- Largest tracked botnet expanded from 1.33 million to 13.5 million infected devices
- Sustained 2 Tbps attack lasted 40 minutes with repeated spikes over 1 Tbps
- Blockchain-based command systems complicate traditional botnet disruption and mitigation efforts
Security researchers who track large-scale cyberattacks say the largest botnet currently on record has expanded at a pace that massively exceeds previous forecasts.
New data from Qrator Labs shows that the network has grown from 1.33 million infected devices to 13.5 million in about a year, marking a tenfold increase that raises concerns about how quickly these systems can scale.
Most of the compromised devices are now spread across the US, Brazil and India, although the UK has also entered the top five sources. That spread makes country-based blocking far less effective because the traffic can originate from almost anywhere.
DDoS attacks hit over 2 Tbps
One of the largest DDoS attacks in Q1 2026 linked to the expanding botnet targeted an unnamed organization in the betting sector and reached more than 2 Tbps at peak intensity.
The sustained phase lasted over 40 minutes, far longer than typical attack bursts, which usually peak for only seconds.
Qrator’s researchers recorded 11 spikes during that period, four above 1 Tbps. The repeated spikes suggest that the attackers adjusted their methods mid-attack to maintain pressure on the target’s infrastructure.
Major attacks on this scale were rare not long ago. At the beginning of 2025, no events above 1 Tbps were recorded, yet four appeared within the first quarter of 2026.
Activity patterns also show that attackers are shifting towards multi-vector events that combine multiple methods at once.
The share of these attacks increased from 8.0% to 10.7%, while combinations of network-layer and application-layer traffic nearly doubled.
Another development involves a botnet loader known as Aeternum C2, which uses the Polygon blockchain as its command channel. Commands are written to smart contracts and fetched by infected devices through public endpoints instead of centralized servers.
This setup removes common points of failure. Without a central domain or hosting provider, traditional takedown strategies become far more difficult to execute.
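Because there is no C2 domain to sinkhole, defenders have to look at the egress pattern instead: devices that should never speak to a public blockchain RPC endpoint doing so repeatedly. The following is an added illustration, not code from the article or from Qrator Labs; the IoT address range, the RPC hostnames and the proxy log lines are constructed placeholders, and a deployment would substitute its own segments and endpoint list.

```python
# Added example (not from the article or Qrator Labs): flag hosts in an IoT
# address range that repeatedly poll public blockchain RPC endpoints, the
# egress pattern a smart-contract-backed C2 like the one described would leave.
# The ranges, hostnames, threshold and log lines are constructed placeholders.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

IOT_RANGES = [ip_network("10.20.0.0/16")]          # assumed camera/router VLAN
RPC_HOSTS = {"rpc.example-chain.test",             # placeholder list of public
             "polygon-rpc.example.test"}           # chain RPC endpoints
MIN_POLLS = 5                                      # assumed per-window threshold

# Proxy log shape assumed here: "<src_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) "
                    r"https?://(?P<host>[^/ ]+)\S* (?P<status>\d{3})$")

def parse(line):
    """Return the fields of one proxy log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_pollers(lines, min_polls=MIN_POLLS):
    """Map IoT-range source IPs to their RPC request count, keeping only those
    at or above the threshold. Workstations outside IOT_RANGES are ignored
    because legitimate web3 clients may live there (a deliberate caveat)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src = ip_address(rec["src"])
        if any(src in net for net in IOT_RANGES) and rec["host"] in RPC_HOSTS:
            counts[str(src)] += 1
    return {src: n for src, n in counts.items() if n >= min_polls}

# Constructed sample window: one camera polls the chain six times, a second
# only twice, a developer workstation polls seven times but is not in scope.
SAMPLE_LOG = (
    ["10.20.3.17 POST https://rpc.example-chain.test/ 200"] * 6
    + ["10.20.3.18 POST https://polygon-rpc.example.test/ 200"] * 2
    + ["10.20.3.18 GET https://firmware.example.test/update.bin 200"]
    + ["10.50.1.5 POST https://rpc.example-chain.test/ 200"] * 7
    + ["garbled line with no structure"]
)

if __name__ == "__main__":
    for src, n in suspicious_pollers(SAMPLE_LOG).items():
        print(f"{src}: {n} RPC polls from IoT range")  # prints 10.20.3.17: 6
```

A hit is a lead for triage, not proof of infection; confirming it means inspecting what the device fetches and whether it has any legitimate reason to read chain state.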
The security researchers also tracked growing amounts of automated traffic unrelated to direct outages. Blocked malicious bot requests averaged around 2.5 billion per month, while an attack against an e-commerce target lasted more than two weeks and generated over 178 million requests.
Network routing incidents also remained active, with seven global route leaks and one BGP hijack recorded during the quarter.