Your CCTV Camera Might Be a Criminal: What the Massive IoT Botnet Takedown Really Means for UK Businesses

There is a certain kind of cupboard in a certain kind of business. You know the one. It contains an elderly router, a bargain bin switch, a dusty CCTV recorder, a random Android box nobody remembers buying, and at least one device powered by a plug that looks as though it came free with a magazine in 2019.

It also contains a lie.

The lie is this: those devices are boring, harmless, and beneath anyone’s interest.

They are not.

On 19 March 2026, US, Canadian, and German authorities disrupted infrastructure behind four major IoT botnets called Aisuru, KimWolf, JackSkid, and Mossad. According to the US Department of Justice, those botnets had infected more than three million devices worldwide and were used to launch hundreds of thousands of DDoS attacks, sometimes alongside extortion demands. The infected kit was mostly what you would expect: digital video recorders, web cameras, and WiFi routers. In other words, exactly the sort of neglected edge tat that turns up all over small businesses.

That is the real story here. Yes, the takedown matters. Yes, it is good news when law enforcement stamps on criminal infrastructure. But the more important question is not whether the feds won a round. It is why millions of insecure devices were sitting there in the first place, waiting to be conscripted into someone else’s cyber artillery.

If you run a UK small business, or look after one, this is not some distant American drama involving acronyms and men in windbreakers. Cloudflare’s Q4 2025 DDoS report says the United Kingdom jumped 36 places in a single quarter to become the sixth most attacked location in the world for DDoS. The same report tied the Aisuru Kimwolf botnet to hyper-volumetric campaigns and a record 31.4 Tbps attack that lasted 35 seconds. The volume is absurd. The relevance is not.

So pull up a chair.

Because this story is not really about a botnet takedown.

It is about what happens when cheap, forgotten, badly managed internet connected junk is allowed to squat on business networks for years without anyone asking basic questions.

What actually happened?

Let’s do this in plain English.

The DOJ says the botnet operators used a cybercrime as a service model. They infected devices, kept control of them, and then sold access to those infected devices to other criminals. Those criminals then used the hijacked devices to participate in huge DDoS attacks against targets around the world. Some victims reportedly suffered tens of thousands of dollars in losses and remediation costs. Some were also pressured with extortion demands.

The scale was grotesque. Court documents cited by the DOJ say Aisuru alone issued more than 200,000 DDoS attack commands. KimWolf issued more than 25,000. JackSkid launched more than 90,000. Mossad launched more than 1,000. Add it up and you get more than 316,000 attack commands from just these four botnets. That is not background internet noise. That is industrialised abuse.

The targets were not trivial either. The DOJ says seizure warrants targeted infrastructure allegedly involved in DDoS attacks against Department of Defense IP addresses, among many other victims. Reuters reported that the wider operation involved support from a long list of major technology firms and was coordinated with Europol’s PowerOFF team. This was not a one man band with a laptop and a grudge. It was serious enough to trigger a multinational response.

Brian Krebs’ reporting adds useful context here. He notes that Aisuru emerged in late 2024, and that by mid 2025 it was already launching record breaking DDoS attacks while rapidly infecting new IoT devices. He also reports that Kimwolf grew out of Aisuru and introduced a spreading method that allowed it to infect devices hidden behind internal networks. That last detail should make you sit up. The idea that a cheap internet box is “safe” because it is not openly exposed is not something I would bet the business on.

Why should a UK SMB care?

Because most UK SMBs have exactly the sort of environment attackers love.

Not the glamorous part of the stack. Not the new Microsoft licensing. Not the polished cloud dashboards shown in sales decks. I mean the ugly bits. The CCTV box. The old branch router. The streaming box behind the reception TV. The “temporary” wireless bridge that has now been there for four years. The security camera app that nobody has logged into since installation day. The internet connected doorbell or alarm kit that was set up by a contractor who has long since vanished.

The NCSC has been warning for some time that enterprise connected devices present an expanding attack surface, that many are accessible over the public internet, and that cyber security is often an afterthought. It also says these devices are attractive because they can be used as an attack vector or pivot point into wider networks for disruption, espionage, or financial gain. That is not abstract theory. That is a polite government way of saying these things can be a bloody liability.

The NCSC has also published specific guidance on edge devices, noting that routers, smart appliances, IoT devices, sensors, and cameras can be particularly vulnerable because they sit at the edge of the network and connect directly to external networks. It urged manufacturers to include secure logging and forensic visibility by default because attackers are increasingly targeting these devices. If the people at GCHQ are telling the market to stop treating edge devices like invisible furniture, perhaps we should take the hint.

