"Hackers can now launch massive 2Tbps attacks": Report reveals staggering 10x growth in botnet size with record-breaking DDoS incidents peaking for 40 minutes as multi-vector attacks grow in complexity and become harder to dismantle
The longest bad bot attack of Q1 2026 lasted for more than two weeks
- Largest tracked botnet expanded from 1.33 million to 13.5 million infected devices
- Sustained 2Tbps attack lasted 40 minutes with repeated spikes above 1Tbps
- Blockchain-based command systems complicate traditional botnet disruption and mitigation efforts
Security researchers tracking large-scale cyberattacks say the biggest botnet currently on record has expanded at a pace that massively outstrips earlier forecasts.
New data from Qrator Labs shows the network increased from 1.33 million infected devices to 13.5 million in roughly a year, marking a tenfold jump that raises concerns about just how quickly these systems can scale.
Most of the compromised devices are now spread across the United States, Brazil, and India, although the United Kingdom has also entered the top five sources. That spread makes country-based blocking far less effective because traffic can originate from almost anywhere.
DDoS attack hits over 2Tbps
One of the largest DDoS attacks in Q1 2026 linked to the expanding botnet targeted an unnamed organization in the betting sector, reaching more than 2Tbps at peak intensity.
The sustained phase lasted over 40 minutes, far longer than typical bursts, which usually peak for only seconds.
Qrator's researchers recorded 11 spikes during that period, four exceeding 1Tbps. The repeated surges suggest attackers adjusted their methods mid-attack to maintain pressure on the target’s infrastructure.
Large attacks at this scale were rare not long ago. In early 2025, no incidents above 1Tbps were recorded, yet four appeared within the first quarter of 2026.
Activity patterns also show attackers shifting toward multi-vector incidents that combine multiple methods at once.
The share of those attacks rose from 8.0% to 10.7%, while combinations of network-layer and application-layer traffic nearly doubled.
Another development involves a botnet loader known as Aeternum C2, which uses the Polygon blockchain as its command channel. Commands are written to smart contracts and retrieved by infected devices through public endpoints rather than centralized servers.
That setup removes common points of failure. Without a central domain or hosting provider, traditional takedown strategies become far harder to execute.
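With no central domain to block, detection has to key on the contract reads themselves. The sketch below is an added example, not code from Qrator Labs or the original article: it flags devices that repeatedly read the same smart contract through any RPC endpoint. It assumes the commands are fetched with read-only Ethereum JSON-RPC calls such as `eth_call` (the API Polygon exposes) and that an egress proxy with TLS inspection records request bodies; the record fields, hostnames and contract addresses are constructed.

```python
import json
from collections import defaultdict

# Read-only Ethereum JSON-RPC methods; Polygon is EVM-compatible and exposes the same API.
READ_METHODS = {"eth_call", "eth_getLogs"}

C2 = "0x" + "ab" * 20   # constructed contract address, not a real indicator
DEX = "0x" + "cd" * 20  # constructed contract address used by a legitimate service

def _call(addr):
    """Build a constructed eth_call request body for the sample log."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                       "params": [{"to": addr, "data": "0x"}, "latest"]})

# Constructed egress-proxy records (hypothetical field names, reserved .invalid hosts).
SAMPLE_LOG = [
    {"ts": 0, "src": "camera-17", "dst": "rpc-a.example.invalid", "body": _call(C2)},
    {"ts": 300, "src": "camera-17", "dst": "rpc-b.example.invalid", "body": _call(C2)},
    {"ts": 600, "src": "camera-17", "dst": "rpc-a.example.invalid", "body": _call(C2)},
    {"ts": 610, "src": "camera-17", "dst": "ntp.example.invalid", "body": ""},
    {"ts": 20, "src": "laptop-04", "dst": "rpc-a.example.invalid", "body": _call(DEX)},
] + [{"ts": t, "src": "wallet-svc", "dst": "rpc-a.example.invalid", "body": _call(DEX)}
     for t in (5, 65, 125)]

def contract_of(body):
    """Return the contract address a JSON-RPC read targets, or None if not one."""
    try:
        req = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(req, dict) or req.get("method") not in READ_METHODS:
        return None
    params = req.get("params")
    first = params[0] if isinstance(params, list) and params else None
    if not isinstance(first, dict):
        return None
    addr = first.get("to") or first.get("address")  # eth_call / eth_getLogs
    return addr.lower() if isinstance(addr, str) else None

def find_contract_pollers(records, allowlist=(), min_polls=3):
    """Flag non-allowlisted hosts that repeatedly read the same contract."""
    polls = defaultdict(list)
    for r in records:
        addr = contract_of(r.get("body"))
        if addr and r["src"] not in allowlist:
            # Key on the contract, not the endpoint: RPC hosts are interchangeable.
            polls[(r["src"], addr)].append(r["ts"])
    return [{"src": s, "contract": c, "polls": len(ts), "span_s": max(ts) - min(ts)}
            for (s, c), ts in sorted(polls.items()) if len(ts) >= min_polls]
```

Calling `find_contract_pollers(SAMPLE_LOG, allowlist={"wallet-svc"})` reports only `camera-17`, even though its three reads were spread across two different RPC hosts.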
The security researchers also tracked growing volumes of automated traffic unrelated to direct outages. Blocked malicious bot requests averaged about 2.5 billion per month, while one attack against an e-commerce target lasted more than two weeks and generated over 178 million requests.
Network routing incidents remained active as well, with seven global route leaks and one BGP hijack recorded during the quarter.

Wayne Williams is a freelancer writing news for TechRadar Pro. He has been writing about computers, technology, and the web for 30 years. In that time he wrote for most of the UK’s PC magazines, and launched, edited and published a number of them too.