Massive botnet bigger than some countries discovered as DDoS attacks soar


Millions of devices reaching end-of-life with access to fast internet are turning into a cybersecurity nightmare. This year, a record-breaking botnet consisting of 1.33 million devices is wreaking havoc on global web services.

If this botnet were a country, it would be as large as Cyprus, Mauritius, or Estonia, and bigger than around 50 other countries in the world.

“On March 26th, 2025 – just before the end of the first quarter – we detected an attack from a massive DDoS botnet that broke previous records by a wide margin,” Qrator Labs, a cybersecurity firm, warns in its latest report on DDoS (distributed denial of service) incidents.

For comparison, the largest botnet of 2024 was almost six times smaller, with around 227,000 devices.

This monstrosity attacked an undisclosed client from the “betting shops” microsegment, and the DDoS attack lasted approximately 2.5 hours. More than half of the 1.33 million devices – 51.1% – seemed to be located in Brazil, and smaller parts of the botnet were in Argentina (6.1%), Russia (4.6%), Iraq (3.2%), and Mexico (2.4%).

“It might seem that such attacks with a high concentration of sources in a single country can be easily mitigated using geo-blocking. However, in practice, bot operators are usually prepared for this and can quickly switch to IP addresses from other regions,” the researchers at Qrator Labs explain.

Old devices turn zombie

The growth of the massive botnet is attributed to the increasing number of outdated and vulnerable devices in developing countries.

Cybernews previously reported that many cheap devices, especially off-brand Android ones coming from China, even come with malware pre-installed and Google security features disabled.

Currently, authorities and internet service providers are keeping around five million devices of various kinds “sinkholed” – no longer able to call back to the hackers who used to control them – with Brazil again leading the chart.

The discovered botnet closely resembles the largest one from last year and confirms the trend, dubbed “the rise of massive DDoS botnets built from devices located in developing countries.”

People tend to keep their devices for longer than their support lasts. Cheap and outdated devices no longer receive security updates and remain connected to the internet. These conditions are especially prevalent in developing regions due to economic constraints, Qrator explains.

“The result is a perfect storm: millions of vulnerable devices with fast internet access form an ideal foundation for large botnets, which are increasingly being used to launch high-scale DDoS attacks.”

Statistics confirm: 110% more DDoS attacks

Hackers are using the new capabilities to their advantage – the first quarter of 2025 saw a 110% increase in DDoS attacks compared to a year earlier. The surge follows a 50% increase observed in 2024 over 2023.

The trend in attack activity is steady and upward.

“While the increase in the number of DDoS attacks is not entirely novel, the scale we’re now seeing is unprecedented,” said Andrey Leskin, Chief Technology Officer at Qrator Labs.

“Attacks powered by such massive botnets can generate tens of millions of requests per second, quickly overwhelming unprotected systems.”

Most of the malicious network (L3) and transport (L4) layer packets target the IT and telecoms (26.8%), fintech (22.3%), and e-commerce (21.5%) segments.

Meanwhile, DDoS attacks on the application layer (L7) most often target fintech (54%), followed by e-commerce (14.4%).

Many automated systems also generate bad bot traffic that does not disrupt the services but carries out activities like data scraping, manipulating metrics, brute-forcing login credentials, and other forms of abuse.