Cloudflare’s data adds the missing business context. The UK became the sixth most attacked location in the world in Q4 2025. The same report says 2025 saw 47.1 million DDoS attacks overall, with attacks surging 121% year on year. That does not mean every SME is about to be flattened by a 31.4 Tbps flood. It does mean the threat landscape around online services, internet facing systems, and digital dependence is getting nastier, faster, and more industrialised. If your business relies on web apps, eCommerce, VoIP, cloud portals, remote access, or customer logins, why would you pretend that DDoS is somebody else’s problem?

The cheap device problem nobody owns

This is the part that really gets on my nerves.

Businesses will spend time debating AI policy, buying meeting room screens, and refreshing laptops, then leave a five-year-old DVR on the network with a mystery password and firmware older than some apprentices. Why? Because nobody owns it. It sits in the dead zone between IT, facilities, security, reception, and “the bloke who installed it”.

That dead zone is where bad things breed.

Reuters reported that most of the infected systems in this takedown were IoT gadgets such as webcams and routers, often compromised because of weak security settings. The UK’s PSTI regime, which came into effect on 29 April 2024, now requires baseline security for consumer connectable products sold in the UK, including a ban on universal default and easily guessable passwords, plus published security reporting contacts and minimum security update periods. The NCSC has also been blunt that default passwords can let criminals log into smart devices and use them to access local networks or conduct cyber attacks. That is progress, and it matters. But it does not magically fix the mountain of old, cheap, badly supported junk already hanging off real world networks.

And that is before we get to the really grubby stuff.

Synthient said in January 2026 that Kimwolf had already surpassed two million infected devices, primarily targeting Android devices with exposed Android Debug Bridge through residential proxies. It specifically warned that infected TV boxes should be wiped or destroyed. Read that again. Not rebooted. Not monitored closely. Destroyed. If you have cheap Android based media boxes, signage kit, or streaming devices in the business because someone wanted to save a few quid, are you certain they are not a back door with a power light?

Cloudflare says the Aisuru Kimwolf botnet was made up primarily of infected Android TVs and estimated the botnet at between one and four million hosts. It described the associated campaigns as capable of crippling critical infrastructure, crashing legacy cloud based DDoS protection, and even disrupting connectivity at national scale. So when someone shrugs and says “it’s only a telly box”, what they really mean is “I do not understand what this thing can become once it is weaponised”.

A takedown is not a cure

Here is the bit people always miss when these stories break.

Taking down command and control infrastructure is good. It disrupts criminal operations. It makes life harder for the operators. It prevents some future abuse. But it does not fix the root disease.

The disease is that the internet is still full of under secured, under patched, badly designed devices that were shipped with weak defaults, abandoned support, poor logging, or no proper lifecycle ownership. Law enforcement can kick over one operation, and another will grow out of the same rotten soil a week later if nothing changes. Wired makes exactly this point, noting that despite the disruption, botnet threats persist because criminals keep building new methods and infrastructures.

The NCSC’s older work on enterprise connected devices makes the same broader point from a UK risk perspective. It says many of these devices are publicly accessible, often have security treated as an afterthought, and after compromise can be used as a pivot point into wider enterprise networks. So the danger is not only that your device becomes part of a DDoS cannon. It is also that it becomes an access route, an observation point, or a foothold. Are you just worried about availability, or are you also asking what else that “smart” box can see, touch, or reach?

That matters because small businesses tend to think in isolated incidents. The website went down. The camera feed stopped. The internet was slow. The VPN acted oddly. In reality, these things often belong to one wider problem: unknown devices, poor asset control, weak credential hygiene, patching gaps, and rubbish procurement choices.

Or, to put it more bluntly, crap accumulates.

And then one day the crap starts attacking people.

What should UK businesses do this week?

Start with the obvious question.

Could you produce a list today of every internet connected camera, DVR, router, smart display, streaming box, signage player, wireless bridge, alarm panel, doorbell, and edge device in your business?

Not in theory. Not after a week of rummaging. Today.

If the answer is no, that is already a finding.

The first job is asset visibility. You cannot secure what you do not know exists. That means identifying every edge and IoT device, who installed it, what it does, where it lives, whether it is still needed, and who is responsible for patching and credentials. The NCSC’s guidance on edge devices and enterprise connected devices makes it clear that these categories are now a serious part of the attack surface, not an eccentric side issue.

