31.4 Tbps—The Biggest DDoS Attack Ever Just Happened, and Your Android TV Might Be to Blame
Cloudflare mitigated a record-breaking 31.4 Tbps DDoS attack from the AISURU/Kimwolf botnet, powered by 2 million compromised Android devices. DDoS attacks surged 121% in 2025 with 47.1 million incidents. The botnet spread via trojanized Android apps and fake Windows binaries.
If you've ever wondered what the internet equivalent of getting hit by a freight train looks like, Cloudflare just showed us: 31.4 terabits per second. That's trillion with a T. And it lasted all of 35 seconds before their systems killed it.
The culprit is a botnet called AISURU, also tracked as Kimwolf, that's managed to quietly conscript over two million Android devices into its digital army. Most of them are those cheap Android TV boxes people buy because why pay $150 for a Roku when this one's $30 on Amazon? Turns out, that's exactly why.
Cloudflare's latest threat report reads like someone turned the volume knob to 11 and then broke it off. DDoS attacks surged 121 percent in 2025, with the company now mitigating an average of 5,376 attacks every single hour. That's nearly 90 attacks per minute. The annual total hit 47.1 million—more than double 2024's numbers. And the size of these attacks has grown over 700 percent compared to late 2024. The record-setter hit 31.4 Tbps in November 2025, part of a campaign Cloudflare's calling "The Night Before Christmas" because apparently cybercriminals have a sense of humor. The Christmas Eve wave averaged 4 Tbps with bursts hitting 24 Tbps.
AISURU didn't build its army through clever zero-days or sophisticated nation-state tradecraft. It went for volume. The operators distributed over 600 trojanized Android apps embedding proxy SDKs and more than 3,000 fake Windows binaries pretending to be OneDrive sync tools or Windows updates. Also in the mix was a Beijing-based proxy company called IPIDEA that was essentially running malware-as-a-service.
The brilliance, if you can call it that, was hiding in plain sight. IPIDEA ran at least a dozen "legitimate" residential proxy services—the kind people use for price comparison tools or ad verification. Behind the curtain, they were all feeding into one centralized command infrastructure.
Google finally stepped in last month, disrupting the operation and partnering with Cloudflare to suspend domains and accounts. But the damage is done. Millions of devices still phone home to whoever picks up the pieces.
Telecom companies, IT providers, and gambling platforms topped the target list in Q4 2025. Geographically, China, Hong Kong, and Germany led the pack, with the U.S. and U.K. not far behind. As for where these attacks originate, Bangladesh just overtook Indonesia for the top spot. Ecuador, Argentina, and Vietnam round out the top sources—essentially anywhere cheap, unsecured IoT devices ship en masse.
If your organization is still relying on on-premises DDoS mitigation appliances or on-demand scrubbing centers, Cloudflare has a polite but pointed suggestion: reconsider. When attacks measure in terabits and arrive in seconds, traditional defenses don't scale.
For the rest of us, this is yet another reminder that the $30 streaming box might cost a lot more than you think. Check what's on your network. Update what you can. And maybe consider that boring-but-trustworthy Roku after all.