“How do you fight a storm when most of the clouds are over your own house?” That question, asked by analysts after a record‑shattering distributed denial‑of‑service event, captures the dilemma facing network defenders today — and it frames a darker question beneath it: who gains when entire classes of cheap devices become weapons? Security reporting this year has traced two related phenomena — the Aisuru DDoS juggernaut that drew much of its power from U.S. ISP networks and the Kimwolf campaign that rapidly commandeered millions of unofficial Android TV boxes — and the answers point to a small ecology of attackers, service operators and market incentives that sustained them.
Background: botnets are old; scale and concentration are new. For decades criminal and state actors have assembled collections of compromised machines — “bots” — to send spam, mine cryptocurrency or flood targets with traffic. What changed with Aisuru was scale and geography: researchers observed a short‑lived DDoS surge that peaked at a nearly unprecedented volume, and a plurality of the compromised endpoints were commodity IoT devices — routers, cameras and other always‑online appliances — sitting on networks run by major U.S. providers such as AT&T, Comcast and Verizon. That domestic clustering forced operators into surgical, slower mitigations rather than blunt, upstream blocks that would disconnect large numbers of legitimate customers.
Kimwolf, reported earlier this year, followed a different but complementary path. Rather than drawing on broad IoT pools, Kimwolf targeted a narrow but massive cohort: unofficial Android TV streaming boxes. Within weeks the botnet’s operators had corralled an estimated multi‑million‑device army, turning inexpensive set‑top devices into uplinks for scanning, proxying and dissemination of other malware. KrebsOnSecurity documented how the rapid, automated compromise of large numbers of poorly provisioned streaming boxes produced both transient chaos and long‑term infrastructure value for the operators. (See original reporting at the end of this piece.)
Who benefitted — and how
- Botnet operators and affiliates. The primary beneficiaries are the people who wrote and ran the botnet code. They monetize their assets directly — renting DDoS capacity, offering proxy services, or selling access to the network to other criminals. Because both Aisuru and Kimwolf exploited large pools of unmanaged devices, their operators achieved massive capacity at negligible marginal cost, turning low‑value hardware into highly valuable infrastructure.
- Resale and proxy markets. Once a botnet reaches critical mass it can be packaged as “infrastructure‑as‑a‑crime.” Buyers seeking to anonymize traffic, amplify attacks, or host illicit services can rent access on a per‑hour or per‑attack basis. That secondary market rewards operators who can deliver scale and geographic concentration — an advantage Aisuru and Kimwolf both provided in different ways.
- Network operators and intermediaries (indirectly). This is a paradox: in the short term ISPs and CDNs absorb costs — mitigation expenses, customer support and reputational damage — but some intermediaries profit by selling mitigation services, scrubbing capacity and threat intelligence. The concentration of Aisuru traffic inside U.S. ISPs complicated mitigation and therefore increased demand for specialized, paid defenses.
- Device vendors and supply chains — perversely. While reputable vendors do not profit from criminal abuse, the market dynamics that produced the vulnerable devices — cheap hardware, opaque firmware supply chains and rapid time‑to‑market — lowered retail prices and increased unit sales. Those same incentives make it economically rational for some manufacturers to ship devices with weak defaults or no update mechanism, a condition exploited by botnet operators.
- Nation‑state and authoritarian actors (opportunistically). Large botnets provide raw capabilities that can interest state actors for signaling or disruption. Even if a botnet’s operators are criminal rather than state‑sponsored, sympathetic or opportunistic state actors can rent or co‑opt capabilities for harassment or espionage, raising geopolitical risk when major infrastructure is compromised.
Why the beneficiaries matter
Understanding who profited is not an abstract accounting exercise. The identity of beneficiaries shapes response: law enforcement targets the operators; network defenders harden and isolate devices; vendors face regulatory scrutiny; and policymakers debate liability, minimum security standards and the role of ISPs in remediation. When a botnet’s power is concentrated inside domestic networks, as with Aisuru, blunt mitigations (null‑routing prefixes or asking upstream providers to drop traffic) risk cutting off law‑abiding users, so the commercial winners — mitigation vendors and intelligence services — find a larger market. That dynamic creates both incentives for defensive innovation and an asymmetric cost burden placed on infrastructure providers and consumers.
Different vantage points on the problem
- Technologists worry about root causes: default credentials, unpatchable firmware, opaque supply chains and the impossibility of updating millions of low‑cost devices in the field. Their prescriptions are technical and operational: better device telemetry, automated remediation workflows for ISPs, network segmentation for consumers and industry‑wide secure‑by‑design practices.
- Policymakers face tradeoffs between regulation and market resistance. Minimum security standards, labeling requirements, or liability rules for manufacturers could force safer defaults, but they also raise manufacturing costs and invite industry pushback. In the near term, legal frameworks that enable rapid, cooperative takedowns while preserving due process and consumer privacy are politically hard but increasingly salient.
- Users are both victims and vectors. Many consumers are unaware that low‑cost devices can be turned against the network. Practical steps — changing default passwords, installing updates, isolating IoT devices on separate networks — reduce risk but require user education and easier remediation mechanisms from vendors and ISPs.
- Adversaries exploit economics. For criminal operators, the calculus is straightforward: scale cheaply, sell access, and avoid attribution. For less scrupulous service operators in gray or black markets, offering anonymized proxying or DDoS rentals is a low‑risk, high‑reward business as long as compromise remains cheap and enforcement slow.
Policy and operational recommendations (concise)
- Require secure defaults and update mechanisms for consumer IoT devices; incentivize or mandate patchability through procurement rules.
- Encourage ISPs to deploy fine‑grained telemetry and automated customer notification/remediation workflows so infections can be isolated without broad outages.
- Develop rapid legal pathways for cross‑industry takedowns that balance speed with legal safeguards.
- Support public awareness programs that help consumers harden devices and segregate networks.
Closing analysis: an economy of damage
What the Aisuru and Kimwolf episodes reveal is a simple market truth: when devices are cheap, durable and poorly secured, they become exploitable infrastructure. That creates an informal economy — actors who profit from assembling, renting and selling malicious capacity — sustained by weak incentives across manufacturers, sellers and some consumers. Defenders can win on technology, on law, and on market structure, but only if action aligns across those fronts. Otherwise the cycle repeats: cheap device, cheap compromise, expensive consequences.
So where does that leave us? The vulnerabilities are fixable; the harder task is fixing the incentives that let vulnerable devices flood the market in the first place. Will industry, regulators and consumers accept the short‑term costs of safer design to avoid the long‑term price of persistent, industrial‑scale abuse? The answer will determine whether the next botnet is contained quickly — or whether we all face the bill for another storm blowing from inside our own houses.
Source: https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/




