted that a large share of device owners remained unaware their equipment had been compromised, underscoring continuing exposure of consumer and small-business internet-connected hardware.
What this means next
The operation removed active command infrastructure and materially degraded a global threat actor capability, but authorities and researchers warned that similar threats can reappear if insecure devices remain exposed. Agencies in the three countries prioritized preventing attacks on critical systems and continuing investigations into operators who ran or monetized the botnets. Follow-up actions will focus on remediation of infected devices, international cooperation on prosecutions, and monitoring for new Mirai-derived activity.
This coverage uses the label agi to mark the subject matter of this dispatch; the takedown marks a notable interruption of large-scale botnet operations while investigators continue legal and technical steps to prevent resurgence and pursue responsibility.