Second, sort out credentials. The UK PSTI regime bans universal default and easily guessable passwords for in scope consumer connectable products sold in the UK, and the NCSC has been explicit that default passwords can be used by criminals to access local networks or launch attacks. Great. But your job is not to admire the law. Your job is to check the devices you already have. If a device still has default or shared credentials, change them. If it supports stronger access controls or 2SV, enable them. If you cannot do either, ask yourself why the thing is still on the network.

Third, patch or replace. The law now requires manufacturers to publish minimum security update periods for in scope consumer smart products sold in the UK. Use that information when buying, and use common sense with what you already own. If a device is out of support, no longer patched, or impossible to update safely, stop romanticising it. Replace it. Unsupported edge kit is not thrifty. It is just a future incident wearing a plastic shell.

Fourth, segment this stuff. Cameras, recorders, smart displays, IoT controllers, and similar devices do not need to sit happily on the same broad trusted network as user devices and core business systems. Give them their own network where appropriate. Restrict what they can talk to. Block unnecessary outbound access. Make it harder for a compromised gadget to wander around the estate like it owns the place. This is not glamorous work, but then neither is explaining to the board that the coffee area streaming box turned into a proxy node. The NCSC’s guidance on edge devices exists precisely because these systems sit at the boundary and deserve tighter treatment.

Fifth, review suppliers. Who installed the CCTV? Who manages the alarm platform? Who picked the signage player? Who decided the reception TV needed a bargain Android box from a marketplace seller? If you outsource bits of your technology estate, you also outsource some of your risk. Ask what is internet connected, how it is maintained, how firmware is managed, how credentials are handled, and what the support lifecycle is. If the answers are vague, cheerful, and undocumented, that is not reassuring. It is the opposite.

Finally, stop treating “smart” as a synonym for “safe”. It never was. The DOJ takedown shows what happens when millions of neglected devices are absorbed into criminal infrastructure. Cloudflare’s data shows how violent the resulting traffic can become. The NCSC’s guidance shows that governments are now openly worried about these devices as a major defensive blind spot. At what point does this stop being a niche cyber story and become simple business hygiene?

The uncomfortable truth

The easiest way to read this story is as a victory lap for law enforcement.

The correct way to read it is as an indictment of how much insecure junk still gets plugged into real networks.

Because that is what these botnets are built from. Not elite hardware. Not military systems. Not science fiction. Just masses of poorly managed devices, weak settings, old firmware, vague ownership, and collective indifference.

That is the tension sitting in the server cupboard, the loft space, the comms cabinet, and behind the reception screen.

You do not need a nation state to ruin your week.

Sometimes you just need a cheap camera, a lazy password, and nobody paying attention.

So here is the question.

If I asked you, right now, which internet connected devices in your business are most likely to be forgotten, weak, out of date, and still reachable, could you answer without guessing?

Because if not, this story is not about other people.

It is about you.

Sources

  • US Department of Justice: https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks. Why it matters: primary source for the takedown, botnet names, infected device count, and attack command totals.
  • Reuters: https://www.reuters.com/business/media-telecom/us-says-it-disrupted-botnets-that-infected-over-3-million-devices-worldwide-2026-03-20/. Why it matters: independent reporting on the multinational operation, device types, and wider coordination.
  • Krebs on Security: https://krebsonsecurity.com/2026/03/feds-disrupt-iot-botnets-behind-huge-ddos-attacks/. Why it matters: strong narrative reporting and extra context on Aisuru and Kimwolf evolution.
  • Cloudflare Q4 2025 DDoS Threat Report: https://blog.cloudflare.com/ddos-threat-report-2025-q4/. Why it matters: source for the 31.4 Tbps attack, UK ranking, and wider DDoS trend data.
  • NCSC edge device guidance: https://www.ncsc.gov.uk/news/cyber-agencies-unveil-new-guidelines-to-secure-edge-devices-from-increasing-threat. Why it matters: UK guidance showing why routers, cameras, and IoT edge devices matter defensively.
  • NCSC IoT guidance hub: https://www.ncsc.gov.uk/section/advice-guidance/all-topics/internet-of-things. Why it matters: UK guidance backdrop for practical IoT and connected device security.
  • UK PSTI regulations guidance: https://www.gov.uk/guidance/regulations-consumer-connectable-product-security. Why it matters: source for the UK baseline security requirements for consumer connectable products.
  • Wired: https://www.wired.com/story/us-takes-down-botnets-used-in-record-breaking-cyberattacks/. Why it matters: useful context on why takedowns disrupt but do not eliminate the wider botnet problem.

Filed under

  • IoT Security
  • DDoS
  • Botnets
  • Edge Security
  • UK Cyber Security
  • NCSC
  • Cloudflare
  • Business Cyber Security