Four DDoS-for-hire botnets (Aisuru, KimWolf, JackSkid, Mossad) collectively compromised over three million IoT devices, including web cameras, DVRs, and WiFi routers, and generated a verified peak of 31.4 Tbps. Device compromise relied on endemic design flaws, including hardcoded credentials, insecure defaults, and missing authentication, rather than on a discrete patched vulnerability. The C2 infrastructure has been seized, but the compromised devices remain active and recruitable by successor infrastructure, and law enforcement assesses that reconstitution within weeks is probable. Organizations should immediately audit internet-facing IoT devices for default credentials, enforce network segmentation with deny-by-default outbound policies for IoT VLANs, and monitor for botnet beaconing patterns on Telnet, TR-069, and ADB ports.
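
An added example of the monitoring step, not part of the original summary: it scans flow records for IoT-VLAN hosts reaching external addresses on Telnet, TR-069 and ADB ports, and marks near-periodic connections as beaconing. The subnet, record format, thresholds and sample flows are constructed assumptions; the port numbers are the services' well-known defaults.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Default ports of the services named above (2323 is a common alternate Telnet port).
WATCH_PORTS = {23: "telnet", 2323: "telnet", 7547: "tr-069", 5555: "adb"}
IOT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumption: the IoT VLAN subnet
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 10.20.0.15 203.0.113.9 23
1060 10.20.0.15 203.0.113.9 23
1121 10.20.0.15 203.0.113.9 23
1180 10.20.0.15 203.0.113.9 23
1241 10.20.0.15 203.0.113.9 23
1005 10.20.0.31 198.51.100.7 5555
1900 10.20.0.31 198.51.100.7 5555
1010 10.20.0.40 10.20.0.1 7547
1015 10.30.0.8 203.0.113.9 23
1020 10.20.0.15 192.0.2.50 443
"""

def find_suspect_flows(text, min_events=4, max_jitter=0.1):
    """Map (src, dst, port) -> verdict for IoT hosts reaching external watch ports."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, port = float(parts[0]), int(parts[3])
        src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
        external = not any(dst in net for net in INTERNAL)
        if src in IOT_NET and port in WATCH_PORTS and external:
            seen[(str(src), str(dst), port)].append(ts)
    verdicts = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Beaconing: enough events with near-constant spacing (low coefficient of variation).
        regular = (len(stamps) >= max(min_events, 2) and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= max_jitter)
        # Anything else is still traffic a deny-by-default outbound policy would block.
        verdicts[key] = "beacon" if regular else "outbound"
    return verdicts

if __name__ == "__main__":
    for (src, dst, port), verdict in find_suspect_flows(SAMPLE_FLOWS).items():
        print(f"{verdict:8} {src} -> {dst}:{port} ({WATCH_PORTS[port]})")
```
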