9 of the Biggest Botnet Attacks of the 21st Century

Botnets are responsible for hacking, spamming, and malware—here are the most significant botnet attacks with the worst consequences.

Individual systems, commonly known as zombies, combined with the criminal’s system (from where all other systems are controlled) are known as a master of the zombie network or “bot-network.” A bot-network can deliver a DDoS attack on a large-scale. Botnets target to send millions of spam emails, pull the websites down for ransom, or harm the victim financially or even emotionally. These botnets, due to their efficiency, remain a favorite among cybercriminals. Here is an overview of nine of the most significant botnets attacks of the 21st century that turned out to be drastic to those affected.

EarthLink Spammer—2000

EarthLink Spammer is the first botnet to be recognized by the public in 2000. The botnet was created to send phishing emails in large numbers, masked as communications from legitimate websites. Over 1.25 million malicious emails were sent to collect sensitive information, such as credit card details, in the span of a year. The botnet had downloaded viruses on victims’ computers when they clicked on the links in the emails, and this virus remotely fed the information to the sender. Later, EarthLink sued the creator for $25 million for spamming their network, which earned him nearly US$3 million [1].


Cutwail, a malware that targets Windows OS through malicious emails, was discovered in 2007. The malware was distributed via the Pushdo Trojan to turn the infected system into a spambot. Message Labs, a security organization, identified that Cutwail had compromised 1.5–2 million infected systems and was capable of sending 74 billion spam emails per day. The malware represented 46.5% of global spam distribution, and therefore was recognized as one of the largest botnets in 2009. Even though the FBI, Europol, and other law enforcement agencies attempted to takedown Cutwail in 2014, the botnet remains active even today [2].


Storm may not be the most malicious piece of malware in the history of a botnet, but it is on track to be the most successful, with the number of systems infected at more than 1 million. Storm is one of the first peer-to-peer botnets that can be controlled from several different servers. The storm is activated in victims’ systems by sending messages that encourage them to visit a malicious website where the malware downloads on the system. The network was rented out on the dark web, which made it a contributor in a wide range of criminal activities. Most Storm servers were pulled down in 2008, and it is not very active [3].


Grum is a massive pharmaceutical spammer bot that was identified in 2008. It appeared to be more complex and larger beyond the imagination of the experts. During Grum’s demise in July 2012, it was able to send 18 billion email spams per day. Law enforcement discovered 136,000 internet addresses that were sending spam for Grum. Several individuals who were likely responsible for spreading Grum are recognized today as the world’s most active spam botnets [4].


Remember Storm botnet? Now imagine a botnet that is twice as powerful as Storm, and that is how big Kraken is. Damballa, an internet security company, was the first to report Kraken. Unlike, peer-to-peer techniques, Kraken uses command and control servers located in different parts of the world. The botnet infected 50 of 500 Fortune company’s infrastructures. Damballa claimed that botnet infected machines were sending over 500,000 spam messages per day. Though Kraken is inactive today, the security systems spotted its remnants, and those might invoke this botnet again in the future [5].


Originated in Spain in 2008, Mariposa botnet hijacked around 12.7 million computers around the world in 2 years duration. The word “Mariposa” stands for butterfly in French. The botnet got its name because it was created with a software called Butterfly Flooder, which was written by Skorjanc illegally. Mariposa infected computers in more than 190 countries via various methods, such as instant messages, file sharing, hard disc devices, and more. The botnet also used malvertising—using digital ads to spread the malware that was capable of stealing millions of dollars from unsuspected users by taking their credit card numbers and passwords from banking websites [6].


Methbot is the biggest ever digital ad malware that acquired thousands of IP addresses with US-based ISPs. The operators first created more than 6,000 domains and 250,267 distinct URLs that appeared to be from premium publishers, such as ESPN and Vogue. Later, video ads from malicious advertisers were posted on these websites which sent their bots “watch” around 30 million ads daily. White Ops uprooted Methbot in 2015, but the botnet might resurface again in the future [7].


Mirai infects digital smart devices that run on ARC processors and turns them into a botnet, which is often used to launch DDoS attacks. If the default name and password of the device is not changed then, Mirai can log into the device and infect it. In 2016, the authors of Mirai software launched a DDoS attack on a website that belonged to the security service providing company. Soon after a week, they published the source code to hide the origins of the attack, which was then replicated by other cybercriminals who believed to attack the domain registration service provider, Dyn, in the same year. At its peak, Mira infected over 6 million devices [8].


3ve botnet gave rise to three different yet interconnected sub-operations, each of which was able to evade investigation after perpetrating ad fraud skillfully. Google, White Ops, and other tech companies together coordinated to shut down 3ve’s operations. It infected around 1.7 million computers and a large number of servers that could generate fake traffic with bots. The malware also counterfeits 5,000 websites to impersonate legitimate web publishers along with 60,000 accounts of digital advertising companies so that fraudsters can earn from the ads received. The only goal of this malware is to steal as much money as it can from US$250 billion global ad industry while not getting detected as long as possible [9].

Botnets have been a constant threat to the IT infrastructure of the industry, and dealing with them requires an aggressive, assertive, and skilled cybersecurity approach. If you want to be a pro in combating botnet attacks and other similar cybersecurity attacks, you should be a Certified Ethical Hacker (C|EH). C|EH is a credential from EC-Council that equips you with the tools and methodologies required to trace the vulnerabilities that any criminal attacker would have used. More details can be accessed from our website.

Becoming an Ethical Hacker on your checklist?

Make sure you choose the right pathway for your career progression!


  1. https://www.whiteops.com/blog/9-of-the-most-notable-botnets
  2. https://www.cyber.nj.gov/threat-profiles/botnet-variants/cutwail
  3. https://www.networkworld.com/article/2286172/storm–the-largest-botnet-in-the-world-.html
  4. https://krebsonsecurity.com/tag/grum-botnet/
  5. https://www.theregister.co.uk/2010/06/29/kraken_botnet_resurgence/
  6. https://www.bbc.com/news/technology-25506016
  7. https://www.forbes.com/sites/thomasbrewster/2016/12/20/methbot-biggest-ad-fraud-busted/#10fc08624899
  8. https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
  9. https://www.buzzfeednews.com/article/craigsilverman/3ve-botnet-ad-fraud-fbi-takedown


get certified from ec-council
Write for Us