The 7 Biggest Botnets Of All Time

Botnets have matured into a disastrous cybercrime phenomenon over the years. These armies of subdued electronic devices account for cyber incidents that range from data theft and click fraud to malware propagation and distributed denial-of-service (DDoS) attacks.

Although the underlying predatory applications are typically easy to remove using mainstream antiviruses, things get tough when experienced cybercriminals come on the scene. In this scenario, the damage can be jaw-dropping and the remediation is extremely challenging.

The paragraphs below cover the world’s most impactful botnets and provide hands-on tips on the protection strategies.


  • Type: banking Trojan
  • Period of activity: 2007 – the present day
  • Bot count: more than 13 million
  • Propagation vectors: spam, exploit kits
  • Geo footprint: 196 countries
  • Financial losses caused: $120 million

When the Zeus botnet was in full swing, it was responsible for a whopping 90% of all online bank fraud cases around the world. The core malware mostly plagues computers via spam. One of the early massive outbreaks occurred in 2009, infecting more than 3.5 million machines with the banking Trojan in the U.S. alone.

In 2011, the malicious program was equipped with peer-to-peer functionality for code updates. This version was codenamed GameOver Zeus based on the gameover.php script that would set the update process in motion.

The pest is hard to detect due to a polymorphic encryption feature that prevents AV solutions from identifying its traces in a system. To top it off, the infection pollutes multiple files. Security researchers recommend reinstalling a Zeus-riddled system from scratch to address the problem for good.


  • Type: email worm
  • Period of activity: 2007-2008
  • Bot count: 2 million
  • Propagation vectors: spam

Storm made its debut in 2007. Back then, it was spreading via spam emails that contained videos of the newsmaking weather disaster in Europe, hence its name.

This computer worm was considered to be the most advanced malware at the time. Its authors leveraged the decentralized peer-to-peer Overnet protocol to control bots. Storm used server-side polymorphism to avoid being detected by traditional security tools.

This botnet reached its peak in July 2007 when it accounted for at least 20% of the whole spam volume globally. These rogue emails were mainly pushing fake drugs.

To prevent antimalware labs from reverse-engineering the code of Storm, its makers would execute DDoS attacks against IP addresses that were persistently requesting bot updates (which is what cybersecurity firms often do).

The Storm campaign came to a complete halt in late 2008. The most plausible theory on why this happened is that white hat researchers somehow managed to disrupt its malicious infrastructure.


  • Type: malware loader, banking Trojan
  • Period of activity: 2014 – the present day
  • Bot count: unknown
  • Propagation vectors: spam, social engineering

Although the credential-stealing Trojan called Emotet has been in rotation for only six years, it underlies one of the world’s top three botnets in terms of sophistication and the damage caused.

The harmful payload mainly arrives with spam emails that contain a rogue Microsoft Office file. Once opened, the attachment prompts the recipient to enable macros – if the trick works out, the predatory code is quietly downloaded onto the host.

In 2017, Emotet operators took a sharp turn and repurposed the threat into a loader for other malware, including scareware and enterprise-targeting ransomware. An offbeat feature was discovered in 2020: the Trojan can compromise unsecured Wi-Fi networks and replicate itself inside them. This is reminiscent of worm activity.

The Emotet campaign is making itself felt the most in Germany, the US, China, Russia, India, Poland, and Italy.


  • Type: Trojan/worm
  • Period of activity: 2009-2011
  • Bot count: about 23 million
  • Propagation vectors: pirated apps, P2P platforms, MSN messenger, USB sticks
  • Geo footprint: 190 countries

Mariposa (the Spanish word for “butterfly”) splashed onto the scene in 2009. In the course of its first outbreak, it enslaved 12 million computers around the world. Another wave spotted during this botnet’s two-year lifespan hit 11 million more machines.

As obsolete as it may sound nowadays, malware-riddled USB thumb drives were among the primary infection techniques. This scheme was quite effective back in the day due to the autorun.inf process that would automatically launch executables on pluggable media.

Mariposa was intended to pull off different types of online fraud, distribute browser hijackers, and steal the account credentials of its victims. Its operators furtively obtained personal information belonging to about 800,000 users.

In the aftermath of a collaborative effort of researchers and law enforcement, the command-and-control servers underlying the Mariposa botnet were seized in Spain in December 2009.


