Inside the Botnet Economy: Building, Selling, and Using Compromised Devices for Cyberfraud at Scale

Botnets have become a core part of the infrastructure in today’s cybercrime ecosystem — not just as enablers of disruption, but as purpose-built networks engineered for profit, stealth, and scalability. Built from large networks of compromised devices and rented out via criminal marketplaces, botnets are now essential as-a-service components of any cyberfraudster’s toolkit.
While the concept of a botnet is not new, their construction, use cases, and value have certainly advanced. With damaging trends like ransomware and cyberfraud on the rise, security teams (particularly in high-target sectors like retail) must understand the mechanisms and motivations behind modern botnet creation to effectively respond to automated threats.
What exactly is a botnet?
At its core, a botnet is a network of compromised devices controlled remotely by a botmaster or bot herder – in other words, a criminal orchestrator.
Botnet creators use purpose-built malware to infect a range of devices, including anything from servers, laptops, and phones, to routers, smart TVs, and the whole gamut of Internet of Things (IoT) hardware like thermostats, cameras, and water meters. Once infected, these devices, known as ‘zombies’, operate as nodes in a network, executing tasks or relaying traffic for the attacker without the owner’s knowledge.
Some botnet builders deploy infrastructure in data centers. This might be for additional nodes but is more likely to be command and control (C&C) infrastructure. Bot masters typically use data centers in geographies with lax cybersecurity laws to evade detection. However, once security solutions associate a data center with malicious behavior, it becomes difficult for attackers to continue using it undetected.
Command and control servers are the machines used to control the botnet. Communication between C&C servers and bots or zombies can be either centralized or decentralized, depending on the botnet’s architecture; a centralized approach is riskier for the operator, because taking out all the C&C servers will shut down the botnet.
In the simplest cases, the infected device will act as a traffic relay node or proxy, lending its IP address to the botnet as a distribution point. This serves two purposes: spreading the attack over a wider distribution surface, and making it difficult to identify the origin of the attack.
Residential proxies are sought after by fraudsters
IP addresses belonging to residential ISP networks (known as residential proxies), such as a compromised home broadband router, are highly sought after and can be rented out as a premium service because some of the traffic coming from that origin is legitimate, making it harder to detect malicious intent. While the device will still be used by its owner for typical consumer activity such as browsing and shopping, it’s hosting an unseen, malicious tenant.
Residential proxies are more challenging for anti-bot solutions to deal with aggressively because enterprise brands are reluctant to introduce too much friction to visitors from these IP addresses for fear of blocking a potential customer. Sophisticated solutions will look for other attack signals within the traffic from residential IP addresses.
Attack types and the limits of device capability
Where the infected device can provide more compute resources, botnet malware might use that device to perform more sophisticated operations in the background, such as mining for crypto, or becoming a distribution point for phishing, spamming, or cyberfraud activities.
Ultimately, the capabilities of a botnet are limited by the resources available to the malware used to take control of the device, the bot attack software itself, as well as the inherent capabilities of the device.
Depending on the proposed use cases for a botnet, it may make more sense for an adversary to build a network of 100,000 infected webcams than 1,000 infected laptops. The former is more useful when wider distribution is required, the latter when more compute is needed.
When an organized cyberfraud group decides on their criminal purpose and identifies the brands or companies they will target, they become reliant on a standard set of attack vectors that must be supported by the tools they use. If their intention is to perform Account Takeover (ATO), scalping, or credit card enumeration, for example, the botnet infrastructure they rent or buy needs to support these attacks.
Buying and renting botnets
The dark web forums and Telegram channels used to buy and sell botnet access have a broad range of capabilities on offer as foundational infrastructure, or ‘off the shelf’ packages. The bot developer community (known as the botting community) provides additional, even bespoke, attack capabilities that can leverage those distribution networks.
Bear in mind that devices may also be compromised by multiple parties. After all, if one adversary found an exploitable vulnerability in a device, it’s likely the same vulnerability will be discovered by someone else. This is especially common in IoT devices, which are notorious for poor or non-existent security. So, the same device could provide different capabilities depending on which botnet operator is used. But frequent malicious activity is also more likely to land the compromised device on a watchlist or blocklist.
The pricing of botnets varies wildly: from a few dollars to several thousand dollars for source code you can use to build your own, through to tens of dollars to thousands of dollars per month to rent a ready-made botnet. You can even rent them by the hour.
It’s difficult to say how many botnets there are in active use, but our research shows there are tens of botnets available to rent at any one time and likely hundreds, potentially thousands in operation.
There are freebies to be had, but leaked botnet source code is largely seen as an unsophisticated offering due to the high likelihood anti-bot solutions providers have already added the information into their defensive and detection systems.
For the more entrepreneurial adversary, it’s possible to hire a botter to write bespoke bot or botnet code. Again, pricing varies wildly depending on the skills of the botter and the desired use case for the botnet.
Botnet use cases
Some typical botnet attack types or use cases include:
- Infrastructure obfuscation via proxyware
Proxyware is seen as a kind of voluntary recruitment to a botnet. Bandwidth sharing apps claim to rent out some portion of a user’s bandwidth in exchange for cash or credits – known as passive earning. But many of the tenants on these services have been found to have malicious intent and, at the very least, could damage the host’s digital reputation.
The capabilities of a botnet depend on its scale and the type of devices it comprises. Increasingly, cyberfraudsters are prioritizing botnets that include residential IP addresses, which are harder to detect and block due to the nature of the traffic being sometimes legitimate and sometimes malicious. This is because adversaries using botnets to commit fraud want to stay under the radar for as long as possible and hide their activities among large volumes of legitimate visitor traffic.
More aggressive types of botnet activity, such as DDoS, are very noisy and obvious in nature and there is little need for discretion.
Examples of well-known botnets
In May 2025, well-known cybersecurity evangelist Brian Krebs reported his blog website, KrebsOnSecurity, had been hit with “a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second”.
The attack appears to have been a test run for a massive new IoT botnet known as Aisuru.
For reference, the 6.3Tbps Aisuru attack was ten times the size of an assault launched against the same site in 2016 by the infamous Mirai IoT botnet, which took KrebsOnSecurity offline for four days.
The Aisuru botnet is made up of a globally dispersed collection of compromised IoT devices, including routers, digital video recorders and other systems that were commandeered via default passwords or software vulnerabilities.
Aisuru is understood to be rented out in subscription tiers ranging from $150 per day to $600 per week, and Krebs says that a notice posted on Telegram in August 2024 advises users “may not attack any measurement walls, healthcare facilities, schools or government sites.”
While some botnets, like Aisuru and Mirai, are more focused on DDoS, others are more specifically suited to fraud.
The 911 S5 botnet, apparently dismantled in May 2024 by the FBI, was a network of residential Windows computers worldwide associated with more than 19 million unique IP addresses used to enable “cyber-attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations”.
The 911 S5 operators propagated the botnet by packaging malware with other program files, including pirated versions of software.
The US government claims that pandemic-related fraudulent unemployment insurance claims originating from compromised IP addresses linked to this botnet resulted in losses exceeding $5.9bn.
Furthermore, the 911 S5 client enabled cyberfraudsters located outside of the US to purchase goods with stolen credit cards and illegally export them outside of the country. Threat actors specifically used stolen credit cards to target the Army and Air Force Exchange Service (AAFES) ecommerce platform to submit approximately 2,525 fraudulent orders valued at $5.5m.
Why are botnets built?
The motivation behind building botnets is clear: anonymity, automation, and commercialization of criminal activities. In some cases, cybercriminals are not just using these networks for their own operations; they are selling or leasing access to other actors, turning millions of compromised devices into high-value digital infrastructure. This follows a trend of cyberfraud-as-a-service where even a non-technical wannabe crime lord can put together an automated fraud process with little more than an idea and a few hundred dollars in upfront capital.
The malware supply chain
Building a botnet today often starts with acquiring or creating malware specifically designed to infect devices at scale. This malware is engineered to remain undetected, avoid performance disruption, and persist on the device for as long as possible.
IoT devices are particularly vulnerable, with many shipped with default usernames and passwords or no security at all, making them easy targets for attackers. Even the most innocuous devices like pet cams and home security systems, while limited in processing power, can still serve as viable nodes within a larger botnet.
Once established, attackers can either use the botnet themselves or sell access to it, often segmenting it for different uses. One botnet may simultaneously power a credential stuffing attack against a retailer, a scraping operation targeting pricing data, and act as a proxy network for another group’s refund fraud scheme.
Cybersecurity teams must be prepared
Somewhat counterintuitively, there is an argument that it’s better to have more, smaller botnets than fewer large ones. Because botnet operators are competing for the same finite pool of devices, they are effectively splintering the total number of potential nodes into smaller botnets that are more manageable from a defense perspective. Furthermore, devices compromised by multiple botnets also tend to draw more attention to themselves, which impacts their reputation.
Still, it’s undeniable that the sophistication and scale of modern botnets should not be underestimated and present serious challenges for defenders. Traditional IP-based blocking strategies are insufficient when malicious traffic originates from residential addresses also used by legitimate customers.
For these sophisticated threats, anti-bot security solutions must be able to detect malicious intent and behavior patterns in real time, rather than relying solely on static indicators like IP reputation.
Why understanding cyberfraud bots is vital
In a mature cybercriminal ecosystem, botnets are a strategic asset in a sophisticated fraud toolkit. Their commercialization, adaptability, and stealth make them a top concern for security and fraud managers across industries, especially in retail, where attackers exploit the very logic used by business processes to extract value at scale.
Netacea’s threat researchers have observed firsthand how quickly the botnet economy is evolving and recommends a layered, defense-in-depth approach to bot protection.
Threat intelligence can help you model your threat universe and understand the Tactics, Techniques, and Processes (TTPs) favored by your adversaries. Threat feeds, such as Netacea’s Threat Intel Feed, serve as a real-time map of confirmed botnets providing reputational data on IPs, while specialist bot protection solutions are tasked with real-time detection and mitigation of sophisticated and dynamically evolving attacks.
Depending on the attacks your brand is facing, a threat feed of confirmed malicious IPs could be imported into your WAF as a blocklist at the network edge, catching known botnet threats as a front-line, zero-latency defense.
For highly sophisticated automated attacks, a threat feed could also be ingested into your SIEM, XDR, or a wide variety of risk engine systems for further analysis. Examples include authentication and access engines, to help protect accounts, and payment fraud engines, where the feed acts as a risk factor on transactions: triggering MFA during a suspected ATO (Account Takeover), or blocking a transaction from a known malicious IP.
We’ve even seen situations where Netacea’s Threat Intel Feed list of malicious IPs has been used to identify compromised devices within a customer’s own network, where assets are revealed as part of a known botnet.
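The three ingestion points described above (edge blocklist, risk factor in authentication and payment engines, and spotting your own hosts talking to listed addresses) can be wired together in a small triage routine. The following is an added illustration, not Netacea code or its feed format; the feed rows, labels, control-point names and IP addresses are all constructed for the example, and a listed residential proxy is challenged rather than hard-blocked, reflecting the caution around residential IPs discussed earlier.

```python
import ipaddress

# Constructed sample feed rows (network, label). A real feed export would be
# loaded from a file or API; the CIDRs below are documentation ranges only.
THREAT_FEED_ROWS = [
    ("203.0.113.0/24", "botnet-proxy"),
    ("198.51.100.7", "botnet-c2"),
    ("192.0.2.44", "residential-proxy"),
]


def load_feed(rows):
    """Parse feed rows into ip_network objects once so per-event lookups are cheap."""
    return [(ipaddress.ip_network(cidr, strict=False), label) for cidr, label in rows]


def lookup(feed, ip):
    """Return the feed label covering ip, or None when the address is not listed."""
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in feed if addr in net), None)


def decide(feed, event):
    """Map one event to an action at the control point that observed it.

    event keys: "point" is one of "waf", "login", "payment", "egress";
    "src_ip" is the client address; "egress" events carry "dst_ip" instead.
    """
    point = event["point"]
    if point == "egress":
        # An internal asset connecting to a listed address may itself be a bot node.
        return "investigate-host" if lookup(feed, event["dst_ip"]) else "allow"
    label = lookup(feed, event["src_ip"])
    if label is None:
        return "allow"
    if label == "residential-proxy":
        # Residential proxies also carry real customers: step up, never hard-block.
        return {"waf": "allow", "login": "mfa", "payment": "review"}[point]
    # Confirmed botnet infrastructure: block at the edge, step up logins,
    # decline payments as the page's risk-engine integration describes.
    return {"waf": "block", "login": "mfa", "payment": "decline"}[point]


def triage(feed, events):
    """Return (event, action) pairs for every event that is not simply allowed."""
    results = [(e, decide(feed, e)) for e in events]
    return [(e, a) for e, a in results if a != "allow"]


FEED = load_feed(THREAT_FEED_ROWS)
```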
Cybersecurity and fraud teams need to recognize that today’s botnets are an increasingly flexible infrastructure. Like any infrastructure however, they can be understood, mapped, and mitigated, but only if you know what you’re looking for.

