The FBI Destroyed an Internet Weapon, but Criminals Picked Up the Pieces
wsj.com By Robert McMillan Sept. 15, 2025 7:00 am ET Botnets, massive networks of hacked devices, are being used for dangerous attacks, one of which recently set a world record The Federal Bureau of Investigation recently disrupted a network of hacked devices used by criminals in some of the largest online attacks yet seen. Now those devices have been hacked by someone new to build an even bigger weapon. Law-enforcement agencies and technology companies are waging a war against increasingly powerful networks of hacked devices, called botnets, that can knock websites offline for a fee. They are used for extortion and by disreputable companies to knock rivals offline, federal prosecutors say. But lately, a new age of dangerous botnets has arrived, and existing internet infrastructure isn’t prepared, some network operators say. These botnets are leveraging new types of internet-connected devices with faster processors and more network bandwidth, offering them immense power. The criminals controlling the botnets now have the capabilities to move beyond website takedowns to target internet connectivity and disrupt very large swaths of the internet. “Before the concern was websites; now the concern is countries,” said Craig Labovitz, head of technology with Nokia’s Deepfield division. In August, federal prosecutors charged a 22-year-old Oregon man with operating a botnet that had shut down the X social-media site earlier this year. But the FBI’s takedown last month appeared to have an unwanted consequence: freeing up as many as 95,000 devices to be taken over by new botnet overlords. That led to a free-for-all to take over the machines “as fast as possible,” said Damian Menscher, a Google engineer. The operators of a rival botnet, called Aisuru, seized control of more than one-fourth of them and immediately started launching attacks that are “breaking records,” he said. On Sept. 1, the network services company Cloudflare said it had measured an attack that clogged up computer networks with 11.5 trillion bits of junk information per second. That is enough to consume the download bandwidth of more than 50,000 consumer internet connections. In a post to X, Cloudflare declared this attack, known as a distributed denial of service, or DDoS, a “world record” in terms of intensity. Some analysts see it almost as an advertisement of the botnet’s capabilities. It was one of several dozen attacks of a similar size that network operators have witnessed over the past weeks. The attacks were very short in duration—often lasting just seconds—and may be demonstrations of the Aisuru capabilities, likely representing just a fraction of their total available bandwidth, according to Nokia. With the world’s increasing dependence on computer networks, denial-of-service attacks have become weapons of war. Russia’s intelligence service, the GRU, used DDoS attacks on Ukraine’s financial-services industry as a way to cause disruption ahead of its 2022 invasion, U.K. authorities have said. Botnets such as Aisuru are made up of a range of internet-connected devices—routers or security cameras, for example—rather than PCs, and often these machines can only join one botnet at a time. Their attacks can typically be fended off by the largest cloud-computing providers. One massive network that Google disrupted earlier this year had mushroomed from at least 74,000 Android devices in 2023 to more than 10 million devices in two years. That made it the “largest known botnet of internet-connected TV devices,” according to a July Google court filing. This network was being used to click billions of Google advertisements in an ad fraud scheme, Google said, but the massive network “could be used to commit more dangerous cybercrimes, such as ransomware” or denial-of-service attacks, the Google filing said. To date, denial-of-service attacks are spawned from networks like Aisuru that typically include tens of thousands of computers, not millions, making them easier to defend against. In the past year, a very large botnet that has typically been used for fraud began launching online attacks. Called ResHydra, it is made up of tens of millions of devices, according to Nokia. Res Hydra represents a whole new level of problem, said Chris Formosa, a researcher with the networking company Lumen’s Black Lotus Labs. Harnessing a botnet of that size would “do extreme damage to a country.”