  • Type: Trojan downloader, coin miner
  • Period of activity: 2011-2013
  • Bot count: 9 million
  • Propagation vectors: exploit kits

Discovered in 2011, ZeroAccess was an unusual strain that used a clever “red herring” technique to terminate antiviruses on contaminated computers. It created a decoy file that was easily detectable by popular security solutions running on subordinated machines. This way, the Trojan determined the underlying AV executable and ran the ExitProcess command to terminate it.

In December 2013, Microsoft analysts and law enforcement agencies pinpointed and brought down the C2 servers used by ZeroAccess operators. As a result of this move, the botnet came to a standstill.


  • Type: banking Trojan
  • Period of activity: 2011 – the present day
  • Bot count: unknown
  • Propagation vectors: malware-riddled freeware bundles, spam

Also known as Citadel, this nasty was first spotted in the fall of 2011. Its early iteration focused on stealing funds from users via web injection tricks that allowed the Trojan to display rogue sign-in forms on e-commerce or online banking pages. Since this version of Dridex could spread via USB memory sticks, it was originally categorized as a worm.

In 2017, the crooks gave their harmful code an overhaul by switching to different loaders once in several days. This makes the threat more evasive and poses a hurdle to performing in-depth analysis. Dridex mainly infects European users, with the UK, Germany, and France being the hardest-hit countries.


  • Type: DDoS botnet
  • Period of activity: 2016 – the present day
  • Bot count: about 550,000
  • Propagation vectors: brute-force attacks

This botnet consists of infected IoT devices that run vulnerable firmware or use easy-to-guess access credentials. It was created by a group of students who wanted to knock their college IT network offline via a large amount of malformed web traffic. However, the control over Mirai slipped out of its authors’ hands, and it has since grown into the most massive IoT botnet in existence.

In October 2016, Mirai was weaponized to orchestrate a powerful DDoS attack against the high-profile Internet infrastructure company called Dyn. This raid temporarily impacted Twitter, GitHub, Amazon, Comcast, Pinterest, Netflix, and dozens of other popular services. Although the number of mishandled smart devices was only about 100,000, the attack generated a mind-boggling traffic volume that went well over 1Tbps.

Protection Tips

Botnets are here to stay, and therefore end-users and businesses need to proactively defend themselves against the escalating menace. The following cost-effective methods can prevent your devices from becoming low-hanging fruit:

  • Use trusted antivirus software. The silver lining is that most security solutions can easily identify sketchy code used by botnet operators. Therefore, running regular scans with a reputable AV tool is half the battle.
  • Do not download suspicious email attachments. Although modern email services filter out most spam and phishing emails in a snap, some of these messages may still end up in your inbox. If the sender is unfamiliar, you are better off never opening files attached to such emails.
  • Keep your operating system and third-party apps up to date. This is a hugely important habit that prevents botnet-related malware from exploiting known vulnerabilities in your software. Because updates patch such flaws, you can raise the bar for attackers.
  • Treat freeware bundles with caution. Some botnet makers spread their malware via free app packages in which the default setup option conceals the actual list of entities being installed. Always go for the custom installation mode and deselect unwanted items, if any.
  • Use strong passwords. IoT botnets such as the above-mentioned Mirai hinge on weak firmware passwords on connected devices. Be sure to change the default credentials and specify hard-to-guess passwords consisting of letters, numbers, and special characters.
Posted In: contributorcontributorsGeneral

Ad Disclosure: The rate information is obtained by Bankrate from the listed institutions. Bankrate cannot guaranty the accuracy or availability of any rates shown above. Institutions may have different rates on their own websites than those posted on The listings that appear on this page are from companies from which this website receives compensation, which may impact how, where, and in what order products appear. This table does not include all companies or all available products.

All rates are subject to change without notice and may vary depending on location. These quotes are from banks, thrifts, and credit unions, some of whom have paid for a link to their own Web site where you can find additional information. Those with a paid link are our Advertisers. Those without a paid link are listings we obtain to improve the consumer shopping experience and are not Advertisers. To receive the rate from an Advertiser, please identify yourself as a Bankrate customer. Bank and thrift deposits are insured by the Federal Deposit Insurance Corp. Credit union deposits are insured by the National Credit Union Administration.

Consumer Satisfaction: Bankrate attempts to verify the accuracy and availability of its Advertisers' terms through its quality assurance process and requires Advertisers to agree to our Terms and Conditions and to adhere to our Quality Control Program. If you believe that you have received an inaccurate quote or are otherwise not satisfied with the services provided to you by the institution you choose, please click here.

Rate collection and criteria: Click here for more information on rate collection and criteria.