The FBI Just Freed Three Million Hacked Devices. The Concept of a Botnet Was Born on IRC in 1999.
A coordinated operation by the FBI and international law enforcement dismantled two massive IoT botnets controlling over three million compromised devices, including routers, cameras, and smart home gadgets. The concept of marshaling hijacked machines into an army dates back to IRC chat networks in 1999.
Key Takeaways
- The FBI-led operation freed over three million compromised IoT devices across 40 countries
- The botnets were used for DDoS attacks, credential stuffing, cryptocurrency mining, and proxying criminal traffic
- The concept of a botnet originated with IRC bots in 1999 that could remotely control compromised machines
- The 2016 Mirai botnet attack on Dyn DNS took down Twitter, Netflix, Reddit, and dozens of other major sites
- An estimated 30 billion IoT devices are now connected worldwide, many with minimal security
Root Connection
In 1999, a program called Sub7 and early IRC bots demonstrated that compromised computers could be remotely controlled in coordinated groups. These proto-botnets, armies of hijacked machines responding to commands in IRC channels, established the blueprint that every botnet since has followed. The root of the three-million-device network the FBI just dismantled lives in those late-1990s IRC channels.
Timeline
1999: Early IRC bots and tools like Sub7 demonstrate remote control of compromised computers in coordinated groups, creating the first proto-botnets
2000: The 'Mafiaboy' attacks use a network of compromised machines to DDoS Yahoo, CNN, and eBay
2007: The Storm botnet infects over one million PCs, becoming one of the largest botnets of its era
2010: Stuxnet demonstrates that malware can target physical infrastructure, not just computers
2016: The Mirai botnet hijacks IoT devices and launches a DDoS attack that takes down major websites including Twitter, Netflix, and Reddit
2023: Law enforcement takes down the Qakbot botnet, freeing over 700,000 compromised devices
2026: FBI-led operation dismantles two IoT botnets controlling over three million devices worldwide
On the morning of March 20, 2026, a coordinated operation spanning 40 countries and involving the FBI, Europol, the UK's National Crime Agency, and law enforcement from a dozen other nations simultaneously executed takedown orders against two of the largest IoT botnets ever discovered.
The operation, code-named "Operation Cobalt Sweep," targeted command-and-control infrastructure spread across servers in the United States, the Netherlands, Germany, Singapore, and Brazil. When the digital dust settled, over three million devices had been freed from remote control by criminal operators.
Three million devices. Not computers. Not servers. Routers. Security cameras. Baby monitors. Smart thermostats. Connected refrigerators. DVRs. Smart plugs. The unglamorous, invisible infrastructure of modern life, each one quietly compromised and conscripted into a digital army that its owner never knew existed.
Three million devices. Routers, cameras, baby monitors, smart thermostats. Each one quietly conscripted into an army its owner never knew existed.
— ROOT•BYTE analysis
The two botnets, which researchers have dubbed "Undertow" and "SiltNet," had been operating for approximately 18 months before law enforcement moved. Undertow specialized in distributed denial-of-service attacks, renting its capacity to anyone willing to pay. SiltNet was more sophisticated: it used compromised devices as proxy nodes, routing criminal traffic through millions of innocent home networks to obscure the origin of everything from credential stuffing attacks to ransomware deployment.
The takedown is the largest IoT botnet operation in history, eclipsing the 2023 Qakbot disruption that freed 700,000 devices. But to understand what these botnets are and why they keep appearing, you have to go back to the late 1990s and the chaotic, creative, often criminal culture of Internet Relay Chat.
IRC, for those who did not live through the early internet, was the social media of its day. Launched in 1988, it was a real-time text chat protocol organized into channels. By the mid-1990s, IRC was where hackers, programmers, gamers, and early internet communities gathered. It was also where the concept of the botnet was born.
In 1999, programmers began creating automated IRC clients, called bots, that could sit in channels and perform tasks. Some were benign: they managed channels, logged conversations, or played trivia games. Others were not. Tools like Sub7 and Back Orifice allowed hackers to install remote-access trojans on victims' computers. Once installed, these trojans would connect to an IRC channel and wait for commands.
The hacker could type a command in the IRC channel, and every compromised computer listening in that channel would execute it simultaneously. Send spam. Launch a flood of traffic at a target website. Harvest passwords. The compromised computers had no idea they were being controlled. They were bots in a network. A botnet.
The term entered common usage around 2000, when a Canadian teenager known as "Mafiaboy" used a network of compromised machines to launch DDoS attacks against Yahoo, CNN, eBay, Dell, and Amazon. The attacks took the sites offline for hours and caused an estimated $1.7 billion in economic damage. Mafiaboy was 15 years old.
The average IoT device ships with security that would have been considered negligent on a desktop computer in 2005. The manufacturers externalize the cost of security onto everyone else.
— ROOT•BYTE analysis
Botnets evolved rapidly. The Storm botnet of 2007 infected over a million PCs using email attachments. Conficker in 2008 exploited a Windows vulnerability and compromised an estimated seven million computers worldwide. These were traditional botnets: they targeted Windows PCs, which were numerous, poorly patched, and often connected to broadband.
Then came the Internet of Things, and everything changed.
Starting around 2010, manufacturers began connecting everything to the internet. Cameras. Doorbells. Light bulbs. Thermostats. Refrigerators. Toasters. Baby monitors. The devices were cheap, the software was minimal, and security was an afterthought when it was a thought at all. Default passwords were often "admin/admin" or "root/root." Firmware was rarely updated. Many devices had no mechanism for security patches at all.
In September 2016, a piece of malware called Mirai demonstrated what this meant. Created by three college students in the United States, Mirai scanned the internet for IoT devices with default credentials, logged into them, and enrolled them in a botnet. At its peak, Mirai controlled over 600,000 devices.
On October 21, 2016, the Mirai botnet launched a DDoS attack against Dyn, a major DNS provider. The attack generated over 1.2 terabits per second of traffic, overwhelming Dyn's infrastructure. Because Dyn provided DNS resolution for major websites, the attack's effect cascaded: Twitter, Netflix, Reddit, CNN, The New York Times, PayPal, Spotify, and dozens of other sites went offline for hours. It was the largest DDoS attack in history at the time, and it was powered by webcams and DVRs.
Mirai's source code was released publicly, spawning dozens of variants. The IoT botnet had become a permanent feature of the threat landscape.
The Undertow and SiltNet botnets that the FBI dismantled this week are direct descendants of Mirai. They use the same fundamental approach: scan for IoT devices, exploit weak credentials or known vulnerabilities, install lightweight malware, and connect to command-and-control servers. The scale is larger because there are simply more IoT devices now. An estimated 30 billion IoT devices are connected worldwide. Many still ship with default passwords. Many have known vulnerabilities that will never be patched because the manufacturer has gone out of business or simply does not issue updates.
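The first step of the lifecycle described above, a compromised device scanning the internet for other devices to log into, is also the step a home or small-office network owner can most easily spot from the outside: an infected camera or DVR suddenly opens connections to a large number of unrelated external addresses on remote-administration ports. The script below is an added example, not code from the article or from any tool or investigation it names. It assumes flow records in a simple constructed "timestamp source destination port" format, and it assumes telnet ports 23 and 2323 as the ports to watch (Mirai-family malware is widely documented to probe these; adjust the set for your own environment). The sample flows are constructed: one camera probing 25 distinct addresses within a minute, and one laptop doing ordinary browsing plus a single telnet connection.

```python
"""Flag Mirai-style scanning by a device on the local network.

Added illustration (not the article's or any named tool's code). A source
is reported when it contacts more than DISTINCT_DST_THRESHOLD distinct
destinations on SCAN_PORTS within any WINDOW_SECONDS sliding window.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable

SCAN_PORTS = {23, 2323}        # assumption: telnet ports probed by Mirai-family malware
WINDOW_SECONDS = 60            # sliding window length
DISTINCT_DST_THRESHOLD = 20    # tunable: distinct destinations per window before alerting


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch (or any monotonic clock)
    src: str       # internal device address
    dst: str       # external address contacted
    dport: int     # destination port


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'ts src dst dport' record."""
    ts, src, dst, dport = line.split()
    return Flow(float(ts), src, dst, int(dport))


def find_scanners(flows: Iterable[Flow],
                  window: float = WINDOW_SECONDS,
                  threshold: int = DISTINCT_DST_THRESHOLD) -> Dict[str, int]:
    """Return {src: peak distinct destinations} for sources at or above threshold."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in SCAN_PORTS:
            by_src[f.src].append(f)

    suspects = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        counts = defaultdict(int)   # distinct destinations currently inside the window
        left = 0
        peak = 0
        for f in fl:
            counts[f.dst] += 1
            # slide the left edge forward until the window is at most `window` seconds wide
            while f.ts - fl[left].ts > window:
                old = fl[left].dst
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            suspects[src] = peak
    return suspects


# Constructed sample data. 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_FLOWS = (
    [f"{1000 + i} 192.168.1.50 203.0.113.{i} 23" for i in range(25)]   # camera probing telnet
    + [
        "1005 192.168.1.10 198.51.100.7 443",   # laptop: normal HTTPS
        "1010 192.168.1.10 198.51.100.8 443",
        "1020 192.168.1.10 198.51.100.9 23",    # laptop: one telnet connection, below threshold
    ]
)


def analyze(lines: Iterable[str] = SAMPLE_FLOWS) -> Dict[str, int]:
    """Run the detector over text records and return the suspect map."""
    return find_scanners(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for src, n in analyze().items():
        print(f"{src}: {n} distinct telnet destinations within {WINDOW_SECONDS}s")
```

The threshold is deliberately a count of distinct destinations rather than raw connection attempts, because a legitimate device retrying one unreachable host produces many flows to a single address, while a scanner produces one flow each to many addresses. Feeding the function real flow export (for example, flows exported by a router that supports NetFlow or IPFIX, converted to the same four fields) turns this into a simple early-warning check for the reinfection the article says law enforcement expects.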
The FBI's operation involved sending commands to the compromised devices that removed the botnet malware and, where possible, closed the vulnerability that allowed the initial infection. But law enforcement officials acknowledged that many devices will be reinfected within weeks or months because the underlying security flaws remain.
This is the fundamental problem with IoT security. The devices are designed to be cheap and disposable. Security costs money: secure boot processes, encrypted communications, regular firmware updates, vulnerability response teams. Every dollar spent on security is a dollar that raises the price of a device competing in a market where consumers choose primarily on price.
The result is that the cost of insecurity is externalized. The owner of a compromised baby monitor does not notice that their device is participating in a DDoS attack. The target of the DDoS attack bears the cost. The ISP whose network carries the attack traffic bears the cost. Society bears the cost. The manufacturer bears nothing.
Some progress has been made. The US Cyber Trust Mark program, launched in 2024, provides a voluntary certification label for IoT devices that meet minimum security standards. The EU's Cyber Resilience Act, which takes full effect in 2027, will mandate security requirements for connected devices sold in Europe. But voluntary programs have limited uptake, and mandates take years to implement.
Meanwhile, the botnets keep growing. The FBI freed three million devices this week. Within a year, many of those same devices, and millions of new ones, will be compromised again. The root cause is not the malware. It is the economic incentive structure that makes insecure devices profitable to manufacture and sell.
Twenty-seven years ago, hackers in IRC channels discovered that compromised computers could be controlled as a group. Today, that same concept scales to three million baby monitors and smart plugs. The attack surface has expanded from PCs on desks to every connected device in every home on earth.
The bots have left IRC. They live in your router now.
(Sources: FBI press release on Operation Cobalt Sweep, Europol advisory, Krebs on Security, Akamai State of the Internet Report, NIST IoT Cybersecurity guidelines, Recorded Future botnet tracking data)