
JackSkid
IoT botnet seized on 19 March 2026 alongside Kimwolf, Aisuru and Mossad in a coordinated infrastructure takedown.
Last refreshed: 29 May 2026
- What is the JackSkid botnet?
- JackSkid is an IoT DDoS botnet and stresser-for-hire service built on enslaved home routers and IP cameras. Its infrastructure was seized on 19 March 2026 alongside Kimwolf, Aisuru and Mossad. Source: US DoJ / law enforcement seizure notices
- Was the JackSkid operator arrested?
- No JackSkid operator arrest was publicly announced as of May 2026. Only Jacob Butler, the alleged Kimwolf operator, was charged. The JackSkid infrastructure seizure on 19 March 2026 was part of the same operation. Source: US DoJ / OPP
Background
JackSkid was among four IoT botnets whose infrastructure was seized on 19 March 2026 in a joint international law-enforcement operation targeting the DDoS-for-hire market. The four botnets seized simultaneously were Kimwolf, Aisuru, JackSkid and Mossad. The operation preceded the arrest of Jacob Butler ('Dort'), alleged Kimwolf operator, by two months, indicating a sequenced strategy of infrastructure disruption followed by operator prosecution.
JackSkid is an IoT-based DDoS botnet and stresser service built on enslaved consumer devices, primarily vulnerable home routers and IP cameras. The JackSkid name has been associated with underground DDoS-for-hire forums where capacity was rented to customers wishing to attack gaming infrastructure, financial services and other targets. Like other botnets in its peer group, JackSkid used credential-stuffing and known firmware exploits to enlist devices without user knowledge.
The bundling of JackSkid with three other botnets in a single seizure operation reflects law-enforcement awareness that the DDoS-for-hire market is fluid: operators collaborate, share infrastructure, and migrate capacity between named services. Dismantling multiple services simultaneously limits the ability of surviving operators to absorb displaced capacity.