In 2023, less than half of all internet traffic came from actual humans. Roughly 42.6% was generated by malicious bots, automated scripts designed to mimic human behavior and carry out attacks, while 17.6% came from helpful bots like search engine crawlers.
This marks a significant turning point in how the internet is used. A decade ago, human activity made up 57% of all web traffic. So, what changed?
The rise of botnets: networks of internet-connected devices infected with malware and controlled by attackers without their owners’ knowledge.
Botnet attacks are becoming increasingly common and increasingly sophisticated. So, how can you spot them? And more importantly, how can you protect yourself?
In this article, we’ll break down how botnets in cybersecurity work, what they’re capable of, and what steps you can take to stay safe.
What is a botnet?
A botnet is a network of interconnected devices secretly infected with malware, from laptops and smartphones to IoT gadgets like smart TVs and routers. Hackers infect thousands, sometimes millions, of these devices and turn them into “bots” under their remote control.
Once assembled, this swarm can launch coordinated, large-scale attacks. These include crashing websites through distributed denial-of-service (DDoS) attacks, stealing personal or financial data, spreading malware across networks, and even spying on individuals through compromised webcams or microphones.
Botnets are especially dangerous because they often operate in the background, unnoticed by the device owner. Since the infected devices are geographically dispersed and operate under legitimate IP addresses, detecting and neutralizing them is both complex and time-consuming.
A botnet attack occurs when the hacker controlling the botnet issues commands to the infected devices, using them as a unified force to execute a cyberattack.
These attacks vary in intent and impact, but they typically involve overwhelming a target system, stealing sensitive information, or hijacking digital infrastructure for financial or strategic gain. Automated bot attacks are also used to disrupt or abuse client-facing assets such as websites, apps, and APIs.
What are the different types of botnets?
Botnets come in different forms depending on their architecture, communication model, purpose, and targeted platforms. Understanding these types helps security teams anticipate attacker behavior and tailor their defenses accordingly. Below are the most common types of botnets used in real-world attacks.
1. Centralized Botnets
A centralized botnet uses a single command-and-control (C&C) server to issue commands to all infected devices.
- How it works: The bots (infected devices) connect to a central server to receive instructions, such as launching DDoS attacks or stealing data.
- Examples: Zeus, SpyEye
- Pros: Easy to manage, fast command delivery
- Cons: Vulnerable to takedown or sinkholing once the C&C server or its domain is identified; every bot then loses its controller at once
2. Peer-to-Peer (P2P) Botnets
P2P botnets eliminate the need for a central server. Instead, each bot can act as both a client and a server.
- How it works: Bots communicate directly with each other to share updates and commands, forming a decentralized network.
- Examples: Storm, Sality
- Pros: Resilient, difficult to take down due to distributed architecture
- Cons: Harder to control and update; more complex to develop
3. Automated Botnets
These botnets self-propagate: each infected device scans for further vulnerable systems and infects them without operator intervention.
- How it works: The bot scans the internet for exposed services and takes them over with known exploits or default credentials (Mirai, for example, brute-forced telnet logins on IoT devices using a short list of factory passwords), then installs a copy of itself on each new victim.
- Examples: Mirai, Qbot
- Pros: Rapid spread, minimal manual effort
- Cons: High volume of network activity can trigger detection tools
4. Mobile Botnets
Designed to infect smartphones and tablets, these botnets often target SMS, credentials, or two-factor authentication codes.
- How it works: Delivered via malicious apps, phishing links, or sideloaded software
- Examples: FluBot, Hydra, TeaBot
- Pros: Access to sensitive user data like banking details and SMS-delivered one-time codes, which lets the operator defeat SMS-based two-factor authentication
- Cons: Mobile OS updates and app store restrictions limit effectiveness
5. Click Fraud Botnets
These botnets simulate clicks on ads to generate fraudulent revenue.
- How it works: Bots visit web pages and mimic real user behavior to interact with ads.
- Examples: Methbot, 3ve
- Pros: Generates large-scale ad revenue without raising suspicion
- Cons: Increasingly flagged by anti-fraud systems and anomaly detection tools
6. Proxy Botnets
These botnets turn infected devices into proxies that can be rented or used to anonymize malicious activity.
- How it works: Bots relay traffic for attackers, hiding the original IP address
- Examples: Socks5Systemz, ProxyLife
- Pros: Helps evade attribution, supports layered attacks
- Cons: Shared infrastructure can slow down performance and raise red flags
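The "cons" entry under the self-propagating (Mirai-style) botnets above is the defender's opportunity: a bot looking for new victims touches far more distinct hosts on telnet ports than any legitimate client ever does. The following is an added example, not code from the original article or from any Group-IB product, that flags that fan-out from flow records. The flow records, their (timestamp, src, dst, dport) layout, and the window and threshold values are constructed assumptions for the demo, not a real export format.

```python
"""Horizontal-scan detection for self-propagating bots (added example).

A Mirai-style bot finds new victims by probing many addresses on a few
ports (23/2323 for telnet). Per source, this counts distinct destinations
on those ports inside a sliding window; a camera or workstation that touches
dozens of hosts on port 23 in a minute is scanning, whatever it is.
The flow records and their (timestamp, src, dst, dport) layout are
constructed for the demo and are an assumption, not a real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the example treats as propagation targets (telnet and its alternate).
SCAN_PORTS = {23, 2323}


def build_sample_flows():
    """Constructed flows: 192.0.2.50 sweeps 60 hosts on 23/2323 in one minute;
    192.0.2.10 is an ordinary client with a single legitimate telnet session."""
    t0 = datetime(2024, 5, 1, 12, 0, 0)
    flows = []
    for i in range(60):
        port = 23 if i % 2 == 0 else 2323
        flows.append((t0 + timedelta(seconds=i), "192.0.2.50",
                      f"203.0.113.{i + 1}", port))
    for i in range(6):
        flows.append((t0 + timedelta(seconds=10 * i), "192.0.2.10",
                      "198.51.100.8", 443))
    flows.append((t0 + timedelta(seconds=30), "192.0.2.10", "198.51.100.9", 23))
    return flows


def find_scanners(flows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: (distinct_targets, ports)} for every source whose distinct
    destinations on SCAN_PORTS reach min_targets within any `window`.

    The count is of distinct destination hosts, not flows, so a bot that
    retries one host many times is not inflated into a scan, and a bot that
    touches each host exactly once is not hidden by low per-host volume.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst, dport))

    scanners = {}
    for src, recs in per_src.items():
        recs.sort()  # the sliding window needs time order
        for i, (start, _, _) in enumerate(recs):
            in_win = [(d, p) for t, d, p in recs[i:] if t - start <= window]
            targets = {d for d, _ in in_win}
            if len(targets) >= min_targets:
                scanners[src] = (len(targets), sorted({p for _, p in in_win}))
                break
    return scanners


if __name__ == "__main__":
    for src, (n, ports) in find_scanners(build_sample_flows()).items():
        print(f"{src}: {n} distinct hosts on ports {ports} within 60 s")
```

Tune `min_targets` to the environment: a vulnerability scanner or a monitoring host will legitimately trip this rule and belongs on an allowlist, while anything else on the IoT segment that hits twenty telnet ports in a minute deserves to be isolated first and examined second.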
The evolving nature of bot attacks
A commonly cited progenitor of the malicious programs that make up modern botnets was first observed in 1999: an IRC-based (Internet Relay Chat) Remote Access Trojan named “SubSeven” or “Sub7”.
Sub7 is a classical client-server RAT targeting Windows 9x and NT. Botnets became an attractive tool for malicious actors after an incident in 2000: Khan C. Smith of Tennessee generated roughly $3 million in profit from 1.25 billion spam and phishing emails, which gave him access to credit card numbers and passwords stolen from EarthLink users.
EarthLink later won a $25 million judgment against him. The incident demonstrated to other malicious actors how much money can be made by controlling large numbers of infected devices, commonly called zombies.
In 2007, the internet was hit by “Storm,” widely described as the first large-scale peer-to-peer botnet. It could conduct DDoS attacks and send malspam, but instead of taking orders from a single command-and-control server, its bots located one another and fetched commands over a P2P protocol, which is what made it so hard to take down. The “Cutwail” botnet also appeared in 2007, and at one point it was responsible for nearly half the world’s spam.
Nowadays, botnet operators have found new ways to monetize their assets and are often observed providing access to other malicious actors to install ransomware, information stealers, and malware.
They act as the initial access stage for more destructive campaigns. For instance, Group-IB observed the Emotet botnet being used to distribute IcedID, TrickBot, Gootkit and AZORult, as well as ransomware such as UmbreCrypt and BitPaymer, findings uncovered through our Threat Intelligence investigations.
How can a botnet invade your network security?
Botnets work by installing malware on a device, which lets the attacker control it remotely and enrol it in the botnet. The malware can arrive through phishing, exploitation of vulnerable software, physical access to the device, malvertising, and other routes.
Once a device is part of a botnet, it is known as a “bot” and can be put to a variety of tasks. In the centralized model, the attacker controls the botnet through a command-and-control (C&C) server.
The bots poll (“beacon” to) the C&C server at intervals to fetch instructions and report back on their activities, and the attacker uses the server to issue commands, such as starting a DDoS attack or stealing data from a specific target. That periodic check-in is one of the few things a bot cannot avoid doing, which is why outbound connection logs are a good place to look for infected hosts.
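The check-in behaviour described above is detectable from timing alone. The following is an added example, not code from the original article or from any Group-IB product: it groups outbound connections by (source, destination) pair and flags pairs whose inter-connection gaps are too regular to be a person. The log lines, their "timestamp src dst:port" layout, and the `min_connections` and `max_cv` thresholds are constructed assumptions for the demo, not a real proxy or firewall format.

```python
"""Beacon detection over outbound connection logs (added example).

A bot polling its C&C server produces the same (src, dst) pair at nearly
regular intervals. For each pair this computes the gaps between consecutive
connections and their coefficient of variation (stdev / mean): human-driven
traffic is bursty (high CV), a timer-driven poll is not (low CV), even with
a few seconds of jitter. The log lines and their "timestamp src dst:port"
layout are constructed for the demo and are an assumption, not a real
proxy or firewall format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in with 203.0.113.7:443 every ~60 s
# (+/- 4 s jitter); 10.0.0.9 talks to a web server at irregular intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:00:30 10.0.0.9 198.51.100.20:443
2024-05-01T10:01:01 10.0.0.5 203.0.113.7:443
2024-05-01T10:01:59 10.0.0.5 203.0.113.7:443
2024-05-01T10:02:10 10.0.0.9 198.51.100.20:443
2024-05-01T10:03:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:03:05 10.0.0.9 198.51.100.20:443
2024-05-01T10:04:02 10.0.0.5 203.0.113.7:443
2024-05-01T10:04:58 10.0.0.5 203.0.113.7:443
2024-05-01T10:05:00 10.0.0.9 198.51.100.20:443
2024-05-01T10:06:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:06:40 10.0.0.9 198.51.100.20:443
2024-05-01T10:06:45 10.0.0.9 198.51.100.20:443
2024-05-01T10:06:50 10.0.0.9 198.51.100.20:443
2024-05-01T10:07:01 10.0.0.5 203.0.113.7:443
2024-05-01T10:07:59 10.0.0.5 203.0.113.7:443
2024-05-01T10:09:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:12:00 10.0.0.9 198.51.100.20:443
"""


def parse_connections(log_text):
    """Group connection timestamps by (src, dst) pair."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(log_text, min_connections=8, max_cv=0.15):
    """Return [(src, dst, mean_gap_seconds, cv)] for pairs with regular timing.

    min_connections guards against calling three coincidental hits a beacon;
    max_cv is the regularity bar (0 = perfect metronome). Sleep jitter of a
    few percent, as real bots add, stays well under 0.15; browsing does not.
    """
    hits = []
    for (src, dst), times in parse_connections(log_text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every {avg}s (cv={cv})")
```

Two caveats a practitioner will hit: long sleep intervals (hours) need a correspondingly long log retention window before `min_connections` is reached, and legitimate software updaters and telemetry agents beacon too, so the output is a triage list to compare against destination reputation, not a verdict.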
What are the types of bot attacks?
Some of the items below are attacks a botnet carries out; others (phishing, vulnerable software, malvertising) are the infection vectors through which a botnet grows. Both matter to defenders, because the second set is how your own devices end up taking part in the first.
1. Phishing attacks
One of the most frequent methods for expanding botnets is phishing attacks, wherein the attacker sends emails with malicious links or attachments. If the recipient clicks on the link or downloads the attachment, their device may become infected with malware and be added to the botnet.
2. Brute-force
A botnet attack using brute force occurs when a group of compromised computers repeatedly guesses users’ credentials (usernames and passwords) for a target system, or replays credentials leaked from other breaches (credential stuffing). Because the guesses are spread across thousands of source IP addresses, each address stays well below the per-IP lockout or rate-limit thresholds that would stop a single attacker. The goal is to gain unauthorized access to the target system and potentially spread malware or steal sensitive data.
3. Loyalty fraud
Loyalty fraud exploits loyalty program systems (redeemable credits) by a botnet. A botnet can automate the creation of multiple fake accounts, earn rewards, and then sell the illegally obtained rewards on underground forums.
4. DoI and scalping attacks
Denial of Inventory (DoI) and scalping attacks are tactics in which bots exhaust a retailer’s inventory, either by holding items in carts so that real customers cannot buy them or by purchasing limited stock in bulk to resell at higher prices.
5. Web scraping
Bots automatically extract data from websites, which can degrade application performance. The scraping process generates large numbers of requests to the target site, overloading its servers, slowing response times and degrading the experience for real users; the extracted content may also be copied, repriced or resold.
6. Vulnerable software
When software is not promptly updated, attackers exploit known vulnerabilities to install malware silently. Once compromised, the device joins the botnet and adds to its collective attack power; this is an infection vector rather than an attack in itself.
7. Malvertising
Malvertising refers to the use of online advertising to spread malware. If you visit a website that serves malicious ads, your device may become infected with malware and then be added to a botnet.
8. Spamming
A botnet can send large volumes of spam emails, often for phishing attacks or promoting fraudulent products or services.
9. Cryptocurrency mining
Attackers use infected devices’ processing power to mine cryptocurrency by solving complex computational problems. This enables attackers to earn cryptocurrency as a mining reward without the owner’s knowledge.
10. Ransomware attacks
Botnets can deliver ransomware directly to the target system. Once activated, the ransomware encrypts a victim’s files and demands payment for the decryption key.
Examples of Botnet Attacks
Throughout history, numerous high-profile examples of botnet attacks have highlighted the dangers posed by these networks.
1. Operation Dragon Eye
Group‑IB’s Operation Dragon Eye targeted a DDoS botnet known as Dragon, which launched relentless attacks on major industrial and financial organizations between 2011 and 2012.
We traced infected devices to analyze malware samples and monitor the botnet’s command-and-control infrastructure, and we identified the 24‑year‑old organizer from Sayansk.
This enabled local law enforcement to quickly apprehend and prosecute the threat actor, sending a powerful message to the cybercriminal underworld and halting one of the largest DDoS botnet operations in the region.
2. Cron
In the Cron investigation, we uncovered a highly organized botnet specialized in financial fraud and data theft. The botnet employed advanced evasion techniques to hide its command-and-control channels and conduct widespread phishing campaigns.
Through detailed digital forensics and infrastructure mapping, Group‑IB identified key components and links within the criminal network, allowing law enforcement to disrupt its operations.
The investigation highlighted the botnet’s role in facilitating identity theft and unauthorized transactions, emphasizing the critical need for real‑time threat intelligence.
3. Tiptop
The Tiptop investigation exposed a botnet campaign focused on covert phishing and data exfiltration. Our experts meticulously tracked the botnet’s infection vectors and command-and-control structure, revealing its method of compromising targeted organizations to harvest sensitive information.
Correlating digital evidence and dismantling its infrastructure helped Group-IB neutralize Tiptop’s operations and highlighted the growing threat of stealthy botnets that operate under the radar.
4. Carberp Gang
Group‑IB’s investigation into the Carberp Gang revealed the operations of a sophisticated cybercrime syndicate that used the Carberp banking Trojan to steal financial credentials and execute large‑scale fraud.
Group-IB used comprehensive forensic analysis and threat intelligence to map the gang’s command-and-control networks and identify the key players.
Our findings disrupted the gang’s activities and supported law enforcement in dismantling the network. This curtailed the financial damage and reinforced the message that organized cybercrime will be relentlessly pursued.
How Cybercriminals Monetize Botnets
The financial incentives behind botnet operations are a driving force for cybercriminals. Here are several ways in which these malicious networks generate revenue:
1. Ransom and Extortion
Criminals can launch a botnet attack to hold networks hostage, demanding ransom payments in exchange for stopping the attack.
2. Data Theft and Sale
Botnets equipped with botnet spyware are often used to steal sensitive information, which is then sold on the dark web to the highest bidder.
3. Ad Fraud
Ad fraud is one of the promising methods for botnet attackers to make money. Through click fraud and ad manipulation, botnets generate income by artificially inflating online advertisement metrics.
4. Cryptocurrency Mining
Some botnets covertly mine cryptocurrencies using the compromised computing power of devices, earning revenue without the user’s knowledge.
How botnets are sold and managed on the dark web
The dark web provides a hidden marketplace where cybercriminals can buy, sell, and lease access to botnets. Here’s how the process works:
Botnet-as-a-Service (BaaS)
In the Botnet-as-a-Service model, criminals offer access to their networks for a fee. This makes it easier for non-technical criminals to launch botnet attacks using rented infrastructure.
Subscription Models
Some dark web vendors operate subscriptions, offering continuous access to updated botnet malware and management tools. This model ensures that the botnet remains resilient and up-to-date against countermeasures.
Anonymous Transactions
Using cryptocurrencies and anonymizing technologies, transactions on the dark web are hard to trace, though not untraceable: most cryptocurrency ledgers are public and are analysed routinely by investigators. The perceived anonymity is enough, however, to encourage the proliferation of botnet spyware and other cybercriminal tools.
Understanding how botnets are traded on the dark web provides businesses with a deeper insight into the evolving threat landscape and helps them develop more effective countermeasures.
How to protect your business against botnet attacks?
Here are a few basic but essential steps to protect against botnets:
- Keep your software and operating system updated: install the latest security updates and patches so that botnet malware cannot use known vulnerabilities to get in.
- Change default credentials and isolate IoT devices: routers, cameras and other smart devices shipped with factory passwords are the preferred targets of self-propagating botnets, so change the credentials, disable remote management you do not need (telnet, exposed admin panels), and put such devices on their own network segment.
- Use a firewall and antivirus software: a firewall can block malicious traffic and prevent unauthorized access to your device, while antivirus software can detect and remove malware.
- Monitor outbound traffic: a bot has to reach its command-and-control infrastructure, so alerts on connections to known C&C domains and IP addresses, on periodic beaconing, and on internal hosts scanning the network catch infections that got past prevention.
- Be cautious before clicking or downloading: be vigilant with links and attachments from unknown sources, as these may carry the malware that enrols a device in a botnet.
- Use strong passwords: use strong, unique passwords for your accounts and devices, and enable multi-factor authentication (MFA) as an additional layer of protection.
- Use a VPN with realistic expectations: a virtual private network (VPN) encrypts your connection and hides your IP address from the sites you visit, which protects you on untrusted networks, but it does not stop malware from infecting a device or a bot from reaching its controller through the tunnel. Choose a reputable provider and treat it as a privacy measure, not as botnet protection.
The consequences of automated bot attacks are dire. Therefore, organizations need to enable an effective bot detection and mitigation solution for strengthened security. Breaking the limitations of traditional anti-fraud solutions, the Group-IB Fraud Protection platform stops malicious activity even before the attack is executed.
Learn how Fraud Protection, the most complete anti-fraud solution in the market, guards 130 million users daily. Also, from an ROI standpoint, see how it offers unmatched bot protection for businesses through easy deployment, continued seamless operability, precise reporting, and takedown of the bad bot traffic on your website.
