The source of attack power for the world's largest and most destructive botnet, Aisuru, is 300,000 hacked IoT devices

The Aisuru botnet unleashed a record-breaking 30 Tbps (30 trillion bits per second) DDoS attack. According to security expert Brian Krebs, much of the attack power came from an estimated 300,000 hacked IoT devices hosted by US ISPs like AT&T, Comcast, and Verizon.

DDoS Botnet Aisuru Blankets US ISPs in Record DDoS – Krebs on Security

Aisuru's 30 Tbps botnet traffic crashes through major US ISPs | CSO Online
https://www.csoonline.com/article/4071594/aisurus-30-tbps-botnet-traffic-crashes-through-major-us-isps.html

Aisuru is a botnet that has been active since around 2024. It wasn't the most powerful botnet to begin with, but its attack power has increased as it has grown in size. In May 2025, Krebs on Security, a security information website run by Krebs, received a 6.35 Tbps DDoS attack from Aisuru. According to Krebs, this was the largest attack that Google's DDoS defense service, Project Shield, had ever received at the time. However, a few days later, Aisuru broke the record with an 11 Tbps DDoS attack.

As of late September 2025, Aisuru had a DDoS attack power of 22 Tbps, and finally recorded a 29.6 Tbps data attack on October 6, 2025. This attack was only carried out by Aisuru for a short time to demonstrate its capabilities, so it went almost unnoticed.

Aisuru's attacks target ISPs that operate online gaming communities such as Minecraft. For example, Global Secure Layer , an Australian ISP that provides TCPShield , a DDoS attack protection service for Minecraft servers, was hit by a 15Tbps DDoS attack from Aisuru on October 8, 2025. After the attack, Global Secure Layer was notified by its top ISP, OVH, that it could no longer accept them as a customer. Analysis has revealed that the preliminary attacks on Global Secure Layer began in September.

Aisuru is based on the code behind the IoT botnet Mirai, which in 2016 swept away other DDoS botnets and broke the previous record with a 620Gbps attack. Its significant expansion since 2024 is attributed to the compromise of servers distributing firmware updates for inexpensive routers and network devices, distributing malicious scripts, and its number of nodes is said to have reached 300,000.

Roberto Coelho, co-founder of Proxypipe, a competitor to Mirai, said, 'The week-long Aisuru attack was extremely large, with many providers down multiple times a day,' and added that the 15 Tbps attack on TCPShield likely did not use all of Aisuru's attack power. 'We've definitely reached a point where we need at least $1 million a month just to have the network capacity to deal with these attacks,' he said.