OrganisationUS

Aisuru

IoT botnet seized on 19 March 2026 alongside Kimwolf, JackSkid and Mossad in a coordinated infrastructure takedown.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

Was anyone arrested for operating the Aisuru botnet after the March 2026 seizure?

Timeline for Aisuru

#521 May

Mentioned in: Kimwolf botmaster held over record DDoS

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What is the Aisuru botnet?: Aisuru is an IoT DDoS botnet that recruits enslaved routers, cameras and DVRs into a for-hire stresser network. Its infrastructure was seized in March 2026 alongside three other botnets: Kimwolf, JackSkid and Mossad.Source: Law enforcement seizure notices / Krebs on Security
Was the Aisuru botnet linked to Jacob Butler?: No. Jacob Butler ('Dort') was arrested for operating Kimwolf. Aisuru was a separate competing botnet whose infrastructure was seized on the same day, 19 March 2026, but no separate operator arrest for Aisuru was announced alongside the Butler charges.Source: US DoJ / OPP
How do IoT botnets like Aisuru recruit devices?: IoT botnets typically exploit consumer routers, cameras and DVRs using default factory credentials, known unpatched firmware vulnerabilities, or weak Telnet/SSH configurations to gain persistent access and enlist the device in DDoS attacks.Source: NCSC / CISA IoT botnet guidance

Background

Aisuru was one of four IoT botnets whose infrastructure was seized in a joint law-enforcement operation on 19 March 2026, alongside Kimwolf, JackSkid and Mossad. The seizure preceded the May 2026 arrest of Jacob Butler ('Dort'), alleged operator of the Kimwolf network, suggesting co-ordinated international disruption of the IoT DDoS-for-hire ecosystem. Aisuru's infrastructure was taken down as part of the same operation, though no separate operator arrest was announced at the time of reporting.

Aisuru is an IoT botnet family built on enslaved consumer devices — primarily routers, cameras and digital-video recorders vulnerable to default-credential exploitation or unpatched firmware. The name 'Aisuru' (from the Japanese verb 'to love') was used by operators to brand their DDoS-for-hire stresser service. Like Kimwolf, Aisuru operates by recruiting vulnerable IoT devices into a botnet and renting DDoS capacity to paying customers targeting gaming servers, financial services and critical infrastructure.

The concurrent March 2026 seizure of four botnet infrastructures illustrates the law-enforcement strategy of disrupting the DDoS-for-hire market wholesale rather than pursuing individual operators serially. Infrastructure seizures degrade botnet capacity temporarily but have historically had limited lasting effect without operator arrests; the Butler arrest two months later signals that infrastructure seizure was the first phase of a broader prosecution strategy.

Source Material

Krebs on Security – botnet coverage

How the World Sees Them

United States

Aisuru was included in the same infrastructure seizure as Kimwolf; US DoJ used the combined operation to demonstrate capability against the DDoS-for-hire market ahead of the Butler arrest.

European Union

EU law-enforcement agencies Europol and Eurojust co-ordinated on the March 2026 operation; ENISA noted the combined seizure as a model for multi-agency botnet disruption.

United Kingdom

NCA participated in planning the March 2026 operation; the Aisuru seizure contributed to the broader picture of IoT-botnet infrastructure dismantlement the NCSC had flagged in its annual threat assessment.