KrebsOnSecurity Targeted by Massive 6.3 Tbps DDoS Attack Using Aisuru Botnet

KrebsOnSecurity, the prominent cybersecurity blog managed by investigative journalist Brian Krebs, has recently fallen victim to a significant distributed denial-of-service (DDoS) attack that peaked at an astonishing 6.3 terabits per second (Tbps). This attack is among the largest documented to date and is believed to have been executed by a new Internet of Things (IoT) botnet known as “Aisuru.”

Although the onslaught lasted for approximately 45 seconds, its intensity was considerable. Remarkably, KrebsOnSecurity remained operational throughout the incident, thanks to Google’s Project Shield—a complimentary service designed to safeguard news and journalistic platforms from cyber assaults.

Aisuru Botnet Accounts for the Assault

Krebs reported that the Aisuru botnet was behind the attack. Cybersecurity analysts from QiAnXin XLab first identified this botnet in August 2024. It consists mainly of compromised IoT devices such as routers, IP cameras, and digital video recorders, which were commandeered to function as “zombies,” generating a massive volume of traffic directed at KrebsOnSecurity in a coordinated strike.

The name “Aisuru” started circulating in underground forums earlier this year, often associated with DDoS-for-hire services. While investigations are ongoing, initial findings indicate that the botnet might be stress-testing its capabilities, using KrebsOnSecurity as a prominent target to demonstrate its reach or send a warning.

A Familiar Tactic with an Elevated Scale

Brian Krebs is familiar with DDoS attacks. His blog, known for its extensive coverage of cybercrime and internet misconduct, has been repeatedly targeted over the years. In 2016, for instance, his site experienced a crippling 620 Gbps attack involving the Mirai botnet.

The incident in 2025 serves as a stark reminder of the growing threat landscape. With a peak traffic rate of 6.3 Tbps, the Aisuru-triggered DDoS attack was ten times larger than the 2016 event, highlighting both the evolution of contemporary botnets and the persistent security vulnerabilities embedded in consumer-grade IoT devices.

Identifying the Perpetrators

Attributing cyberattacks poses a considerable challenge. However, Krebs’ blog post about the incident points to a person known online as “Forky” as a potential suspect. This alias has been linked to forum activity offering DDoS services and botnet rentals, and security researchers have associated Forky with discussions surrounding Aisuru.

During a conversation via Telegram with Krebs, Forky denied orchestrating the attack but suggested that someone else might have leveraged the botnet without their direct involvement.

“Forky denied being involved in the attack but acknowledged that he helped to develop and market the Aisuru botnet. He claims to now be merely a staff member of the Aisuru botnet team and that he ceased operations roughly two months ago after starting a family.”

Brian Krebs

The Aftermath and Implications

Incidents of this magnitude pose severe threats to the future of online infrastructure. A DDoS attack of 6.3 Tbps is not merely an inconvenience for blogs or small websites; it has the potential to incapacitate entire hosting providers or data centers if left unaddressed. Recall that the October 2016 DDoS attack on Dyn DNS, powered by the Mirai botnet, profoundly impacted internet accessibility.

This incident emphasizes the urgent need for enhanced security measures in internet-connected devices. Unlike its Airashi counterpart, the majority of the hardware utilized in the Aisuru botnet is affordable, outdated, and typically comes equipped with weak or default login credentials. Until manufacturers prioritize security for these devices, the proliferation of botnets will continue, leading to more frequent large-scale attacks.

BreachSpot will continue to monitor developments concerning the Aisuru botnet and related threats as more information becomes available.
