
Could Your Device Be Part of a Botnet Without You Knowing?

Shireen Stephenson, published December 12, 2025
Key takeaways: Botnet attacks
  • At any given time, millions of everyday devices are part of invisible botnet armies their owners know nothing about. 
  • Bots can steal your info, automate credential stuffing, scrape information off your site, harvest your data from social media platforms, and use your device for crypto mining. 
  • Botnets don’t form by accident. Attackers create them by infecting your device with malware that, once executed, connects to a C2 server. From there, your device reports for duty in an army that never sleeps. 
  • Router settings that change on their own, security tools that switch off, and 3AM surges in network traffic. Maybe it’s nothing...or the first hint your devices have already joined a botnet army. 
  • There are several ways to fight back: Enforcing MFA, deploying bot detection & mitigation, hardening routers. But LastPass SaaS Monitoring & Protect takes it to the next level, flagging threats 24/7 even when you sleep.

Could your device be part of a botnet without you knowing? 

The answer is yes. 

Most people think joining a botnet takes action, but BADBOX 2.0 proved otherwise. 

In June, the FBI confirmed that BADBOX 2.0 - the largest botnet of infected CTV devices ever uncovered - had compromised 1 million+ off-brand Android devices and infotainment systems in 222 countries. 

And in October, the Mirai-based botnet ShadowV2 hijacked millions of IoT devices across 28 countries.  

BADBOX 2.0 proved you don’t have to do anything to be owned: It shipped with pre-installed backdoors, quietly enrolling devices the moment they were powered on. 

At any given time, millions of devices worldwide are part of botnets. In the last 24 hours alone, 1,625,000+ active bots were detected by SPAMHAUS Technology.  

Certainly, our fascination with botnets as digital boogeymen hasn’t gone unnoticed by Hollywood. 

In the 2008 movie Eagle Eye, a rogue supercomputer named ARIIA (voiced by Julianne Moore) tries to enact regime change. Its chosen weapon for insurrection? A botnet army made up of anything with a computer chip: traffic lights, cell phones, automated cranes, surveillance systems. 

While the movie reminds us that advanced systems need humans for ethical context, there’s one reality we can’t ignore: Real botnets unleashing chaos in everyday life. 

What is a botnet, and what can it really do? 

Think of a botnet like a zombie army. But instead of shuffling corpses, you have a bot network – short for robot network – a collection of digitally-connected devices that’s remotely controlled by an attacker (or bot herder) who issues commands through a command-and-control (C2) server. 

In movies, zombies generally aren’t self-aware, unless they’re “Alpha” or intelligent zombies from Army of the Dead. 

Likewise, in a bot network, each infected device is a bot or zombie following C2 orders, often without their owners knowing they’re part of a hostile digital army. 

Here are seven (7) things bots can do: 

  1. Automate credential stuffing in account takeover (ATO) attacks to break into your accounts 
  2. Scrape prices on your site faster than you can react, leaving you exposed to ruthless competitors who use the info to undercut you 
  3. Bombard your site with an avalanche of clicks that drain your PPC (pay-per-click) funds and deliver zero real sales 
  4. Harvest your personal information from social media platforms and conduct retweet storms to spread malicious links, shady crypto deals, deepfake content, or disinformation 
  5. Exploit your machine’s processing power and internet bandwidth to mine millions of dollars worth of cryptocurrency - like in 2018, when the Smominru miner botnet forced over half a million computers to mine $3.6 million of Monero for its owners 
  6. Snatch up in-demand or limited inventory items like collectibles, gaming consoles, concert tickets, or sneakers before you can buy them – only to sell them for inflated prices on secondary platforms 
  7. Conduct massive DDoS attacks to cripple networks across the world - like the massive botnet of 1.33 million devices that hit an online betting platform with a 2.5-hour DDoS attack  

Bot-enabled DDoS attacks have surged 110% since 2024 and in 2026, the landscape will be even worse. 

In December, Cloudflare announced that it has so far disrupted “2,867 Aisuru [botnet] attacks since the beginning of the year, almost 45% of them being hyper-volumetric - attacks that exceed 1 Tbps or 1 billion packets per second (BPPS).” 

Cloudflare warned that Aisuru DDoS attacks can be so devastating that they cripple even ISPs that aren’t directly targeted: 

"If Aisuru’s attack traffic can disrupt parts of the US Internet infrastructure when said ISPs were not even the target of the attack, imagine what it can do when it’s directly aimed at unprotected or insufficiently protected ISPs, critical infrastructure, healthcare services, emergency services, and military systems."

And if you’re a business, every successful ATO attempt that results in a data breach leads to regulatory penalties, compensation claims, legal costs, and reputational damage. 

The risk is so high – and the effects so devastating – that ignoring it could cost you dearly. 

This brings us to an important question. 

Can bots actually steal your info? 

Absolutely, and in ways most people never see coming. 

Your financial data 

Bots can steal your credit card information through a carding attack, where they make small purchases to validate whether your card is active. 

Once they confirm your card works, attackers use it to make high-value purchases or buy gift cards that can convert quickly to cash. 

And that’s not all. These bots can initiate tens of thousands of transaction attempts at once.   

If you’re a business, every successful attempt that’s disputed by the legitimate card holder – who notices the unauthorized charge - results in a chargeback. 

The true cost of a chargeback, however, can be prohibitive if you’re an SMB or a low-margin business.  

According to Mastercard, each disputed transaction costs $9.08 to $10.32 to process. Multiply that by about 261 million chargebacks generated in 2025, and you’re talking trillions of dollars in lost revenue for businesses. 

That’s not the end of the story, however. 

Bots can also scrape your site for pricing information and inventory data to sell to competitors, giving them an unfair advantage while damaging your brand. 

But credit cards are just the beginning. 

Your login credentials and sensitive data 

Once your device is part of a botnet, the C2 may issue a command to run a keylogger that records every keystroke you make. This means attackers can capture your banking passwords, email credentials, social media logins, and chat history.  

The C2 can also issue a command to run: 

  • Rootkits to maintain persistent access 
  • Spyware to exfiltrate your most sensitive data 

Your session cookies 

Botnets can also steal cookies from your authenticated sessions. Does this mean they can bypass MFA, because they aren’t signing in as you? The unfortunate answer is, yes.  

The botnet is essentially hijacking a session where you’re already signed in. 

So, is MFA obsolete? 

Far from it – but the type of MFA matters (here’s why it’s time to rethink text-based MFA). 

But first, let’s talk about Device Bound Session Credentials (DBSC). 

DBSC cryptographically binds session cookies to your device’s hardware (such as a Trusted Platform Module). This makes your stolen cookies useless elsewhere.  

But there’s a catch. DBSC alone isn’t phishing resistant, and it can’t stop credential-based attacks. 

However, when you combine DBSC with FIDO2 MFA like passkeys, that’s when the magic happens. 

Passkeys secure the login, while DBSC (now available in open beta on Chrome) secures the session. Together, they make it exponentially harder for botnets to hijack your logins and sessions. 
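To make the session-binding idea concrete, here is an added example in Go. It is not code from this post, from LastPass, or from the DBSC specification; it models the core of what DBSC does. At login the browser registers a public key, and from then on the server only honours the cookie together with a fresh signature from the matching private key. Assumptions: the in-memory Ed25519 key stands in for the TPM-held key, the `Server`, `Device` and `Scenario` names are invented for this example, and the challenge/response below is a simplified sketch rather than Chrome’s actual refresh-endpoint protocol.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server keeps, per issued session cookie, the public half of the device
// key registered at login and the one-time challenge currently outstanding.
type Server struct {
	sessions   map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{sessions: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Login runs after the user has authenticated (password plus FIDO2 MFA,
// out of scope here): the browser registers its device public key and
// receives a cookie bound to it.
func (s *Server) Login(devicePub ed25519.PublicKey) string {
	raw := make([]byte, 16)
	rand.Read(raw)
	cookie := hex.EncodeToString(raw)
	s.sessions[cookie] = devicePub
	return cookie
}

// Challenge hands out a fresh nonce the device must sign before the
// cookie is honoured again.
func (s *Server) Challenge(cookie string) ([]byte, error) {
	if _, ok := s.sessions[cookie]; !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	s.challenges[cookie] = nonce
	return nonce, nil
}

// signingInput ties the proof to this cookie and this nonce, so a
// signature captured for one session cannot be reused for another.
func signingInput(cookie string, nonce []byte) []byte {
	return append([]byte("dbsc-example-v0:"+cookie+":"), nonce...)
}

// Authorize accepts the cookie only with a valid, unused proof that the
// caller holds the registered device key.
func (s *Server) Authorize(cookie string, nonce, sig []byte) error {
	pub, ok := s.sessions[cookie]
	if !ok {
		return errors.New("unknown session")
	}
	expected, ok := s.challenges[cookie]
	if !ok || !bytes.Equal(expected, nonce) {
		return errors.New("stale or replayed challenge")
	}
	delete(s.challenges, cookie) // single use: a captured proof cannot be replayed
	if !ed25519.Verify(pub, signingInput(cookie, nonce), sig) {
		return errors.New("proof of possession failed: wrong device key")
	}
	return nil
}

// Device stands in for the browser plus its hardware-held key. In real
// DBSC the private key lives in the TPM and cannot be exported; here it is
// an in-memory Ed25519 key so the example can run anywhere (assumption).
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}
}

func (d *Device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

func (d *Device) Prove(cookie string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signingInput(cookie, nonce))
}

// Scenario plays three attempts against one session: the real device, an
// attacker holding the exfiltrated cookie but not the key, and a replay.
func Scenario() (legit, stolen, replay error) {
	srv := NewServer()
	victim := NewDevice()
	cookie := srv.Login(victim.Public())

	nonce, _ := srv.Challenge(cookie)
	proof := victim.Prove(cookie, nonce)
	legit = srv.Authorize(cookie, nonce, proof)

	attacker := NewDevice() // has the cookie value, not the TPM-held key
	nonce2, _ := srv.Challenge(cookie)
	stolen = srv.Authorize(cookie, nonce2, attacker.Prove(cookie, nonce2))

	replay = srv.Authorize(cookie, nonce, proof) // that nonce was already consumed
	return
}

func main() {
	legit, stolen, replay := Scenario()
	fmt.Println("real device:   ", legit)
	fmt.Println("stolen cookie: ", stolen)
	fmt.Println("replayed proof:", replay)
}
```

Run it and the three outcomes print: the real device passes, the attacker holding only the cookie fails the signature check, and the replay fails because each nonce is honoured once. Note what this does not cover: a phished login still produces a legitimately bound session, which is why the post pairs DBSC with passkeys.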

How do attackers create botnets? 

Creating a botnet is now surprisingly simple, which is why they’ve exploded in number.  

In a nutshell, attackers create botnets by infecting your device with malware that, once executed, connects back to a C2 server that remotely controls your device. To infect your device, they use several avenues such as: 

  • Phishing emails: Did you click on that free game download or pop-up telling you to “update your software”? They could be delivery vehicles for malware that infects your device and connects it to a botnet army. 
  • Misconfigured databases: Is your MongoDB publicly searchable? This allows attackers to break in and grab stored credentials or admin logins. With the stolen creds, they can scan your network for vulnerable IoT devices, inject botnet payloads, and link all infected devices to their C2 server. 
  • Brute-force attacks: If you’re still using “password123” or “admin” for your router or security cameras, you’re at risk. Attackers are leveraging AI to deploy password spraying at scale, trying common passwords across millions of devices simultaneously to avoid lockouts. If one works, they’re in. 
  • Exploitation of vulnerabilities: If your devices run outdated software and you don’t update regularly, attackers will exploit any flaws to slip malware onto your device. 
  • Drive-by downloads: According to CIS, the top malware for Q3 2025 was the SocGholish JavaScript loader. Here’s how it works: If you’re redirected to a scam site and see a browser or software update prompt – for Chrome, Flash, or Microsoft Teams – don’t click. Just one click will install the SocGholish JavaScript file. And if you run the file after it downloads, your device will connect to the attacker’s C2 server. 

Remember: With botnet malware, one infected device can scan for other vulnerable devices in the network and spread the infection.  

This means your laptop can infect your phone and then a succession of devices such as your baby cam, smart speakers, smart TV, and security system. Once infected, all your devices will “phone home” to the bot herder’s C2 server and await instructions. 

And here’s something most people don’t realize: Many attackers aren’t even building their own botnets. Instead, they’re using Botnet-as-a-Service (BaaS) to get a massive ROI. 

For example, Gafgyt malware generally spreads through poorly secured IoT devices, which are then used as part of a botnet to launch DDoS attacks. 

And some Gafgyt variant packages are selling on social media platforms for $8-$150. This means even low-skilled actors can operate their own botnets. 

Now, this brings us to an important question. 

How do I detect a botnet attack on my network? 

Here’s what makes bot attacks particularly difficult to detect: AI-powered bots can use residential proxies or IP addresses to hide their digital footprint.  

But all is not lost. Apps crash and devices overheat for many reasons, but it’s time to take a closer look when you see these red flags. 

For your home network 

  • Is your internet unusually slow? If Netflix suddenly buffers constantly and video calls are lagging even though you have a fast internet subscription, there could be several explanations for it. Maybe your ISP is experiencing issues, or someone at home is streaming 4K video. Although some consumer forums say lagging internet may be a bot using your connection as a proxy, it’s worth noting that slow internet alone isn’t a reliable indicator. 

However, if it occurs alongside the following red flags, it’s worth looking into. Just remember: You can have zero symptoms and still be part of a botnet. 

  • Is your device behaving strangely? For example, is your security camera moving on its own or is your laptop fan running hot, even when you aren’t using it? Have you spotted new devices you don’t recognize on your Wi-Fi? 
  • Have your router settings changed without you touching them? For example, you see modified DNS settings or port forwarding settings. Or perhaps, your firewall has been disabled. 
  • You’re completely locked out of all accounts. Botnets often steal passwords. If you’re suddenly locked out of your email, banking, and social media accounts - and you’re certain you’re using the right passwords - your device may be compromised. 

If you see these things happening regularly, don’t ignore them. Change your Wi-Fi password (use the LastPass generator to create one that’s compliant with NIST’s current guidance). 

Also, consider running an antivirus and doing a factory reset to wipe your device. Do the same for your router if unfamiliar devices keep reconnecting. If the above warning signs occur on more than one device, it may be time to consult with a trusted security professional.  

For your business network 

For an enterprise network, bot threats fall into two categories: (1) network-layer bots that overtax bandwidth and (2) application-layer bots that target web applications. 

Your IT team likely already tracks common indicators like network lag, periodic unavailability of resources, and unusual traffic spikes: 

  • Your POS (point-of-sale) system or website is down. Transactions take longer than usual, and your system freezes or reboots frequently.  
  • Employees can’t access critical tools or services. For example, your team is suddenly locked out of all SaaS apps or services. 
  • Network traffic spikes at odd hours. If you see security tools disabled and huge data transfers at 3AM when no one’s in the office, you know this is a high-severity red flag.  
  • Your security cameras frequently go offline without explanation. Cameras that disconnect frequently or have unexplained footage gaps are cause for concern. 

Retail security systems are prime targets for botnet activity. In March 2025, more than 86K IoT devices – especially security cameras – were exploited by Eleven11bot for DDoS attacks, and it appears we haven’t seen the last of such botnet campaigns. 


The diagnostic challenge is that any of the above could stem from other causes (such as network issues).  

For example, unexpected traffic spikes during odd hours could be benign (cloud syncs, updates) and disrupted access to SaaS could be due to misconfigured SAML data, DNS failures, or load balancers blocking SAML traffic. 

And if security tools are disabled, this could mean someone has gained admin-level access, allowing them to change settings and disable protections. Could it be an insider threat? 

Despite the challenges, the right tools and methods can help with bot detection.  

Network-layer bots

According to CSO Online, effective detection requires analyzing traffic patterns against your baseline. For network-layer bots, you’ll want to track: 

  • Unusual port activity: Sustained outbound traffic through port 6667 (IRC, often used for bot command-and-control), unexpected port 25 activity (email or spam relay), or port 1080 usage (SOCKS proxy servers) 
  • Traffic volume deviations: Outbound traffic significantly exceeding baseline levels 
  • Connection patterns: Unusual number of connections to outbound IP addresses 
  • Protocol anomalies: Traffic saturation attacks such as SYN floods or UDP floods 
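As an added example (not code from this post, from CSO Online or from any vendor), here is a small Go program that runs the network-layer checks above, plus the 3AM traffic-spike signal from the business-network list, over a constructed set of outbound flow records and compares them against per-host baselines. The host addresses, baselines and the SMTP allowlist are invented for the example; the thresholds (5x hourly volume, 2x distinct destinations, any off-hours volume above the hourly baseline) are starting points to tune against your own baseline, not figures from the post.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Flow is one outbound connection record, as a firewall or NetFlow export would give it.
type Flow struct {
	At         time.Time
	Src, Dst   string
	Dport      int
	Bytes      int64
}

// Baseline is "normal" for one internal host, learned from quiet periods.
type Baseline struct {
	BytesPerHour int64 // typical outbound volume per hour
	Peers        int   // typical number of distinct destinations
}

// Finding is one anomaly that deserves a human look.
type Finding struct{ Host, Rule, Detail string }

// sampleFlows is constructed for this example, not real telemetry: a workstation
// browsing, the mail server relaying, a workstation that should never speak SMTP,
// and a camera talking IRC and pushing data out at 3AM.
const sampleFlows = `
2025-12-10T14:02:11Z,10.0.0.12,203.0.113.5,443,18000
2025-12-10T14:30:02Z,10.0.0.5,203.0.113.20,25,5000
2025-12-10T15:10:00Z,10.0.0.31,198.51.100.40,25,2000
2025-12-10T15:10:05Z,10.0.0.31,198.51.100.41,25,2100
2025-12-11T03:01:00Z,10.0.0.23,198.51.100.7,6667,800
2025-12-11T03:01:30Z,10.0.0.23,192.0.2.10,80,40000000
2025-12-11T03:02:00Z,10.0.0.23,192.0.2.11,80,40000000
2025-12-11T03:02:30Z,10.0.0.23,192.0.2.12,80,40000000
`

// sampleBaselines are constructed too (a camera normally talks to one cloud endpoint and moves ~1 MB/h).
var sampleBaselines = map[string]Baseline{
	"10.0.0.12": {BytesPerHour: 5_000_000, Peers: 20},
	"10.0.0.5":  {BytesPerHour: 50_000_000, Peers: 200},
	"10.0.0.31": {BytesPerHour: 5_000_000, Peers: 20},
	"10.0.0.23": {BytesPerHour: 1_000_000, Peers: 1},
}

// Ports the post singles out, and the hosts allowed to use them (only the mail server may originate SMTP).
var watchPorts = map[int]string{6667: "IRC, often bot C2", 25: "SMTP, spam relay", 1080: "SOCKS proxy"}
var portAllow = map[string]map[int]bool{"10.0.0.5": {25: true}}

// ParseFlows reads "timestamp,src,dst,dport,bytes" lines.
func ParseFlows(raw string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: want 5 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		port, err1 := strconv.Atoi(f[3])
		size, err2 := strconv.ParseInt(f[4], 10, 64)
		if err != nil || err1 != nil || err2 != nil {
			return nil, fmt.Errorf("line %d: bad timestamp, port or byte count", n+1)
		}
		flows = append(flows, Flow{At: at, Src: f[1], Dst: f[2], Dport: port, Bytes: size})
	}
	return flows, nil
}

// Analyze applies four rules: watch-listed ports, hourly volume far above baseline,
// too many distinct destinations, and any volume during 00:00-06:00 UTC above the hourly baseline.
func Analyze(flows []Flow, base map[string]Baseline) []Finding {
	var out []Finding
	seenPort := map[string]bool{}         // "host|port" already reported
	hourBytes := map[string]int64{}       // "host|hour" -> bytes out
	peers := map[string]map[string]bool{} // host -> distinct destinations
	offHours := map[string]int64{}        // host -> bytes out between 00:00 and 06:00 UTC
	for _, f := range flows {
		if label, hot := watchPorts[f.Dport]; hot && !portAllow[f.Src][f.Dport] {
			if key := f.Src + "|" + strconv.Itoa(f.Dport); !seenPort[key] { // one finding per host and port
				seenPort[key] = true
				out = append(out, Finding{f.Src, "watchlist-port", fmt.Sprintf("to %s:%d (%s)", f.Dst, f.Dport, label)})
			}
		}
		hourBytes[f.Src+"|"+f.At.UTC().Truncate(time.Hour).Format(time.RFC3339)] += f.Bytes
		if peers[f.Src] == nil {
			peers[f.Src] = map[string]bool{}
		}
		peers[f.Src][f.Dst] = true
		if f.At.UTC().Hour() < 6 {
			offHours[f.Src] += f.Bytes
		}
	}
	for key, b := range hourBytes {
		if host, hour, _ := strings.Cut(key, "|"); b > 5*base[host].BytesPerHour && base[host].BytesPerHour > 0 {
			out = append(out, Finding{host, "volume", fmt.Sprintf("%d bytes out in hour %s vs %d/h baseline", b, hour, base[host].BytesPerHour)})
		}
	}
	for host, set := range peers {
		if bl, ok := base[host]; ok && len(set) > 2*bl.Peers {
			out = append(out, Finding{host, "peers", fmt.Sprintf("%d distinct destinations vs %d baseline", len(set), bl.Peers)})
		}
	}
	for host, b := range offHours {
		if bl, ok := base[host]; ok && b > bl.BytesPerHour {
			out = append(out, Finding{host, "off-hours", fmt.Sprintf("%d bytes out between 00:00 and 06:00 UTC", b)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host+out[i].Rule < out[j].Host+out[j].Rule })
	return out
}

func main() {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		panic(err)
	}
	for _, f := range Analyze(flows, sampleBaselines) {
		fmt.Printf("%-10s %-15s %s\n", f.Host, f.Rule, f.Detail)
	}
}
```

On the constructed data the camera trips all four rules and the SMTP-relaying workstation trips one, while the mail server stays quiet because it is on the allowlist. Tuning matters more than the rules: a backup job at 3AM or a new SaaS rollout will trip the volume and peers rules, which is the false-positive problem the post describes, so baselines should be re-learned from quiet periods and the SMTP allowlist kept to the hosts that genuinely send mail.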

Want some initial clarity? Check out the GreyNoise Labs free tool called GreyNoise IP Check, which lets you see if your IP address is part of a botnet. 

GreyNoise classifies home networks as one of four categories: benign, malicious, suspicious, or unknown.  

Meanwhile, business networks fall under GreyNoise’s RIOT dataset and get classified as Trust Levels: 

  • Trust Level 1 (trustworthy, controlled by the company or service provider) or 
  • Trust Level 2 (somewhat trustworthy, less directly controlled by the company or service provider). 

Application-layer bots

Meanwhile, application-layer bots can be detected with bot mitigation and SaaS Monitoring services. 

  • If your business operates a customer-facing application, e-commerce platform, or digital service, bots may target your website and APIs to scrape data, hoard inventory (scalper bots), and execute credential stuffing & account takeover attacks.  

Detection requires specialized bot mitigation services like HUMAN Security or Cloudflare Bot Management (more on this below). 

  • If your business relies on SaaS apps like GitHub, Salesforce, or Microsoft 365, bots can exploit stolen credentials to move laterally, spread malware through insecure file sharing, or exfiltrate sensitive data. With LastPass SaaS Monitoring, you get complete visibility into your internal SaaS ecosystem (more on this below). 

How do I prevent botnet attacks? 

You can prevent botnet attacks in seven (7) ways: 

#1 Change every default password immediately 

This means your router, security cameras, and smart appliances.  

Every single one comes with default, factory passwords that attackers already know. You can easily create strong passwords that comply with the newest NIST guidelines with the LastPass generator.  

#2 Store your passwords and sensitive documents in your LastPass vault 

Let’s face it: It’s impossible to remember 50+ passwords.  

Perhaps your solution is to reuse old passwords, jot them on Post-it notes, or share them via text. However, this creates the exact vulnerabilities botnets exploit.  

Think about what you’re protecting: 

  • Sensitive documents like your SSN card, passport, driver’s license, or insurance cards 
  • Proprietary business documents 
  • Client contracts and confidential agreements 

A single breach could lead to identity theft, which cost consumers an eye-watering $43 billion in 2023.  

And if you’re running a business, the average cost of a data breach is now $10.22 million. 

With LastPass, you get military-grade AES-256 for your most sensitive secrets. This is the same encryption trusted by the NSA, federal agencies, and U.S. military. Here’s why: Unlike RSA or ECC, AES-256 remains quantum-resistant. 

Now, here’s something most people don’t realize: Having strong encryption for passwords isn’t enough. 

There’s another piece of information you must protect: the URLs of login pages linked to your passwords.  

Think about what these URLs reveal: 

  • yourbank.com/login -> This means a payday for attackers if they can sign in with your login credentials. 
  • datingapp.com/profile -> If attackers know your relationship status, they can customize phishing scams to entrap you. 
  • payroll.com/employee -> If attackers can log into your payroll portal, they can redirect your paychecks to accounts they control. 
  • highnetworthinvestment.com/client -> With this, attackers can estimate your wealth and target you with investment scams. 
  • therapyportal.com/patient -> Healthcare or therapy service credentials are a goldmine for identity theft, extortion, or medical fraud. Think fraudulent claims for prescriptions you never ordered, where attackers bill your insurance while selling the drugs. 

Fortunately, LastPass encrypts all URLs tied to your login credentials. This means attackers have absolutely no idea where you bank, work, or shop.  

URL encryption is a pivotal upgrade in our ongoing security transformation, born from our abiding commitment to your privacy and security. 

And with smart autofill, your credentials will only be entered on legitimate sites, which means you get an extra layer of protection against phishing scams.  

Our commitment to a seamless experience you can trust hasn’t gone unnoticed by the industry. In 2025, LastPass was recognized as: 

And for winter 2026, G2 has recognized LastPass as the #1 password manager with 70 badges across seven (7) categories. 

#3 Secure your router 

Your router is the gateway to every device in your network, so you’ll want to protect it. Your best bet is enabling WPA3-Personal (home networks) or WPA3-Enterprise (business networks). 

But what’s WPA3? In a nutshell, it’s the newest Wi-Fi security protocol providing stronger authentication and encryption for wireless networks. 

While WPA3 isn’t a silver bullet, it does replace WPA2’s older Pre-Shared Key (PSK) with the newer SAE (Simultaneous Authentication of Equals). PSK uses a single shared key for both authentication and encryption, while WPA3 creates fresh, unique keys for every session. 

WPA3 essentially blocks: 

  • Downgrade attacks 

#4 Enable FIDO2 MFA wherever possible 

Even if attackers steal your passwords, they can’t access your data without that second, phishing-resistant authentication factor. With passkeys or hardware security keys, you can block botnet infections, even if your credentials are compromised. 

#5 Verify and monitor SaaS app logins with LastPass SaaS Monitoring & SaaS Protect 

With 30,000+ SaaS providers powering the workflows of 14 billion users worldwide, SaaS sits at the core of digital transformation. And that makes it a prime target for credential stuffing, account takeover (ATO) attacks, and botnet-driven exploits. 

Think about what your business runs on: 

  • Microsoft Teams or Slack for internal communications 
  • Zoom for meetings 
  • GitHub for code repositories 
  • Microsoft 365 for email 
  • Salesforce or HubSpot for customer management 

For your business, SaaS security is critical. In 2025, 88% of attacks on web applications involved stolen credentials. 

With LastPass SaaS Monitoring + SaaS Protect, you get real-time enforcement of security policies. This means you can block high-risk apps and guide user behavior through customizable messages, thereby reducing the chances of bot infiltration. 

As the #1 G2 password manager for Winter 2026, LastPass provides full visibility into your organization’s SaaS app use.  

Best of all, our premier Business Max experience integrates password management, SSO, MFA, and SaaS Monitoring/Protect into ONE platform.  

This comprehensive approach ensures credential & authentication security as well as SaaS visibility, reducing the risk of bot-related unauthorized access.  

Today, you can unlock all of these features for free with a Business Max trial (no credit card required). 

Don’t have a business? Get effortless security for daily living with a free Premium trial (no credit card required).  

#6 Deploy bot detection & mitigation 

Here’s where things get serious. In 2025, you can no longer rely on CAPTCHAs or rate limiting, especially when it comes to application-layer bots.  

This is where platforms like HUMAN Security come in. In 2024 and 2025, it was ranked the #1 vendor in all G2 Grids for Bot Detection and Mitigation.  

HUMAN verifies 20 trillion digital interactions weekly and in March of this year, it launched HUMAN Sightline, an innovative suite of capabilities that track individual bot profiles. 

The Sightline Threat Tracker shows you which bots are active, what products or sites they’re targeting, and what their objectives are. You can see: 

  • Distinct bot activities and attack paths 
  • How each bot tries to evade detection 
  • Exactly what distinguishes them from legitimate traffic 
  • Sophistication levels and capabilities of each bot profile 

#7 Deploy network traffic and behavior monitoring tools 

Protection doesn’t stop at bot detection. You need eyes on everything that happens across your network.  

That’s where tools like SolarWinds Security Event Manager (SEM) become essential. SEM provides real-time situational awareness and advanced botnet detection. The system watches for: 

  • Communications between devices and C2 servers 
  • Repeated failed logins across multiple accounts 
  • Abnormal data transfers indicating data exfiltration 
  • Sudden spikes in network traffic from IoT devices 

Essentially, SolarWinds SEM is a SIEM solution that can ingest logs from firewalls, apps, identity platforms, routers, servers, and IDS/IPS tools. 

You can also configure SEM to automatically block suspicious IPs and deactivate infected devices. 

That said, the above isn’t an exhaustive list of every security tool or technique you’ll ever need to fight back against botnets. Every network has unique requirements. 

So, due diligence is critical.  

What works perfectly for a 50-employee agency may not be adequate for a healthcare provider with HIPAA obligations. And what’s overkill for a solo entrepreneur may be baseline protection for an e-commerce firm processing thousands of transactions daily.  

The key principle is this: Putting appropriate solutions in place – with expert guidance – is your best path forward.  

Sources 

SPAMHAUS Technology live threat map for bots

Eagle Eye: A technological thriller

Botnet takes advantage of AWS outage to smack 28 countries

Botnets, DDoS, and TDoS

Human Security: What is a bot | 5 common bot attacks

The Thales Group: 2025 Bad Bot Report

Cyber Defense Magazine: Retail budgets at risk. Price scraping and fraudulent bot attacks are on the rise

SecureMyOrg: How do hackers create botnets?

CybelAngel: IoT botnets and databases

Malware Patrol: Command and control servers

ESET: How to check if your router has been hacked – and what to do about it

StrongDM: 35+ alarming data breach statistics for 2025

MIMECAST: Tools and techniques for detection, prevention, and removal

Tencent Cloud: How to remove botnet trojans

Radware: Best anti-botnet software (top 5 solutions in 2025)

Prophaze: Top 10 bot mitigation tools for 2025


FAQs: Botnet attacks

Your computer may be part of a botnet if you see some or all these signs: 

  • Frequent crashes 
  • Unusual network traffic to unfamiliar IPs 
  • High CPU or GPU usage despite normal activity levels 
  • Unexplained changes to router settings 
  • Locked out of all business or SaaS accounts 
  • Network traffic spikes at odd hours 
  • POS system and website experiencing sustained disruptions 

Remember: Many of the above red flags could stem from other reasons than botnet activity. After ruling out the most common explanations, consulting with a qualified security professional can provide peace of mind. 

Removing botnet malware requires several steps: 

  • First, disconnect the infected device from the internet to block C2 communications. 
  • Run full scans with a reputable anti-virus. 
  • Terminate suspicious processes in Task Manager. 
  • Ensure your OS, browsers, and all software are updated to the latest versions. 
  • Change all your passwords (email, social media, banking) from a clean device. 
  • Factory reset IoT devices (a prime target of bots) and change all default passwords. 
  • Restore from clean backups if the malware caused extensive damage. 

  • Qrator Labs offers DDoS and bad bots incident statistics. 
  • ShadowDragon offers OSINT (open-source intelligence) tools to monitor and document bot activity across open and Dark Web sources.  

Botnets can power DDoS attacks, cryptojacking, data theft via keyloggers, mass credential stuffing, and RDP (remote desktop protocol) attacks. 

In October 2025, a large-scale botnet of more than 100,000 IP addresses targeted RDP services in the United States.  

According to the security intelligence firm GreyNoise, the traffic spike began in Brazil and later included countries like Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador. 

Picking the right botnet detection tool means zeroing in on features that matter, such as real-time detection & response, forensic bot analysis, integrated bot & DDoS protection, and threat intelligence.  

To mitigate application-layer bots, these leading solutions pack the above capabilities into intuitive platforms: 

  • Imperva Advanced Bot Protection 
  • Cloudflare Bot Management 
  • Radware Bot Manager 
  • F5 Bot Management 