The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet’s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.
Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide.
The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.
As Aisuru’s size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google’s DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps.
By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru’s capabilities: The traffic flood lasted only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.

A measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet. Image: DDoS Analyzer Community on Telegram.
Aisuru’s overlords aren’t just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption.
For the past several weeks, ISPs hosting some of the Internet’s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.
Steven Ferguson is principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia. GSL hosts TCPShield, which offers free or low-cost DDoS protection to more than 50,000 Minecraft servers worldwide. Ferguson told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second.
Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH that they were no longer welcome as a customer.
“This was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,” he said, explaining that TCPShield is now solely protected by GSL.
Traces from the recent spate of crippling Aisuru attacks on gaming servers can be still seen at the website blockgametracker.gg, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see an Aisuru botnet campaign briefly knocked TCPShield offline.

An Aisuru botnet attack on TCPShield (AS64199) on Sept. 28 can be seen in the giant downward spike in the middle of this uptime graphic. Image: grafana.blockgametracker.gg.
Paging through the same uptime graphs for other network operators listed shows almost all of them suffered brief but repeated outages around the same time. Here is the same uptime tracking for Minecraft servers on the network provider Cosmic (AS30456), and it shows multiple large dips that correspond to game server outages caused by Aisuru.

Multiple DDoS attacks from Aisuru can be seen against the Minecraft host Cosmic on Sept. 28. The sharp downward spikes correspond to brief but enormous attacks from Aisuru. Image: grafana.blockgametracker.gg.
BOTNETS R US
Ferguson said he’s been tracking Aisuru for about three months, and recently he noticed the botnet’s composition shifted heavily toward infected systems at ISPs in the United States. Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S. based ISPs.
AT&T customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications, Comcast, T-Mobile and Verizon, Ferguson found. He said the volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.
“The impact extends beyond victim networks,” Ferguson said. “For instance we have seen 500 gigabits of traffic via Comcast’s network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing.”
Roland Dobbins is principal engineer at Netscout. Dobbins said Ferguson is spot on, noting that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.
“The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbins said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”
“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
KrebsOnSecurity sought comment from the ISPs named in Ferguson’s report. Charter Communications pointed to a recent blog post on protecting its network, stating that Charter actively monitors for both inbound and outbound attacks, and that it takes proactive action wherever possible.
“In addition to our own extensive network security, we also aim to reduce the risk of customer connected devices contributing to attacks through our Advanced WiFi solution that includes Security Shield, and we make Security Suite available to our Internet customers,” Charter wrote in an emailed response to questions. “With the ever-growing number of devices connecting to networks, we encourage customers to purchase trusted devices with secure development and manufacturing practices, use anti-virus and security tools on their connected devices, and regularly download security patches.”
A spokesperson for Comcast responded, “Currently our network is not experiencing impacts and we are able to handle the traffic.”
9 YEARS OF MIRAI
Aisuru is built on the bones of malicious code that was leaked in 2016 by the original creators of the Mirai IoT botnet. Like Aisuru, Mirai quickly outcompeted all other DDoS botnets in its heyday, and obliterated previous DDoS attack records with a 620 gigabit-per-second siege that sidelined this website for nearly four days in 2016.
The Mirai botmasters likewise used their crime machine to attack mostly Minecraft servers, but with the goal of forcing Minecraft server owners to purchase a DDoS protection service that they controlled. In addition, they rented out slices of the Mirai botnet to paying customers, some of whom used it to mask the sources of other types of cybercrime, such as click fraud.

A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016. Source: Downdetector.com.
Dobbins said Aisuru’s owners also appear to be renting out their botnet as a distributed proxy network that cybercriminal customers anywhere in the world can use to anonymize their malicious traffic and make it appear to be coming from regular residential users in the U.S.
“The people who operate this botnet are also selling (it as) residential proxies,” he said. “And that’s being used to reflect application layer attacks through the proxies on the bots as well.”
The Aisuru botnet harkens back to its predecessor Mirai in another intriguing way. One of its owners is using the Telegram handle “9gigsofram,” which corresponds to the nickname used by the co-owner of a Minecraft server protection service called Proxypipe that was heavily targeted in 2016 by the original Mirai botmasters.
Robert Coelho co-ran Proxypipe back then along with his business partner Erik “9gigsofram” Buckingham, and has spent the past nine years fine-tuning various DDoS mitigation companies that cater to Minecraft server operators and other gaming enthusiasts. Coelho said he has no idea why one of Aisuru’s botmasters chose Buckingham’s nickname, but added that it might say something about how long this person has been involved in the DDoS-for-hire industry.
“The Aisuru attacks on the gaming networks these past seven days have been absolutely huge, and you can see tons of providers going down multiple times a day,” Coelho said.
Coelho said the 15 Tbps attack this week against TCPShield was likely only a portion of the total attack volume hurled by Aisuru at the time, because much of it would have been shoved through networks that simply couldn’t process that volume of traffic all at once. Such outsized attacks, he said, are becoming increasingly difficult and expensive to mitigate.
“It’s definitely at the point now where you need to be spending at least a million dollars a month just to have the network capacity to be able to deal with these attacks,” he said.
RAPID SPREAD
Aisuru has long been rumored to use multiple zero-day vulnerabilities in IoT devices to aid its rapid growth over the past year. XLab, the Chinese security company that was the first to profile Aisuru’s rise in 2024, warned last month that one of the Aisuru botmasters had compromised the firmware distribution website for Totolink, a maker of low-cost routers and other networking gear.
“Multiple sources indicate the group allegedly compromised a router firmware update server in April and distributed malicious scripts to expand the botnet,” XLab wrote on September 15. “The node count is currently reported to be around 300,000.”

A malicious script implanted into a Totolink update server in April 2025. Image: XLab.
Aisuru’s operators received an unexpected boost to their crime machine in August when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a DDoS-for-hire botnet that competed directly with Aisuru for control over the global pool of vulnerable IoT systems.
Once Rapper Bot was dismantled, Aisuru’s curators moved quickly to commandeer vulnerable IoT devices that were suddenly set adrift by the government’s takedown, Dobbins said.
“Folks were arrested and Rapper Bot control servers were seized and that’s great, but unfortunately the botnet’s attack assets were then pieced out by the remaining botnets,” he said. “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”

A screenshot shared by XLab showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name “Ethan J. Foltz” in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.
BOTMASTERS AT LARGE
XLab’s September blog post cited multiple unnamed sources saying Aisuru is operated by three cybercriminals: “Snow,” who’s responsible for botnet development; “Tom,” tasked with finding new vulnerabilities; and “Forky,” responsible for botnet sales.
KrebsOnSecurity interviewed Forky in our May 2025 story about the record 6.3 Tbps attack from Aisuru. That story identified Forky as a 21-year-old man from Sao Paulo, Brazil who has been extremely active in the DDoS-for-hire scene since at least 2022. The FBI has seized Forky’s DDoS-for-hire domains several times over the years.
Like the original Mirai botmasters, Forky also operates a DDoS mitigation service called Botshield. Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.
In our previous interview, Forky acknowledged being involved in the development and marketing of Aisuru, but denied participating in attacks launched by the botnet.
Reached for comment earlier this month, Forky continued to maintain his innocence, claiming that he also is still trying to figure out who the current Aisuru botnet operators are in real life (Forky said the same thing in our May interview).
But after a week of promising juicy details, Forky came up empty-handed once again. Suspecting that Forky was merely being coy, I asked him how someone so connected to the DDoS-for-hire world could still be mystified on this point, and suggested that his inability or unwillingness to blame anyone else for Aisuru would not exactly help his case.
At this, Forky verbally bristled at being pressed for more details, and abruptly terminated our interview.
“I’m not here to be threatened with ignorance because you are stressed,” Forky replied. “They’re blaming me for those new attacks. Pretty much the whole world (is) due to your blog.”
“Pretty much the whole world (is) due to your blog.”
“And Krebs said, ‘Let there be light’. And there was light.”
World went downhill when someone had the ‘bright’ idea to create the NASDAQ.
world went downhill when your dad fuhcked your mom
is krebs plural?
Is zagoria feminine?
Is there any easy way for a home owner to determine whether any of the devices on their home network has been compromised? I probably have 20 devices. Some are computers with real passwords, but I have a printer, phones, 3D printers, etc. If we all could police our own devices, that could be helpful.
I would like to know also.
My consumer grade router in my house, an ASUS RT-AX3000, was repeatedly compromised through what must have been a zero-day in a router feature in October of 2024. I first noticed something was off when my computer was having periodic trouble accessing the internet. Through investigation I discovered that multiple devices in my house would have absolutely terrible ping to internet destinations at the same time. I finally thought to check the traffic chart web page on my router, and saw that the WAN port (facing the internet) would have a massive amount of traffic flow while there was very little traffic on LAN ports (facing inside my house). I eventually stopped the pain by disabling optional router features and rebooting the router until it stopped getting re-compromised after reboot. I had checked for firmware updates, and I was fully up to date at the time. And I had a strong password set, which I’d also tried changing.
I posted details in a thread discussing ASUS routers being compromised at the time: https://www.snbforums.com/threads/rt-ax88u-maxing-out-a-core-and-regularly-showing-60-mb-s-upload.92141/page-10#post-931853
But anyways, to answer your question, in my case everything in my house had miserable internet access for 20 seconds at a time every 2 to 3 minutes.
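The symptom described in the comment above (heavy traffic on the WAN port while the LAN ports stay quiet) is something a home user can check for with the router's own byte counters. The following is an added example, not code from the commenter or from any router vendor: it takes periodic snapshots of the WAN transmit counter and the combined LAN receive counter (the field names and the sample values are constructed for the demonstration), converts them into per-interval bit rates, and flags intervals where the router is pushing far more upstream than it received from the LAN, which means the traffic is originating on the router itself rather than being forwarded for a LAN host.

```python
"""Flag intervals where a home router's WAN egress is much larger than what
arrived from the LAN, i.e. traffic the router itself is generating.
All counter values below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Sample:
    t: float      # seconds since the first sample (assumed monotonic clock)
    wan_tx: int   # cumulative bytes transmitted on the WAN (uplink) port
    lan_rx: int   # cumulative bytes received from all LAN ports combined


# Constructed: 10-second samples. Normally WAN tx roughly tracks LAN rx
# (NAT forwarding). Between t=20 and t=40 the router sends ~50 Mbit/s upstream
# while the LAN stays almost idle, mimicking a bot running on the router.
SAMPLES = [
    Sample(0,           0,         0),
    Sample(10,  2_000_000, 1_900_000),
    Sample(20,  4_000_000, 3_800_000),
    Sample(30, 66_000_000, 4_000_000),   # 62 MB upstream, 200 kB from the LAN
    Sample(40, 128_000_000, 4_200_000),  # same again
    Sample(50, 130_000_000, 6_100_000),  # back to normal
    Sample(60, 132_000_000, 8_000_000),
]


def egress_rates(samples):
    """Per-interval (t_end, wan_tx_bps, lan_rx_bps) from cumulative counters.

    Intervals with a negative delta are skipped: that happens when the router
    rebooted (counters reset) or a 32-bit counter wrapped between samples.
    """
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            continue
        d_wan = cur.wan_tx - prev.wan_tx
        d_lan = cur.lan_rx - prev.lan_rx
        if d_wan < 0 or d_lan < 0:
            continue
        rates.append((cur.t, d_wan * 8 / dt, d_lan * 8 / dt))
    return rates


def router_originated_bursts(samples, min_bps=10_000_000, ratio=5.0):
    """Return (t_end, wan_tx_bps) for intervals where upstream traffic exceeds
    min_bps and is at least `ratio` times what the LAN delivered. A large
    ratio means the bytes did not come from a LAN host; the router made them.
    """
    flagged = []
    for t_end, wan_bps, lan_bps in egress_rates(samples):
        if wan_bps >= min_bps and wan_bps >= ratio * max(lan_bps, 1):
            flagged.append((t_end, wan_bps))
    return flagged


if __name__ == "__main__":
    for t_end, bps in router_originated_bursts(SAMPLES):
        print(f"t={t_end:>4}s  router-originated egress {bps / 1e6:.1f} Mbit/s")
```

The thresholds are arbitrary starting points: a 10 Mbit/s floor keeps ordinary router chatter (firmware checks, NTP, DNS) from triggering, and the 5:1 ratio tolerates the small overhead NAT and VPN encapsulation add on the WAN side. A residential device that is itself uploading tens of megabits per second with nothing behind it sending anything is the pattern the commenter saw, and it is worth a factory reset, a firmware check and a review of which optional remote-access features are enabled.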
A key question. I’d like to know too.
I run an old free network monitoring app called Bitmeter with a small window always open in the lower left of my Win10 machine. It lets me see internet traffic visually.
If I see any large traffic passing through, then I would know that there is something amiss and to dig deeper into the cause.
I’m sure there are other similar apps floating around.
I’m surprised how many people are now deft enough to change their WiFi access point names, now, compared to a decade ago, although — ironically — I believe people were far safer and more secure not doing so.
I have a cheap router. I check the router’s admin tools now and then to confirm the other computers on my network are operating as intended, but no idea what to do if the router itself gets hacked – and at its price point, it’s probably the most likely thing! A guide to how to check for this would be great.
Search a favorite vuln DB for your model #. Be prepared to read things that don’t matter.
Most newer TP- are patched / current to the extent publicly known. A few older ones are junk.
You’ll see the same posse of junk models over and over.
As long as you set strong pws, disable remote administration, and are careful about FW updates…
you’re about as safe as anyone from known-vuln spraying techniques. Sneakernet > internet.
Or build a cheap pfsense linux box with medium-fast i/o to act as a gateway logger. The rabbit hole.
Get used to reading logs periodically, oh but now you have to make sure that box isn’t hacked too…
so assume the praying position and hope for the best like the rest of the 18% of users who still care.
Search your model # on a vuln catalogue or 5. If you’re on some of these lists, read carefully.
Some of them are mitigated by updates, some will never be. Those are junk, time to update.
You can update the FW, you can HW reset, they will always be pwnable devices. Junk it.
Example, TP-Link AX-21, Zyxel-anything. Recycle it now. Get something new.
If you’re asking is there some way to detect the (hundreds of) thousands of potential, possible and unknown TTP’s/exploits already running on your unknown# router by running a program or typing a few cmd lines into a prompt, not really at all. You would be talking about a middle-man pfsense/other firewall dedicated PC logging all traffic and then running analysis on that for known trends. Which is doable – but will you do it? Will most people? Big no.
perform a packet capture on your local network, it has been noted that they use .su domains, look for DNS queries to that
dns.qry.name contains ".su"
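For anyone without Wireshark on the monitoring box, the same check can be done directly on captured DNS payloads. The following is an added example, not code from the commenter: it parses the question name out of a raw DNS query message (the 12-byte header followed by length-prefixed labels), and flags queries whose top-level domain is on a watch list, grouped by the LAN client that asked. It matches the TLD label exactly rather than doing the substring match the display filter above does, so names ending in ".sue" or containing "su." in the middle are not false positives. All packet bytes and client addresses are constructed; the `.su` domain names are placeholders, not real indicators.

```python
"""Extract question names from raw DNS queries and flag watched TLDs.
Sample packets are constructed; nothing here is a real indicator."""
import struct


def dns_qname(payload: bytes) -> str:
    """Return the first question name (lowercased) from a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers, not in a query's question.
            raise ValueError("compressed label in question name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed helper: a minimal standard A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def tld(name: str) -> str:
    return name.rsplit(".", 1)[-1]


def flag_queries(packets, watch_tlds=("su",)):
    """packets: iterable of (client_ip, dns_udp_payload).
    Returns {client_ip: [qname, ...]} for queries whose TLD is watched."""
    hits = {}
    for client, payload in packets:
        try:
            name = dns_qname(payload)
        except ValueError:
            continue                        # malformed or non-DNS payload: skip
        if tld(name) in watch_tlds:
            hits.setdefault(client, []).append(name)
    return hits


# Constructed capture: (client IP, UDP payload) as a sniffer would hand them over.
PACKETS = [
    ("192.168.1.10", build_query("www.example.com")),
    ("192.168.1.23", build_query("update.constructed-example.su")),
    ("192.168.1.23", build_query("pool.ntp.org")),
    ("192.168.1.40", build_query("shop.constructed-example.sue")),  # not .su
    ("192.168.1.40", build_query("su.example.net")),                  # label, not TLD
    ("192.168.1.23", build_query("api.constructed-example.SU")),      # case-folded
    ("192.168.1.50", b"\x00\x01"),                                    # junk payload
]


if __name__ == "__main__":
    for client, names in flag_queries(PACKETS).items():
        print(client, "->", ", ".join(names))
```

In practice the payloads come from whatever sniffer is in use (tcpdump with a `udp port 53` filter piped into a small pcap reader, for instance) and the watch list would hold whichever TLDs or domains the current reporting names; the parser and the grouping by client are the reusable parts.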
no ‘.su’ or su domains at all (or .sue, I checked to be sure) on my network, and never were (as far back as the 90s and my tcpdump captures), so why am I getting all of this garbage traffic, you think?
some lawyers really need to hang up their Martindale Hubble already.
Are ISPs not allowed to severely throttle or outright terminate misbehaving customers?
Same with customers that run pirate IPTV boxes that also end up with them joining a botnet. They should be on the hook for whatever credit card fraud or DDoS attacks that come out of their service.
Do they just want to avoid the wrath of Karens demanding they get the speeds they pay for or else they threaten to move ISPs, or is there some law (Net Neutrality?) getting in the way?
Is “totolink” responsible for the mystery cheap too good to be true networking equipment on Amazon like “NICGIGA”, or are people really buying “totolink” equipment? Never heard of it.
Also I love how these DDoS skiddies still think they’re all slick making big money off minecraft DDoS protection rackets over a decade later as if they’re not the ones feeding the poison just like good ole CJ.
The enforcement at the top level must continue but this has been a “digital public health” problem for the last couple decades. As long as we have herds of functionally unmaintained low end devices that can act up a lot, just as long as it’s not so much that their owners start rebooting/replacing, this is going to be an issue. Regulation might be a solution, but who gets regulated? Who does enforcement? Honestly, the best thing here might be “taxing” the misbehavior of IoT devices. If ISP picks up problematic behavior, monthly cost goes up some small amount, $5 – $7/month, such that consumer will replace the edge device. If it’s something inside the consumer network, the edge has to be smart enough to interdict. That means a security subscription, edge devices already need OS updates, if they’ve got a filtration mechanism as well, everybody wins.
I haven’t been responsible for an ISP in fifteen years. I miss many things about that business, but dealing with compromised customer systems is NOT one of them.
Appears that AT&T is high on the list, and seeing the Houston area (big customer base for them here) was a large source of the Mirai bot – seems like opportunities abound. The default gateway/routers they offer have pretty good options to configure networks – you can have guest networks for IoT devices segregated from the main household access. You can limit a lot of protocols and/or types of outgoing data.
I’d love to know more about the types of data / packets (UDP?) most of these common types of DDOS attack are leveraging from the home routers. The default AT&T SSID has that in the name. I could probably help a few dozen neighbors secure them with a bit more free time. 😀
could be ICMP. would make sense, given the sorts of DDOSing currently happening.
I haven’t been responsible for an ISP since just before the bombing in Oklahoma City in 1995. No one even had ‘home routers’ then except for those people willing to pay big bucks for private lines.
Forky causing outbound problems is a gift from the gods for making ISP’s pay a little more than the zero attention they usually pay to ddos.
You (they/whomever) know how this (these) “systems?”works (work) yet it perpetuates with NO “intelligent” solutions/ (resolutions) just conjectured complaints….rightly so but WTF? Stay Thirsty My Morons! What time is the 9:00PM “broadcast” please?……..
ISPs can mitigate this problem. But they do absolutely nothing. They can track outbound traffic for similar packets and flag the source (their customers) and notify them. But it all costs money so they simply ignore it (because it’s not their problem.)
Question from a cybersecurity ignoramus: how often are these mega-hackings caused by crass carelessness/negligence on the part of corporate staff users (e.g. easily-crackable passwords, reusing passwords, lack of 2FA, lack of basic anti-malware protection, clicking on a link in an e-mail from a stranger). For example, I’m told that the mega-hack of Equifax was possible because an employee simply forgot to renew a website certificate (5 minutes work).
Every vuln chains to another. User at home has outdated router, gets bot-infected, gets end-cpu infected, gets his email/browser/pwmanager scraped, oops now his company VPN creds are in the wind, now they’re into the Citrix/etc, now it’s everyone’s problem at work. What % are caused by mass corporate negligence (ahem, MICROSOFT, ADOBE, DELL, etc.) vs those caused by one person’s misclick or expired router selection, etc… flip a coin a million times. It’s as rando as anything and ascribing malice to incompetence is moot at that point – judge them by how they manage disclosure and damage control to customers. That’s the only saving grace when everybody’s getting compromised.
Should we all be ‘willing to assume’ that you’re trying to pump and dump and/or ‘bet’ on some college sports to really reward the recent illegal acquisition of ‘predictions markets’ by nasdaq? There’s only one prediction I can make, and that it’s you’re all goddamn dumb.
Ain’t no ‘rosy’ days ahead for anyone now.
Should be really epic though for ‘infosec’, if it were 2008. Unfortunately for all of you, it is not.
The solution to this problem seems to be very simple: to ban all that cheap Chinese crap hardware, including but not limited to routers, TVs and other popular IOT stuff that it can’t be sold anymore in the United States of America. Hopefully, President Donald J Trump will enforce his new tariffs on Chinese Communists and it will end all of this nonsense.
You just can’t help yourself ranting. Without the Chinese your post would be impossible.
Impossible not really, certainly more expensive…
without George Burns arpanet wouldn’t exist. and he dead.
Pretty much nailed the nail right on the crucifix, dude.
Marco, you are a really funny dude…..
If it’s not coming from China, you don’t think someone else will see a marketing opportunity for stuff made (and sold) as cheaply as possible? Maybe Trump thinks that, but nobody else does.
Pretty obvious who created Aisuru.
There weren’t many people talking to Erik all those years ago.
C’mon Erik. You know very well who this is.
People seem to overlook the fact that in the DDoS/Botnet community, pretty much everyone knows everyone. This isn’t some noface creature who came out of the woodwork.
Krebs I’m sure you have some idea who this is. I wouldn’t be surprised if the FBI know who this is but due to jurisdiction challenges and no evidential ties directly linking this person to the botnet. There isn’t much they can do.
bibi?
Bibi can’t create, he can only genocide.
Solution to this problem appears remarkably straightforward: Ban all that cheap Chinese hardware in the United States—including but not limited to routers, TVs, and other popular IoT devices—so it can no longer be sold here. Hopefully, President Donald J. Trump will strictly enforce his new tariffs on Chinese imports, putting an end to all this nonsense once and for all.
Concur. Although I suspect the Taiwanese and Japanese exports are at least as bad.
I continue to be surprised there isn’t more of a manufacturing market for such things in central Canada.
Yes! Involve POTUS #47 whose problem-solving track record is spotless, right?
And then they call me, The Republican, conspiracy theorist when I’m absolutely confident that most of you, democratic wokies, work for any interest but not of your Fatherhood. For example, for the interests of sneaky Chinese Communists who import in our country all this cheap crap with backdoors and profit pockets of your sponsors.
Actually, most ‘democratic wokies’ I know have at one time or another taken an oath to “…support and defend the Constitution of the United States against all enemies, foreign and domestic; [and]… will bear true faith and allegiance to the same;” as opposed to the NDAs that the POTUS King requires of all his ring kissers.
The TRUMP ROUTER 9000 – gold wires, gold antennas, the best security Russia can buy.
Just 1 Bitcoin! And for each one we sell we’ll donate 1 to a polling station. BUY AMERICA!
(Some people say buy American, I say buy America!)
Shouldn’t you be at your fantasy retreat for wayward people delusionally believing they are ‘chipping in’ to ‘feed and clothe America’?
Da Comrade, everyone who notices Trump is a criminal grifter must be Communist Party.
Da’strovia!
Does your employer know what you are talking about our 47th elected President Donald J Trump on the internet?
Or you would like me to inform him about it and about your obvious sympathies to communist regime of China, also known as main sponsor of democratic think-tanks and wokie leftist bot-farms on X and Mastodon?
“President” is merely a title, like FELON or PERJURER, RAPIST, GRIFTER.
They denote what that person has been found responsible for.
Trump will be known as all of those by history. Enjoy your rant! 😀
Second read of your comment, WTAF are you even babbling about lol?
What?
Congratulations! This is the best speed running game out there. I hope this inspires a whole new group of players to the game.
agreed. to be a ghost, no body must be entered.
when you gonna croak, already, Joe?
The Sikh already left but still they seek, wonder why, Mario?
this is boring! investigate krimin.al
why would he investigate ur crappy dead website LOL
Why don’t you do it? Get a constella account and get to work!
Would the major ISPs identifying significant sources of junk traffic and blocking it at the source… or perhaps limiting the number of packets allowed per IP, work for permanent mitigation?
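The comment above and the earlier one saying ISPs "can track outbound traffic for similar packets and flag the source" describe the same thing from the provider's side: look at exported flow records, find customer addresses emitting a high packet rate of small, similar packets aimed at one destination, and act on the source. The following is an added example, not code from any commenter or ISP: it aggregates constructed NetFlow-style records for one export window per customer address, computes packets per second, average packet size and how concentrated the traffic is on a single destination, and flags the sources that look like flood participants. It also groups the flagged sources by victim, since several customers hammering the same destination at once is the botnet signature rather than one heavy user. The record layout, thresholds and addresses (RFC 5737 test ranges) are all assumptions.

```python
"""Flag customer addresses whose outbound flows look like DDoS participation.
Flow records and thresholds are constructed for the demonstration."""
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed flow export interval

# Constructed records: (src_ip, dst_ip, proto, packets, bytes) for one window.
FLOWS = [
    # bot: 50 kpps of 60-byte UDP at a single destination
    ("203.0.113.10", "198.51.100.5", "udp", 3_000_000, 3_000_000 * 60),
    # ordinary browsing: few packets, mixed sizes, several destinations
    ("203.0.113.11", "192.0.2.44", "tcp", 1_200, 900_000),
    ("203.0.113.11", "192.0.2.45", "tcp", 800, 600_000),
    # second bot, same victim, 40 kpps of 48-byte packets
    ("203.0.113.12", "198.51.100.5", "udp", 2_400_000, 2_400_000 * 48),
    # video call upload: steady but modest pps, large packets -> legitimate
    ("203.0.113.13", "192.0.2.80", "udp", 90_000, 90_000 * 1_200),
    # game client: high-ish pps but far below flood rates
    ("203.0.113.14", "192.0.2.90", "udp", 12_000, 12_000 * 80),
]


def per_source_stats(flows, window=WINDOW_SECONDS):
    """Aggregate flows by source: pps, average packet size, destination share."""
    stats = {}
    for src, dst, _proto, pkts, byts in flows:
        s = stats.setdefault(src, {"packets": 0, "bytes": 0, "dsts": defaultdict(int)})
        s["packets"] += pkts
        s["bytes"] += byts
        s["dsts"][dst] += pkts
    for s in stats.values():
        s["pps"] = s["packets"] / window
        s["avg_pkt"] = s["bytes"] / s["packets"] if s["packets"] else 0.0
        top_dst, top_pkts = max(s["dsts"].items(), key=lambda kv: kv[1])
        s["top_dst"] = top_dst
        s["top_dst_share"] = top_pkts / s["packets"] if s["packets"] else 0.0
    return stats


def flag_outbound_floods(flows, pps_threshold=20_000, concentration=0.9, max_avg_pkt=128):
    """Sources sending >= pps_threshold of small packets mostly to one destination.

    All three conditions must hold: a high rate alone also matches legitimate
    bulk traffic, and a single destination alone also matches a video call."""
    flagged = []
    for src, s in per_source_stats(flows).items():
        if (s["pps"] >= pps_threshold
                and s["top_dst_share"] >= concentration
                and s["avg_pkt"] <= max_avg_pkt):
            flagged.append((src, s["top_dst"], round(s["pps"])))
    return sorted(flagged)


def victims(flagged):
    """Group flagged sources by the destination they share."""
    by_dst = defaultdict(list)
    for src, dst, _pps in flagged:
        by_dst[dst].append(src)
    return dict(by_dst)


if __name__ == "__main__":
    hits = flag_outbound_floods(FLOWS)
    for src, dst, pps in hits:
        print(f"{src} -> {dst}: {pps} pps of small packets")
    for dst, srcs in victims(hits).items():
        print(f"{dst} is being hit by {len(srcs)} customers at once")
```

What the provider does with a flagged source (a per-address packet-rate cap, a quarantine VLAN, an abuse notice) is a policy and equipment question; the detection above is the part that needs no new hardware, because flow export already exists on most edge routers.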
This is a concerning development regarding the DDoS attacks. It’s alarming to see how easily these botnets can disrupt services. We need to strengthen our defenses and collaborate more effectively to mitigate these risks.
This article on the DDoS botnet Aisuru is really concerning. It’s alarming to see how easily these attacks can disrupt services across the US. I hope ISPs are taking serious measures to protect against this kind of threat!
The “war’ is lost. Get over it.
potus 47 is better than potus 45. which is more than i could say for the ‘clintons’ in 1992-1998. oh well, at least ‘hillary’ lost; too bad bush didn’t win. in those days, president was just a cheese occasionally marked down.
i believe you are simply confusing an australian movie/novel for a botnet. or an imaginary ‘deal’.