Vol. 1 · Ed. 2026
CyberGlossary
Entry № 137

Botnet

Reviewed by Cybersecurity entrepreneur & security researcher

What is a botnet?

Botnet: A network of internet-connected devices infected with malware and remotely controlled by an attacker to perform coordinated activities.


A botnet is a collection of compromised endpoints — PCs, servers, routers, IoT devices — that connect back to one or more command-and-control (C2) servers and execute orders from the botnet operator (the "botmaster"). Botnets are used for DDoS attacks, spam, credential stuffing, click fraud, cryptocurrency mining, malware distribution, and as proxy networks for further intrusions. They may use centralized C2, peer-to-peer or fast-flux DNS to resist takedown.

Scale is the defining trait. The Mirai botnet (2016) recruited hundreds of thousands of IoT cameras and routers using a list of default credentials, then aimed roughly 1 Tbps of traffic at DNS provider Dyn, knocking Twitter, Reddit and Spotify offline. The "911 S5" residential-proxy botnet — dismantled by the FBI and international partners in May 2024 with the arrest of administrator YunHe Wang — had infected nearly 19 million IP addresses across almost 200 countries, renting victim devices out to fraudsters and causing billions in losses. Banking botnets such as Emotet and Qakbot were similarly disrupted through coordinated law-enforcement sinkholing operations.

flowchart TD
  M[Malware infection<br/>default creds / exploit / phishing] --> B1[Bot 1]
  M --> B2[Bot 2]
  M --> B3[Bot N]
  B1 --> C[C2 server / P2P / fast-flux]
  B2 --> C
  B3 --> C
  C --> O[Botmaster issues commands]
  O --> A[DDoS / spam / proxy / mining]

Defences include endpoint hygiene, IoT firmware updates, blocking known C2, sinkholing, egress filtering, network anomaly detection, and law-enforcement-led disruptions.
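As an added example (not part of the original entry), the sketch below shows one form of the network anomaly detection mentioned above: flagging internal hosts whose outbound connections to a single destination are spaced at near-constant intervals, as a bot's C2 check-ins often are. The flow records, addresses and thresholds are constructed for illustration and are assumptions, not standards.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress flow records: (epoch_seconds, internal_src, external_dst).
# 10.0.0.23 calls 203.0.113.50 every ~60 s (bot-like check-in); 10.0.0.7 browses irregularly.
SAMPLE_FLOWS = [
    (t, "10.0.0.23", "203.0.113.50") for t in (0, 60, 121, 180, 241, 300, 359, 420)
] + [
    (t, "10.0.0.7", "198.51.100.9") for t in (5, 9, 140, 150, 410, 415, 900, 2000)
] + [
    (t, "10.0.0.7", "203.0.113.50") for t in (30, 500)  # too few events to judge
]


def find_beacons(flows, min_events=6, max_cv=0.1, min_period=10.0):
    """Return (src, dst, mean_interval, cv) for pairs with near-constant spacing.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; automated check-ins have a low cv, human-driven
    traffic does not. Thresholds are illustrative assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # not enough samples for a stable estimate
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue  # bursts within one session, not periodic callbacks
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon {src} -> {dst} every ~{period}s (cv={cv})")
```

Legitimate software such as update checkers and monitoring agents also connects on a fixed schedule, so hits should be checked against an allowlist and destination reputation before escalation.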

Examples

  1. Mirai, an IoT botnet behind the 2016 Dyn DDoS that disrupted major internet services.

  2. Emotet's distribution network, dismantled by Europol in 2021.

Frequently asked questions

What is a botnet?

A network of internet-connected devices infected with malware and remotely controlled by an attacker to perform coordinated activities. It belongs to the Malware category of cybersecurity.

What does "botnet" mean?

A network of internet-connected devices infected with malware and remotely controlled by an attacker to perform coordinated activities.

How do you defend against botnets?

Defences against botnets typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for a botnet?

Common alternative names include: Bot network, Zombie network.
