9 of History's Notable Botnet Attacks

Business may be booming for the cybercrime underworld at large, but that doesn’t mean that any old scheme will be profitable. Botnets, armies of thousands of bots, give criminals the scale they need.

A botnet is any large network of web-based malicious applications or “bots.” Some botnets operate out of data centers, while others are made up of real internet users’ devices infected by malware. Some send millions of spam emails; some take down websites and hold them for ransom; some perform account takeover and fake account creation; some steal from programmatic advertisers through ad fraud.

While botnets themselves vary widely, they have remained a favored tool of the most sophisticated cybercriminals. Here are some of the botnets that have come to define cybercrime:


EarthLink Spammer - 2000

Any good history starts at the beginning. The first botnet to gain public notoriety was a spammer built by Khan K. Smith in 2000. The botnet sent 1.25 million emails – phishing scams masked as communications from legitimate websites – in a little over a year. Smith hoped to collect sensitive information like credit card numbers, or to download viruses onto victims’ computers that would remotely feed him information. Eventually, Smith was sued for $25 million by EarthLink for using their network for his spam scheme, which earned him at least $3 million.


Storm - 2007

Storm was one of the first known peer-to-peer botnets (that is, it was among the first to be controlled by several different servers). The network was tremendous, ranging from 250,000 to 1 million infected computers, and could be rented out to any criminal willing to pay for it on the dark web. Because of this, Storm was involved in a wide range of criminal activities, from DDoS attacks to identity theft. Some of Storm’s servers were shut down in 2008, and today the botnet is thought to be more or less inactive.


Cutwail - 2007

In 2009, the spam botnet Cutwail was sending 51 million emails every minute, contributing up to 46.5% of the entire world’s spam volume at the time. Since Cutwail is composed of around 1.5 million infected machines, attempts to shut it down have been frustratingly ineffective. Even after an attempted takedown by the FBI, Europol, and other law enforcement agencies in 2014, the botnet remains active and available for rent today.


Grum - 2008

Grum was a spam botnet specializing in pharmaceutical spam, but it had massive scale. In 2009 it was capable of sending 39.9 billion messages per day, or 18% of the world’s spam. Law enforcement discovered Grum command and control centers in locations around the world, from the Netherlands to Panama, successfully shutting the operation down in 2012.


Kraken - 2008

It’s hard to know exactly how big the Kraken botnet was, but its massive reach is undeniable. It’s been estimated that Kraken infected 10% of all Fortune 500 companies, and that each of its 495,000 bots could send as many as 600,000 emails per day. The botnet was one of the first observed to use evasion techniques that allowed it to avoid being detected by anti-malware software, even when auto-updated. While Kraken is inactive today, its remnants have been spotted by security systems in the past and may well resurface one day.


Mariposa - 2008

Mariposa was a botnet of Spanish origin, capable of stealing millions of dollars from unsuspecting users by taking their credit card numbers and passwords to their accounts on financial services sites. It used malvertising – the use of digital ads to spread malware – to take over a whopping ten million machines, making it the second largest botnet discovered to date. However, Spanish law enforcement was able to bring down the operation in one fell swoop when they discovered a record of everyone who paid to rent the network.


Methbot - 2016

Methbot fraudulently acquired hundreds of thousands of IP addresses from two global internet registries and associated them with US-based ISPs. Methbot’s operators created more than 6,000 domains and 250,267 distinct URLs that appeared to come from premium publishers, got advertisers to bid on them, then sent their bots to "watch" as many as 300 million video ads every day. Methbot was discovered and uprooted by White Ops in 2015, but we’re always looking out for signs of it resurfacing.


Mirai - 2016

The Mirai botnet was behind a massive distributed denial of service (DDoS) attack that left much of the internet inaccessible on the U.S. east coast. But what made Mirai most notable was that it was the first major botnet to infect insecure IoT devices. At its peak, the worm infected over 600,000 devices. Most surprising of all: the botnet was created by a group of college kids looking to gain an edge in Minecraft.


3ve - 2018

3ve was the “mother” to three distinct yet interconnected sub-operations, each of which perpetrated ad fraud and was able to skillfully evade detection. A months-long investigation led by White Ops, Google and law enforcement that began in early 2017 resulted in an unprecedented takedown in the fall of 2018. 3ve's demise was historic in that it was the first time several individuals were arrested and indicted for ad fraud, subsequently altering the risk-reward ratio for would-be fraudsters.