What Is a Botnet? How Zombie Networks Power Cyberattacks

A botnet is a network of internet-connected devices that have been infected with malware and are secretly controlled by a cybercriminal to conduct coordinated attacks. This article explains how botnets are built, how they are used to launch large-scale cyberattacks, and how to protect devices from being recruited into one.

The InfoNexus Editorial Team · May 8, 2026 · 6 min read

What Is a Botnet?

A botnet—a portmanteau of "robot network"—is a collection of internet-connected devices that have been infected with malware and placed under the control of a malicious actor. Individual infected devices are often called bots or zombies, and the person controlling them is called a bot herder or botmaster. The infected machines typically continue to function normally from their owners' perspective, with no obvious signs that they have been conscripted into criminal service.

Botnets are the infrastructure underlying some of the most significant cyberattacks in history. They power distributed denial-of-service (DDoS) attacks that knock websites offline, send billions of spam emails per day, facilitate credential-stuffing attacks against financial institutions, mine cryptocurrency on victims' electricity bills, and distribute ransomware and other malware to new victims. The scale can be staggering: the Mirai botnet at its 2016 peak comprised over 600,000 IoT devices and generated a 620 Gbps DDoS attack—at the time one of the largest ever recorded.

Any internet-connected device can potentially be recruited into a botnet: desktop computers, laptops, smartphones, routers, smart TVs, IP cameras, internet-of-things devices, and even industrial control systems. The proliferation of poorly secured IoT devices in recent years has given bot herders an enormous pool of potential recruits.

How Botnets Are Built

Building a botnet requires infecting a large number of devices with malware that connects each device to a command-and-control infrastructure. This process unfolds in several stages.

Stage 1: Infection and Recruitment

Bot herders recruit devices through a variety of infection vectors:

  • Phishing campaigns: Mass emails containing malicious attachments or links that install bot malware when clicked.
  • Drive-by downloads: Compromised websites that silently install malware when a visitor's unpatched browser loads the page.
  • Exploit kits: Automated toolkits that scan visitors' browsers for vulnerabilities and deploy the appropriate exploit.
  • Credential attacks: Automated attempts to log into devices using default or commonly used passwords—especially effective against routers and IoT devices that many users never reconfigure.
  • Social engineering: Tricking users into downloading fake software, game cheats, or pirated content that contains embedded bot malware.
  • Worm propagation: Self-replicating malware that scans for and infects vulnerable systems autonomously, dramatically accelerating botnet growth. Mirai operated this way, scanning the internet for IoT devices with default credentials.

Stage 2: Command and Control (C2)

Once infected, each bot establishes a communication channel with a command-and-control (C2) server—the infrastructure through which the bot herder issues instructions. C2 architectures have evolved over time to become more resilient and harder to disrupt:

  • Centralized C2: All bots communicate with a single server. Simple to manage but fragile—taking down the server disables the entire botnet. Early botnets typically used Internet Relay Chat (IRC) as their C2 channel.
  • Multi-tier C2: A hierarchy of servers where primary bots relay commands to secondary bots, making takedown harder.
  • Peer-to-peer (P2P) C2: No central server—bots communicate directly with each other, making the network highly resilient. Taking down individual bots has little effect on the network's ability to function. P2P botnets like Gameover ZeuS were notoriously difficult to dismantle.
  • Domain generation algorithms (DGAs): The malware automatically generates a large number of domain names using a cryptographic algorithm. The bot herder registers only a few of these at a time, but the bot tries all of them. Law enforcement cannot register them all preemptively, and taking down known C2 domains merely sends bots to new ones.
  • Fast flux: Rapidly changing IP addresses associated with C2 domains, complicating blocking efforts.
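As an added illustration of the DGA pattern from the defender's side (this code is not from the article), the script below scores each queried name by how random its registrable label looks and flags clients that query several such names. The log lines, the scoring weights and the threshold are constructed assumptions for this example.

```python
import math
from collections import Counter

# Constructed DNS query log for this example (not from the article): "<client> <queried name>"
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 images.example-cdn.net
10.0.0.7 xk3f9qzpl2vwm7ah.net
10.0.0.7 q8zt1mvb4rjwplc0.com
10.0.0.7 hj2nv7xqw9krp4bz.org
10.0.0.9 cdn.static-assets.example.net
"""

VOWELS = set("aeiou")
MAX_ENTROPY = math.log2(36)  # upper bound for a label drawn from [a-z0-9]

def shannon_entropy(s: str) -> float:
    """Bits per character of s; DGA labels approach the maximum, dictionary words stay well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(fqdn: str) -> str:
    """Label left of the TLD. Assumes single-part TLDs; real code would consult a public-suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(fqdn: str) -> float:
    """Heuristic in roughly [0, 1]; weights are assumptions chosen for this example, not a published model."""
    label = registrable_label(fqdn)
    if not label:
        return 0.0
    entropy = shannon_entropy(label) / MAX_ENTROPY
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    length_factor = min(len(label) / 16, 1.0)  # short names earn little from vowel scarcity alone
    return 0.5 * entropy + 0.3 * (1 - vowel_ratio) * length_factor + 0.2 * digit_ratio

def flag_suspicious(log_text: str, threshold: float = 0.6) -> dict:
    """Map each client to the queried names scoring at or above threshold.
    One client querying a burst of such names is the DGA signature worth investigating."""
    hits = {}
    for line in log_text.splitlines():
        client, name = line.split(maxsplit=1)
        if dga_score(name) >= threshold:
            hits.setdefault(client, []).append(name)
    return hits
```

Entropy alone misfires on long legitimate labels, which is why the score also weighs vowel scarcity and digit density; tune the threshold against your own resolver logs before alerting on it.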

What Botnets Are Used For

Botnets are versatile criminal tools. A single botnet can be used for multiple purposes simultaneously, and bot herders frequently rent access to their networks to other criminals through a "botnet-as-a-service" model.

Distributed Denial of Service (DDoS) Attacks

The most well-known botnet use case is DDoS attacks, in which thousands or millions of bots flood a target server, website, or network with traffic—overwhelming it and preventing legitimate users from accessing it. DDoS attacks are used for extortion (pay or we'll keep attacking), competitive sabotage, political protest (hacktivism), and as a distraction during more sophisticated attacks. The scale achievable with a large botnet—hundreds of gigabits per second—can overwhelm even well-resourced targets.

Spam and Phishing

Botnets send the vast majority of the world's spam email. Distributing spam across thousands of bots makes it harder to filter, since each email comes from a different IP address. The spam may advertise fraudulent products, distribute malware attachments, or conduct phishing attacks to harvest credentials.

Credential Stuffing and Account Takeover

Bot herders use botnets to conduct credential stuffing attacks—automated testing of username-password combinations (purchased from data breaches) against login pages. Distributing these attempts across thousands of IP addresses evades rate limiting and IP blocking defenses. Successful logins are harvested for financial fraud, resale, or use in further attacks.

Cryptocurrency Mining

Cryptomining botnets (cryptojackers) conscript victims' computing resources to mine cryptocurrency for the bot herder. The victim bears the electricity cost and hardware wear while the attacker collects the profits. Cryptomining botnets may be deployed opportunistically on any vulnerable device—compromised web servers, corporate workstations, cloud instances, and IoT devices have all been targeted.

Click Fraud

Botnets generate fraudulent clicks on online advertisements, stealing revenue from advertising networks and advertisers. The bot herder may operate malicious websites enrolled in pay-per-click advertising programs and use their botnet to generate artificial clicks, collecting advertising revenue for traffic that never existed. This is a multibillion-dollar problem for the digital advertising industry.

Data Theft and Surveillance

Bot malware frequently includes information-stealing capabilities, harvesting banking credentials, email accounts, browsing history, stored passwords, cryptocurrency wallet data, and other sensitive information from infected machines. This data is either exploited directly or sold on criminal marketplaces.

Notable Botnets in History

Botnet              | Active Period                | Peak Size              | Primary Use
--------------------|------------------------------|------------------------|----------------------------------
Storm Worm          | 2007–2008                    | ~1–50 million          | Spam, DDoS
Conficker           | 2008–present (dormant)       | 9–15 million           | Spam, data theft
Zeus/Gameover ZeuS  | 2007–2014                    | 3.6 million            | Banking credential theft
Mirai               | 2016–present (variants)      | 600,000+ IoT devices   | DDoS
Emotet              | 2014–2021 (taken down)       | Millions               | Banking malware delivery, spam
TrickBot            | 2016–ongoing                 | Millions               | Banking fraud, ransomware delivery

Botnet Takedowns: Law Enforcement Efforts

Dismantling botnets requires coordination between law enforcement agencies, private cybersecurity firms, internet service providers, and domain registrars. Operations target the C2 infrastructure—seizing or sinkholing C2 servers redirects bot communications to law enforcement servers, effectively neutralizing the botnet while enabling identification of victims. Notable takedowns include:

  • Operation Tovar (2014): A global effort involving law enforcement from multiple countries and private sector partners took down Gameover ZeuS and Cryptolocker, disrupting infrastructure responsible for $100 million in banking fraud.
  • Emotet Takedown (2021): A coordinated operation by Europol, Eurojust, and authorities from eight countries seized Emotet's infrastructure. Investigators even pushed an update to infected machines to schedule their own disinfection.
  • TrickBot Disruption (2020): Microsoft, working with security partners, took legal and technical action to disable TrickBot's C2 servers in the weeks before the U.S. presidential election, concerned the botnet would be used to disrupt election infrastructure.

How to Protect Your Devices

Preventing your devices from being conscripted into a botnet requires attention to both hardware and software security:

  1. Keep all software and firmware updated. Most botnet infections exploit known, patched vulnerabilities. Prompt patching closes the majority of entry points.
  2. Change default credentials on all devices. Routers, IP cameras, smart doorbells, and other IoT devices often ship with easily guessable default usernames and passwords—a primary recruitment vector for Mirai-style botnets.
  3. Use strong, unique passwords and a password manager. Compromised credentials from one service should not give attackers access to others.
  4. Install reputable security software. Endpoint protection can detect and block bot malware before it establishes persistence.
  5. Monitor network traffic. Unexpected outbound connections to unfamiliar IP addresses or unusual spikes in upload traffic can indicate bot activity.
  6. Segment your network. Isolating IoT devices on a separate network prevents a compromised smart thermostat from serving as a pivot point into your primary devices.
  7. Be cautious with downloads and email attachments. Avoiding suspicious links and only downloading software from official sources eliminates a major infection vector.

Botnets represent cybercrime at scale—a global, automated criminal infrastructure operating across millions of unknowingly conscripted devices. Defending against them requires both individual vigilance and collective action: security researchers detecting new malware, ISPs monitoring for anomalous traffic, law enforcement pursuing bot herders across borders, and ordinary users maintaining secure, updated devices. Every device hardened against infection makes the internet marginally safer for everyone.
