Your home router, that security camera by your door, even your laptop sitting idle: any of these could secretly be part of a botnet right now. You'd likely never know.
A botnet is a network of hacked devices remotely controlled by criminals. Your device looks normal and works normally, but in the background it's sending spam, attacking websites, spreading malware, or helping hide other crimes. Most people become part of botnets through automated scans, not targeted attacks. The criminals cast a wide net and your device simply got caught.
For more on why indiscriminate, automated scanning pays off for attackers, see The Asymmetric Economics of Cybercrime.
How Criminals Actually Make Money
This isn't theoretical. Botnets are industrial-scale criminal operations with clear profit models:
Cryptocurrency Mining
Your device's processor runs at maximum capacity 24/7 mining Monero or another cryptocurrency that is still profitable to mine on ordinary CPUs (Bitcoin mining moved to specialized hardware long ago, so hijacked laptops and routers are not worth pointing at it). The criminals pocket every cent while you pay the electricity bill. Large mining botnets have enslaved hundreds of thousands of devices simultaneously. One documented operation infected over 500,000 devices and mined $3 million worth of Monero before being shut down. The criminals pay nothing for hardware, electricity, or infrastructure. You subsidize their entire operation.
Credential Theft and Account Takeover
Malware records everything you type: passwords, credit card numbers, bank logins, social security numbers. This data is immediately packaged and sold on criminal marketplaces. Fresh credentials sell for $1 to $50 per account depending on type and balance. Banking credentials with verified high balances command premium prices. Your entire digital identity becomes inventory in a criminal marketplace.
Ransomware Distribution
Your device becomes part of the delivery infrastructure for ransomware campaigns. Criminals use botnets to spread ransomware that encrypts victims' files and demands payment, typically $500 to $50,000 depending on the target. Hospitals have been forced to divert ambulances. Schools have lost years of records. Small businesses have been destroyed. Your hacked router or computer serves as a relay point, distribution hub, or command-and-control server.
DDoS-as-a-Service
Criminals rent out botnet capacity to anyone willing to pay. Customers specify a target, pay $10 to $500 depending on attack duration and intensity, and the botnet floods that target offline. Gaming companies, small businesses, news sites, even hospitals have been knocked offline by rented DDoS attacks. Some DDoS services operate like legitimate businesses with customer support, uptime guarantees, and user-friendly dashboards.
Spam and Phishing Infrastructure
Millions of phishing emails flow through compromised home connections. Your IP address becomes the sender, making it nearly impossible to trace back to the real criminals. Large spam botnets send billions of emails daily. Criminals earn money through affiliate marketing commissions, malware installations that pay per infection, direct fraud, or selling email lists. Your connection provides residential IP addresses, which spam filters treat far more leniently than data-center ranges.
Proxy Networks for Serious Crime
Your internet connection becomes a relay point hiding the true origin of fraud, identity theft, child exploitation, and other serious offenses. Law enforcement traces the activity to your address, not the criminal's. Botnet operators sell proxy access to other criminals at $1 to $5 per proxy per day. When investigations trace crimes back to your IP address, you face questioning and potential legal complications.
Ad Fraud Operations
Your device generates fake clicks on advertisements, fake video views, and fake engagement metrics. Advertisers pay for these interactions thinking they're reaching real people. The criminals pocket the advertising revenue. Ad fraud is a multi-billion-dollar criminal industry. Some operations generate millions of fake ad impressions daily. Criminals typically earn $0.001 to $0.10 per fake interaction, which adds up to substantial income when multiplied across massive botnets.
Extortion and Protection Rackets
Some botnets launch targeted DDoS attacks against businesses, followed by extortion demands: "Pay us $5,000 in Bitcoin or we'll knock your website offline for a week." The criminals demonstrate their capability with a short attack, then wait for payment. Many businesses pay rather than suffer prolonged downtime.
Why This Matters to You
You'll Notice the Effects
Internet slows down when nobody's using it. Devices run hot while supposedly idle. Laptop fans spin at full speed when nothing is open. Battery drains faster than normal. Electricity bills jump unexpectedly. One family discovered their router was part of a mining botnet costing them an extra $40 per month in electricity.
You Risk Real Consequences
ISPs send abuse warnings, throttle your connection, or suspend service entirely. Your IP address gets linked to cybercrime investigations and blacklisted. Online accounts get flagged, restricted, or permanently banned. Gaming accounts, social media, email, and financial accounts may be locked. Some people have had police show up asking questions about criminal activity traced to their address.
Your Device Helps Cause Real Harm
It might be participating in attacks that knock hospitals offline, enabling ransomware that shuts down schools, or helping serious criminals hide behind your connection. Your router might be the relay point that helps distribute ransomware that bankrupts a small business.
You Become a Financial Victim
If keyloggers capture your credentials, every account you access from that device is compromised. Bank accounts drained, credit cards maxed out with fraudulent charges, retirement accounts emptied, cryptocurrency wallets compromised. Identity theft can take months or years to fully resolve.
Your Privacy is Destroyed
Everything you type, every website you visit, every file you open can be monitored, recorded, and exfiltrated. Private messages, financial documents, personal photos, medical records, business secrets. Some malware activates cameras and microphones without turning on the indicator light.
How Devices Get Hijacked
Home Routers (The Primary Target)
Routers are always on, rarely monitored, and control access to every device in your home.
Default passwords are the biggest vulnerability. Countless routers ship with "admin/admin" or "admin/password" as credentials. Criminals maintain databases of default credentials for thousands of router models. Automated scripts continuously scan the internet trying these combinations.
Outdated firmware is the second major entry point. Most people never update their firmware because it's not automatic or obvious. A router still running firmware from 2022 is likely to have several publicly documented vulnerabilities, some with working exploit code posted online.
Remote management exposes the router's admin interface (web, SSH, or Telnet) to the entire internet instead of just your home network. If it is enabled with a weak or default password, anyone scanning the internet can log in.
UPnP lets any device on your home network ask the router to forward an internet-facing port to it, with no authentication of any kind. Malware on one infected device can use it to expose that device, or others on the network, directly to the internet and keep the mapping open as a permanent backdoor without you ever touching the router's settings.
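To make the UPnP point concrete, here is an added example in Python (not code from the original article). It builds the SOAP request a LAN client sends to an IGD router to open an inbound port, showing that the message carries no credential at all, and it parses the router's port-mapping listing so you can audit what is currently exposed. The sample responses are constructed in the WANIPConnection:1 format rather than captured from a real router, and the "expected" set of mappings is an assumption standing in for the forwards you set up deliberately.

```python
# Added example: UPnP IGD port-mapping request and mapping audit.
# The SOAP format follows the WANIPConnection:1 service; the sample responses
# below are constructed for illustration, not captured from a real router.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
ADMIN_PORTS = {22, 23, 80, 443, 445, 3389, 5900}  # SSH, Telnet, web, SMB, RDP, VNC


def build_add_port_mapping(ext_port, proto, int_host, int_port, desc, lease=0):
    """Body of the AddPortMapping request a LAN client POSTs to the router.
    Note what is missing: there is no username, password or token anywhere.
    Any process on any LAN host can send this, and lease 0 means 'forever'."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_ENV}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{int_host}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )


def parse_port_mapping_entry(xml_text):
    """Parse one GetGenericPortMappingEntry response into a plain dict."""
    root = ET.fromstring(xml_text)
    resp = root.find(f"{{{SOAP_ENV}}}Body/{{{WANIP}}}GetGenericPortMappingEntryResponse")
    f = {child.tag: (child.text or "") for child in resp}
    return {
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "internal_client": f["NewInternalClient"],
        "internal_port": int(f["NewInternalPort"]),
        "enabled": f["NewEnabled"] == "1",
        "description": f["NewPortMappingDescription"],
        "lease_seconds": int(f["NewLeaseDuration"]),
    }


def audit_mappings(entries, expected):
    """Return (internal host, external port, protocol, reasons) for every
    enabled mapping that looks like something you did not open yourself.
    `expected` holds (internal_client, internal_port, protocol) tuples."""
    findings = []
    for m in entries:
        if not m["enabled"]:
            continue
        reasons = []
        if (m["internal_client"], m["internal_port"], m["protocol"]) not in expected:
            reasons.append("not in your expected list")
        if m["lease_seconds"] == 0:
            reasons.append("permanent (lease 0)")
        if m["internal_port"] in ADMIN_PORTS:
            reasons.append("admin/remote-access port")
        if reasons:
            findings.append((m["internal_client"], m["external_port"], m["protocol"], reasons))
    return findings


def _entry_xml(ext, proto, int_host, int_port, desc, lease):
    """Constructed GetGenericPortMappingEntry response (sample data, not a capture)."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{int_host}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Two constructed mappings: a game console forward the owner set up, and an
# unnamed, permanent forward of a high external port straight to Telnet on a
# LAN host, which is exactly what malware-created backdoors tend to look like.
SAMPLE_RESPONSES = [
    _entry_xml(3074, "UDP", "192.168.1.20", 3074, "Xbox", 86400),
    _entry_xml(52311, "TCP", "192.168.1.42", 23, "", 0),
]
EXPECTED_MAPPINGS = {("192.168.1.20", 3074, "UDP")}  # assumption: what the owner opened


def run_audit():
    return audit_mappings([parse_port_mapping_entry(x) for x in SAMPLE_RESPONSES],
                          EXPECTED_MAPPINGS)


if __name__ == "__main__":
    for host, port, proto, why in run_audit():
        print(f"{proto}/{port} -> {host}: {', '.join(why)}")
```

On a real network, `upnpc -l` from the miniupnpc package lists the same mappings; anything you did not set up yourself, especially a permanent mapping to an admin port, is worth investigating, and turning UPnP off on the router removes the mechanism entirely.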
Smart Devices
Security cameras, video doorbells, smart plugs, baby monitors, smart TVs, connected thermostats. Many ship with terrible security: hardcoded passwords that can't be changed, unencrypted communications, no security updates. The Mirai botnet famously compromised hundreds of thousands of devices using just 60 common default username/password combinations.
Computers
Pirated software is among the most common malware sources. When you download cracked software, you're trusting that the person who cracked it didn't bundle malware. Many do; the bundled malware is how "free" software pays the person distributing it. For additional information, visit The Hidden Costs of Cracked Software.
Fake updates look legitimate because they copy the real thing. Pop-ups claiming "Your Flash Player is out of date" lead to malware downloads.
Email attachments remain effective despite decades of warnings. Criminals send invoices, receipts, legal notices as attachments containing macros or exploits.
Browser extensions ask for broad permissions. An extension that can "read and change all your data on websites you visit" can capture passwords and inject malicious code.
Phones and Tablets
Sideloaded apps from unofficial sources are the primary risk on Android. Devices running ancient versions of Android or iOS no longer receive security updates and have years of known, unpatched vulnerabilities.
Warning Signs You Can Spot
No single sign proves infection, but multiple signs together should raise concern:
- Internet is slow when you're not actively using it
- Router lights blink constantly, even at 3 AM when everyone's asleep
- Devices run hot while supposedly idle
- Laptop or desktop fans at full speed when no applications are open
- Battery drains unusually fast
- Data usage consistently higher than you can account for
- ISP sends abuse complaints or malware notices
- Unexplained network activity late at night
- Accounts getting locked or flagged for suspicious activity
- New browser toolbars or extensions you didn't install
- Default search engine or homepage changed without your action
- Disabled security features or antivirus that won't turn back on
Six Rules That Block Most Botnets
1. Lock Down Your Router
What to do:
- Change the admin password to something strong (16+ characters, mixed case, numbers, symbols)
- Disable remote management unless absolutely necessary
- Turn off UPnP unless you need it for specific devices
- Update firmware now, then set a quarterly calendar reminder
- Reboot monthly
Why this works: Automated botnet scanners try default credentials on millions of routers continuously. Changing the password removes you from the pool of easy targets. Without router access, criminals can't redirect traffic, intercept data, or use your router as a command-and-control server. This blocks the most common botnet infection method. Rebooting helps because much router malware lives only in memory and does not survive a power cycle; if the symptoms return within days of a reboot, something is reinfecting the router and it needs a firmware reflash (rule 6).
Remote management creates a globally-accessible entry point. Disabling it eliminates that attack surface entirely. Criminals can't access what isn't exposed.
Firmware updates patch vulnerabilities that criminals actively exploit. Running old firmware is like leaving your front door unlocked with a sign advertising it. Updates close known entry points and force criminals to find new, unknown vulnerabilities.
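Turning rule 1 into something you can run: the following is an added example, not code from the original article. It audits a router configuration against the rule's checklist, including the default-credential check that the Mirai section above describes. The configuration format, the field names, the 180-day firmware age threshold and the short default-credential list are all assumptions for illustration; real default-credential databases, including the list Mirai shipped with, are far longer. The weak configuration is the state automated scanners look for; the hardened one is the same router after the checklist.

```python
# Added example: audit a router configuration against rule 1.
# Config keys and the credential list are assumptions, not a vendor format.
from datetime import date
import string

# Constructed subset of the defaults automated scanners try first.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("root", "12345"), ("user", "user"),
}
FIRMWARE_MAX_AGE_DAYS = 180  # assumption: older than this and you have missed releases


def password_problems(password, username):
    """Reasons an admin password fails rule 1 (16+ characters, mixed case,
    digits, symbols) or matches a known default. Empty list means it passes."""
    problems = []
    if (username, password) in DEFAULT_CREDENTIALS:
        problems.append("is a known default credential")
    if len(password) < 16:
        problems.append("is shorter than 16 characters")
    has_classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(has_classes):
        problems.append("is missing a character class (lower, upper, digit, symbol)")
    if password.lower() in (username.lower(), "password"):
        problems.append("equals the username or the word 'password'")
    return problems


def audit_router(cfg, today):
    """Return a list of findings for one router. `cfg` keys (assumed):
    admin_user, admin_password, remote_management, upnp,
    firmware_date (ISO date string), wan_open_ports (list of ints)."""
    findings = [f"admin password {p}"
                for p in password_problems(cfg["admin_password"], cfg["admin_user"])]
    if cfg["remote_management"]:
        findings.append("remote management enabled: admin interface reachable from the internet")
    if cfg["upnp"]:
        findings.append("UPnP enabled: any LAN device can open inbound ports")
    age_days = (today - date.fromisoformat(cfg["firmware_date"])).days
    if age_days > FIRMWARE_MAX_AGE_DAYS:
        findings.append(f"firmware is {age_days} days old")
    for port in cfg.get("wan_open_ports", []):
        findings.append(f"port {port} forwarded from the internet")
    return findings


# Constructed "before" state: what a scanner hopes to find.
WEAK_CONFIG = {
    "admin_user": "admin", "admin_password": "admin",
    "remote_management": True, "upnp": True,
    "firmware_date": "2022-03-01", "wan_open_ports": [23, 8080],
}

# The same router after working through rule 1 (sample values).
HARDENED_CONFIG = {
    "admin_user": "admin", "admin_password": "Kettle-9!Orbit_harbour3",
    "remote_management": False, "upnp": False,
    "firmware_date": "2025-01-15", "wan_open_ports": [],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router(cfg, date.today()) or ["no findings"])
```

The firmware-age check is the one worth keeping honest: a router whose vendor has stopped publishing updates will fail it forever, which is the page's point about replacing end-of-life hardware rather than a bug in the audit.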
2. Isolate Smart Devices
What to do:
- Put all smart home devices on a guest network (with client isolation turned on) or a separate Wi-Fi network
- Before buying, check if the manufacturer provides regular security updates
- Disconnect or replace devices from defunct companies or without updates
Why this works: When a smart camera is compromised, isolation contains the infection to that network. The compromised device cannot reach your phone or computer to spread malware or snoop on their traffic. Botnet malware spreads laterally through networks. Isolation stops this spread. One caveat: a guest network still has internet access, so an isolated device can still be recruited into a botnet. Isolation limits the damage; it does not prevent the infection, which is why the update and replacement rules still apply.
Devices without updates become permanently vulnerable. Abandoned devices have documented, public vulnerabilities that will never be patched. They are permanent entry points to your network.
3. Minimize Your Attack Surface
What to do:
- Delete apps you haven't used in three months
- Remove forgotten browser extensions
- Never install pirated or cracked software
- Only install apps from official stores
Why this works: Fewer apps means fewer potential vulnerabilities. Apps you don't use can still be exploited. Browser extensions run with significant privileges and can capture everything you type, inject ads, or install additional malware. Many once-legitimate extensions have been sold to new owners who pushed an update that added malware, so an extension you trusted when you installed it is not necessarily the same code today.
Cracked software is where most consumer malware hides. The person who cracked it bundled malware into the installer. That's often the entire point. Official stores and vendor downloads at least scan submissions and can pull malicious software after the fact; a cracked installer is reviewed by nobody.
4. Updates Are Not Optional
What to do:
- Enable automatic updates on everything that offers them
- Update router firmware manually if automatic updates aren't available
- Replace or disconnect devices that no longer receive updates
Why this works: Security updates patch vulnerabilities that criminals actively exploit. When vendors discover a security flaw, they release a patch. From that moment, the flaw becomes public knowledge. Criminals build exploits targeting unpatched systems. Every day you delay updates, your device has known, documented, actively-exploited vulnerabilities.
Devices without updates accumulate vulnerabilities that will never be fixed. These become guaranteed infection vectors. Criminals specifically target end-of-life devices because exploitation is trivial.
5. Notice When Devices Talk Without You
What to do:
- Investigate if laptop fans spin when the lid is closed
- Check why router lights blink constantly at 3 AM
- Monitor which devices use unexpected amounts of data
- Enable login notifications on important accounts
Why this works: Cryptocurrency mining requires constant maximum CPU usage, generating heat and noise. Fans running at full speed when you're not using the device is a clear sign. Mining also tends to show up in task managers as unknown processes consuming 90-100% CPU. Be aware, though, that some miners throttle themselves or pause when a task manager window is open, so a quiet task manager is not proof of a clean machine; heat, fan noise, and power draw while the machine is supposedly idle are the more reliable tells.
Botnets often perform intensive operations during off-hours when they're less likely to be noticed. DDoS attacks, spam campaigns, and proxy services generate significant network traffic. Your router shouldn't be handling heavy traffic when all your devices are idle.
Smart devices involved in botnets participate in bandwidth-intensive operations. A security camera that only uploads during motion detection shouldn't transfer gigabytes daily. A smart TV that's turned off shouldn't use any data.
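The signs listed under "Warning Signs You Can Spot" and the checks in rule 5 come down to one question: is a device moving data when no human is driving it? The following added example (not from the original article) answers it over a constructed day of per-device hourly upload counts, the kind of numbers a router's traffic statistics page or a logging box on the network can export. Device names, byte counts, the per-device idle allowances and the 00:00-05:59 quiet window are all assumptions chosen for the sample.

```python
# Added example: flag devices that upload when the household is idle.
# All devices, byte counts and thresholds below are constructed sample data.
from statistics import median

QUIET_HOURS = range(0, 6)  # assumption: nobody is using devices 00:00-05:59
MIB = 1024 * 1024
KIB = 1024


def hourly(base, spikes=None):
    """24 hourly upload totals at a flat baseline, with optional spike hours."""
    vals = [base] * 24
    for hour, value in (spikes or {}).items():
        vals[hour] = value
    return vals


# One constructed day: device -> bytes uploaded in each hour 0..23.
SAMPLE_DAY = {
    "laptop":       hourly(50 * KIB, {9: 20 * MIB, 13: 15 * MIB, 20: 80 * MIB}),
    "doorbell-cam": hourly(30 * KIB, {8: 12 * MIB, 18: 9 * MIB}),
    "smart-plug":   hourly(2 * KIB, {1: 40 * MIB, 2: 41 * MIB, 3: 39 * MIB, 4: 38 * MIB}),
    "smart-tv":     hourly(500 * KIB),  # "off" all day, yet a steady upload
}

# How much a device may legitimately upload in an hour while idle (assumptions:
# a laptop or camera can sync a little; a plug or a switched-off TV almost nothing).
EXPECTED_IDLE_UPLOAD = {
    "laptop": 1 * MIB, "doorbell-cam": 1 * MIB,
    "smart-plug": 64 * KIB, "smart-tv": 64 * KIB,
}


def consecutive_runs(hours):
    """Group a sorted list of hours into runs of consecutive hours."""
    runs, current = [], []
    for h in hours:
        if current and h != current[-1] + 1:
            runs.append(current)
            current = []
        current.append(h)
    if current:
        runs.append(current)
    return runs


def quiet_hour_findings(day, expected_idle, hours=QUIET_HOURS):
    """Devices that exceed their idle allowance in two or more consecutive
    quiet hours. A single burst (a cloud backup, an update) is ignored;
    sustained night-time upload is the DDoS/spam/proxy pattern. Returns
    device -> MiB uploaded over the offending hours."""
    findings = {}
    for dev, vals in day.items():
        hot = [h for h in hours if vals[h] > expected_idle[dev]]
        if any(len(run) >= 2 for run in consecutive_runs(hot)):
            findings[dev] = sum(vals[h] for h in hot) // MIB
    return findings


def steady_upload_findings(day, expected_idle):
    """Devices whose *median* hour is above idle: constant traffic with no
    human behind it (relay, proxy, mining-pool chatter) rather than bursts.
    Returns device -> median KiB per hour."""
    return {dev: median(vals) // KIB for dev, vals in day.items()
            if median(vals) > expected_idle[dev]}


if __name__ == "__main__":
    print("busy at night:", quiet_hour_findings(SAMPLE_DAY, EXPECTED_IDLE_UPLOAD))
    print("never quiet:  ", steady_upload_findings(SAMPLE_DAY, EXPECTED_IDLE_UPLOAD))
```

The two checks catch different things: the laptop's big daytime bursts are a person working and trigger neither, the smart plug's four-hour night-time run is the "router lights blinking at 3 AM" symptom, and the switched-off TV fails the steady-upload check even though no single hour looks dramatic. Tune the idle allowances to what each device does on a day you are watching it.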
6. Reset Decisively When in Doubt
What to do:
- Factory reset suspected devices
- For computers, back up files (scan them first), then wipe and reinstall the OS (this ensures that no hidden 'persistence' scripts remain to reinfect the system later)
- For routers, reflash firmware or reset to factory defaults
- Change all passwords after cleaning (from a clean device)
- Replace devices you can't trust or properly secure
Why this works: Most malware includes persistence mechanisms that survive partial cleaning. Manual removal often leaves components behind. A complete wipe removes everything: malware, backdoors, persistence mechanisms. Criminals lose access completely.
Changing passwords after cleaning prevents criminals from using credentials they captured during the infection. Using a clean device to change passwords ensures new passwords aren't immediately captured.
Some devices cannot be properly secured due to age, lack of updates, or persistent compromises. A $40 router from 2016 with multiple known vulnerabilities is a permanent liability. Replacing it eliminates that vulnerability.
What Not to Do
Don't ignore ISP warnings. They mean your connection is actively being used for criminal activity.
Don't rely solely on antivirus. It's one layer, not complete protection. Many botnet infections evade antivirus, especially on routers and smart devices.
Don't expose devices directly to the internet. Port forwarding and DMZ settings should be used sparingly.
Don't keep abandoned devices connected. If the manufacturer ended support, disconnect or replace the device.
Don't use the same password everywhere. If one device is compromised, criminals will try that password on every other service.
The Bottom Line
If a device is online, unpatched, and poorly configured, it will eventually be compromised. That's how automated scanning works at internet scale. Criminals run continuous scans across the entire internet looking for vulnerable devices. Your device just needs to be visible and unprotected.
Botnets generate millions of dollars through cryptocurrency mining, credential theft, ransomware, DDoS extortion, ad fraud, and proxy services. These operations run 24/7, generating income from computing resources they don't own. They externalize all costs to you: your electricity, your bandwidth, your hardware wear, your legal risk.
The good news: simple, consistent habits prevent most problems. Change default passwords, enable automatic updates, isolate risky devices, minimize unnecessary software, pay attention to unusual behavior, and reset decisively when something seems wrong.
Each action directly blocks specific criminal profit models. Strong passwords block automated scanning. Updates patch the exploits they depend on. Isolation contains compromises. Minimizing software reduces attack surface. Noticing unusual behavior catches infections early. Decisive resets remove persistent access.
Take two hours this week to work through these six rules for every device in your home. Your devices should work for you, not for criminals running them remotely.