TL;DR
- The U.S. Department of Justice disrupted a massive IoT botnet comprising approximately 3 million compromised devices — primarily routers, IP cameras, and other network equipment [1]
- Most compromised devices were consumer and small business equipment with default credentials, unpatched firmware, or end-of-life hardware that no longer receives security updates
- Your office router, IP cameras, and smart devices could be part of a botnet right now without showing any obvious symptoms
- Protecting your business requires changing default passwords, updating firmware, segmenting IoT devices onto separate networks, and retiring end-of-life equipment
The DOJ Just Took Down a 3-Million-Device Botnet — Here's Why You Should Care
In March 2026, the U.S. Department of Justice announced the disruption of one of the largest IoT botnets ever recorded — a network of approximately 3 million compromised devices spread across the globe [1]. The botnet was used for distributed denial-of-service (DDoS) attacks, proxy services, and as infrastructure for other criminal operations.
The compromised devices weren't servers in data centers. They were routers, IP cameras, DVRs, NAS (network-attached storage) devices, and other network equipment — the same types of devices sitting in SMB offices, retail stores, medical practices, and home offices right now.
This is the core message for every small business owner: your network devices are targets, and if they're compromised, you might never know.
Botnets are silent. A compromised router still routes your traffic. A compromised camera still records video. The device works normally for you while simultaneously participating in criminal activity — launching DDoS attacks against other organizations, acting as a proxy for attackers to hide their identity, or scanning the internet for more vulnerable devices to recruit.
How IoT Devices Get Recruited Into Botnets
The infection process for most IoT botnets follows predictable patterns. Understanding these patterns is the first step toward defending your business.
Default Credentials
The most common entry point for IoT compromise is unchanged default credentials. Many routers, cameras, and network devices ship with factory-set usernames and passwords — often combinations like admin/admin, admin/password, or vendor-specific defaults that are publicly documented.
Botnet operators run automated scanners that try these default credentials against every internet-facing device they can find. The Mirai botnet — which first emerged in 2016 and whose source code has since been used as the basis for countless variants — originally spread by trying just 62 default username/password combinations [2]. That small list was enough to compromise hundreds of thousands of devices.
Unpatched Firmware Vulnerabilities
IoT devices run firmware — embedded software that controls how the device operates. Like any software, firmware has vulnerabilities. Unlike your laptop or phone, most IoT devices don't update automatically. Many require manual firmware updates that most users never perform.
When a vulnerability is discovered in a router's firmware, the manufacturer may release a patch — but if nobody applies it, the device remains vulnerable indefinitely. Botnet operators actively scan for devices running known-vulnerable firmware versions.
End-of-Life Devices
Perhaps the most insidious problem: many IoT devices reach "end of life" (EOL) — meaning the manufacturer stops releasing security updates entirely. The device still works, so the owner keeps using it, but it will never receive another security patch.
CISA has specifically warned about the risks of end-of-life network devices, noting that they represent a growing and permanent vulnerability in organizational networks [3].
If your business is running a router that's more than 5 years old, there's a meaningful chance it's no longer receiving security updates. It still works, but it's a permanent opening in your defenses.
What Was This Botnet Actually Used For?
Large-scale botnets like the one disrupted by the DOJ serve multiple purposes for criminal operators [1]:
DDoS-for-hire. The botnet's primary function was launching DDoS attacks — overwhelming target websites, services, and networks with traffic from millions of compromised devices. Botnet operators sell DDoS attacks as a service to anyone willing to pay.
Residential proxy services. Compromised consumer and business devices provide "clean" IP addresses. Attackers route their traffic through your router, making their activity appear to come from a legitimate residential or business connection. This is used for fraud, credential stuffing, scraping, and evading geographic restrictions.
Cryptocurrency mining. Some botnets use the processing power of compromised devices (particularly NAS devices and more capable routers) to mine cryptocurrency. This consumes your electricity and degrades device performance.
Lateral movement infrastructure. A compromised device on your network can serve as a foothold for deeper attacks. If an attacker controls your router, they can intercept traffic, redirect DNS queries, or pivot to other devices on your network.
Why SMBs Are Disproportionately Affected
Enterprise organizations typically have network security teams that manage device inventories, enforce firmware update policies, and segment IoT devices from critical business systems. SMBs generally don't.
Here's the typical SMB IoT security reality:
The router was set up once and forgotten. An IT contractor or the ISP installed the router years ago. Nobody has logged into the admin panel since. The firmware hasn't been updated. The admin password might still be the factory default.
IP cameras were installed for physical security. They're connected to the same network as the business computers. Nobody has updated the camera firmware or changed the default credentials. Some models have known vulnerabilities that are years old.
Nobody maintains an IoT device inventory. Most SMBs can't list every networked device in their environment. Smart TVs in the break room, network printers, smart thermostats, wireless access points — they're all on the network, and nobody tracks their security status.
End-of-life equipment stays in service. Replacing working equipment costs money. When a router still works, there's no business pressure to replace it — even if it's a security liability.
The result: the average SMB office has multiple devices that are vulnerable to botnet recruitment right now.
How to Protect Your Business — A Practical IoT Security Checklist
IoT security doesn't require expensive tools or dedicated security staff. It requires attention and discipline. Here's a checklist any SMB can follow:
1. Change Every Default Password
Log into every network device in your office — routers, switches, access points, IP cameras, NAS devices, printers — and change the default admin credentials. Use strong, unique passwords for each device. Store them in a password manager.
This single step would have prevented the majority of devices in this botnet from being compromised.
2. Update Firmware on All Network Devices
Check the manufacturer's website for each device and compare your installed firmware version against the latest available. If updates are available, apply them. If the manufacturer no longer releases updates, the device is end-of-life — plan to replace it.
Set a quarterly calendar reminder to check for firmware updates. Many manufacturers offer email notification lists for security advisories.
3. Identify and Replace End-of-Life Equipment
Any device that no longer receives security updates is a permanent vulnerability. Make a list of all network devices in your environment, check their EOL status with the manufacturer, and budget for replacing any that are no longer supported.
This is especially important for routers and firewalls — the devices that sit at the boundary of your network and are directly exposed to the internet.
4. Segment IoT Devices onto a Separate Network
Your IP cameras, smart TVs, and other IoT devices should not be on the same network as your business computers and servers. Most modern routers support VLANs (Virtual Local Area Networks) or at minimum a guest network.
Put IoT devices on a separate network segment with restricted access to your business systems. If an IoT device is compromised, network segmentation prevents the attacker from pivoting to your critical business data.
5. Disable Remote Management Unless Required
Many routers and network devices have remote management features enabled by default — allowing admin access from the internet. Unless you specifically need this, disable it. Remote management is one of the primary attack surfaces that botnet operators exploit.
If you do need remote management, ensure it's protected by strong credentials, uses encrypted connections (HTTPS, not HTTP), and ideally is restricted to specific IP addresses.
6. Monitor for Unusual Network Activity
Watch for signs that a device on your network has been compromised:
- Unexplained increases in network traffic, especially upload traffic
- Devices communicating with unexpected external IP addresses
- Slower network performance without an obvious cause
- Device admin panels that have been locked out or have changed settings
Your router's admin panel often shows connected devices and traffic statistics. Check it periodically.
7. Consider a Network Security Audit
If you're not sure about the security status of your network devices, a professional security audit can identify vulnerable and end-of-life equipment, check for compromised devices, and recommend specific improvements. This is especially valuable if your business handles sensitive data, serves customers online, or has compliance requirements.
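As an added example that is not part of the original post, the warning signs from step 6 can be applied mechanically to a router's exported flow records, and the result cross-checked against the segmentation from step 4. The record layout, the addressing plan (192.168.10.0/24 for business, 192.168.20.0/24 for IoT), the sample records and the thresholds are all assumptions chosen for the example.

```python
"""Flag devices whose outbound traffic matches the botnet warning signs.
Added example, not code from the original post: it applies the step 6 checks
(unexplained upload volume, connections to many unfamiliar external addresses)
to router flow records. Record layout, addressing and thresholds are assumed."""
from ipaddress import ip_address, ip_network

# Assumed addressing plan: business LAN plus a separate IoT segment (step 4).
SEGMENTS = {"business": ip_network("192.168.10.0/24"),
            "iot": ip_network("192.168.20.0/24")}
UPLOAD_LIMIT = 50_000_000  # bytes sent to the internet per window before flagging
PEER_LIMIT = 20            # distinct external addresses contacted before flagging

# Constructed sample records, "src_ip dst_ip dst_port bytes_out" (assumed format).
SAMPLE_FLOWS = "\n".join(
    ["# src_ip dst_ip dst_port bytes_out",
     "192.168.10.20 203.0.113.5 443 1200000",    # office PC, ordinary browsing
     "192.168.10.20 198.51.100.7 443 300000",
     "192.168.20.31 192.168.10.50 554 900000",   # camera streaming to internal NVR
     "192.168.20.40 198.51.100.9 443 210000000"] # NAS pushing 210 MB to one host
    # camera contacting 40 different external addresses on telnet: scanner-like
    + [f"192.168.20.31 203.0.113.{i} 23 512" for i in range(1, 41)])

def parse_flows(text):
    """Return (src, dst, port, bytes) tuples, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, nbytes = line.split()
        flows.append((src, dst, int(port), int(nbytes)))
    return flows

def segment_of(ip):
    """Name of the internal segment an address belongs to, or None if external."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def summarise(flows):
    """Per-source upload bytes, external peers and ports for internet-bound flows."""
    stats = {}
    for src, dst, port, nbytes in flows:
        if segment_of(dst) is not None:
            continue  # internal-to-internal traffic is not an outbound signal
        s = stats.setdefault(src, {"bytes_out": 0, "peers": set(), "ports": set()})
        s["bytes_out"] += nbytes
        s["peers"].add(dst)
        s["ports"].add(port)
    return stats

def find_suspects(flows, upload_limit=UPLOAD_LIMIT, peer_limit=PEER_LIMIT):
    """Devices exceeding either threshold, with reasons and the segment they sit on."""
    findings = []
    for src, s in sorted(summarise(flows).items()):
        reasons = []
        if s["bytes_out"] > upload_limit:
            reasons.append(f"{s['bytes_out'] / 1e6:.0f} MB uploaded")
        if len(s["peers"]) > peer_limit:
            reasons.append(f"{len(s['peers'])} external peers on ports {sorted(s['ports'])}")
        if reasons:
            findings.append({"device": src, "segment": segment_of(src) or "unknown",
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['device']} ({f['segment']}): " + "; ".join(f["reasons"]))
```

On the constructed records the NAS is flagged for upload volume and the camera for contacting 40 addresses on telnet, while the office PC is not; a suspect reported on the business segment rather than the IoT one is the case step 4 is meant to prevent.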
The Broader IoT Security Problem
The 3-million-device botnet takedown is significant, but it's also a symptom of a deeper problem. The IoT security landscape remains fundamentally challenged because:
Manufacturers often prioritize features over security. Many IoT devices ship with minimal security features, default credentials, and no automatic update mechanism. The market incentivizes cheap, fast-to-market devices.
There's no universal IoT security standard enforcement. While frameworks like NIST's IoT security guidance (NISTIR 8259) provide recommendations for manufacturers [4], compliance is largely voluntary in many markets.
The installed base of vulnerable devices is enormous. Even when manufacturers improve security in new products, the billions of older devices already deployed remain vulnerable. They'll continue operating — and being compromised — until they physically fail or are replaced.
For SMBs, this means IoT security is an ongoing discipline, not a one-time fix. Regular firmware updates, credential management, and equipment lifecycle planning must be part of your standard business operations.
FAQ
How can I tell if one of my devices is part of a botnet?
Most botnet infections show no obvious symptoms to the user. Your device continues to function normally while participating in attacks. Signs to watch for include unexplained increases in network traffic (especially outbound), degraded network performance, devices making connections to unfamiliar IP addresses, and unexpected changes to device settings. Your router's traffic monitoring features or a network scanning tool can help identify suspicious activity.
Which devices are most commonly targeted?
Routers are the most commonly targeted IoT devices because they're directly exposed to the internet and often run outdated firmware. IP cameras and DVRs are also heavily targeted because many models have well-known vulnerabilities and default credentials. Network-attached storage (NAS) devices, smart home hubs, and even printers have been observed in botnets. Any device with a network connection and a processor can potentially be compromised.
Should I replace a router that still works?
Yes, if the router has reached end-of-life status and no longer receives firmware security updates. A working router that has unpatched vulnerabilities is a permanent opening in your network's defenses. Replacing a consumer-grade router with a current, supported model typically costs a few hundred dollars at most — a fraction of the cost of responding to a network compromise. Consider it a necessary business expense, like replacing a worn lock on your office door.
What is network segmentation?
Network segmentation means dividing your network into separate zones so that devices in one zone can't freely communicate with devices in another. For IoT security, this means putting cameras, smart devices, and other IoT equipment on a different network segment than your business computers and servers. If an IoT device is compromised, segmentation prevents the attacker from reaching your business data. Most modern business-grade routers support VLANs for this purpose.
Could my business be liable if its devices are used in a botnet?
While direct legal liability for unknowing botnet participation varies by jurisdiction, there are potential consequences. If your compromised devices are used to attack another organization, your IP address will appear in their logs, potentially leading to investigations. Additionally, if a botnet compromise leads to a data breach on your own network, you may face regulatory penalties under data protection laws. Maintaining reasonable security practices — including firmware updates and credential management — is the best protection against both technical and legal risk.
References
[1] U.S. Department of Justice, "DOJ Disrupts 3-Million-Device IoT Botnet," U.S. Department of Justice, Mar. 2026. [Online]. Available: https://thehackernews.com/2026/03/doj-disrupts-3-million-device-iot.html
[2] B. Krebs, "Who is Anna-Senpai, the Mirai Worm Author?," Krebs on Security, Jan. 2017. [Online]. Available: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
[3] CISA, "Securing Network Infrastructure Devices," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/securing-network-infrastructure
[4] NIST, "IoT Device Cybersecurity Capability Core Baseline," NISTIR 8259A, May 2020. [Online]. Available: https://csrc.nist.gov/publications/detail/nistir/8259a/final
[5] ENISA, "Baseline Security Recommendations for IoT," European Union Agency for Cybersecurity, Nov. 2017. [Online]. Available: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot
[6] FBI, "Internet Crime Complaint Center (IC3) Guidance on IoT Security," Federal Bureau of Investigation, 2024. [Online]. Available: https://www.ic3.gov/
[7] OWASP, "IoT Top 10," Open Web Application Security Project, 2024. [Online]. Available: https://owasp.org/www-project-internet-of-things-top-10/
[8] NIST, "Recommendations for IoT Device Manufacturers," NISTIR 8259, Dec. 2019. [Online]. Available: https://csrc.nist.gov/publications/detail/nistir/8259/final
Your office network devices are either assets or liabilities. lilMONSTER helps SMBs audit their IoT security posture, identify end-of-life equipment, implement network segmentation, and build ongoing device management practices. Book an IoT security assessment →
TL;DR
- The U.S. government shut down a network of 3 million hacked devices — mostly routers and cameras — that were being controlled by criminals
- These devices worked normally for their owners while secretly helping criminals attack other targets
- Your office router, security cameras, and smart devices could be hijacked without you ever noticing
- Simple steps like changing default passwords and updating device software can prevent this
What Is a Botnet?
Imagine someone figured out how to secretly mind-control thousands of toy robots. The robots still do their normal job — cleaning your room, playing music, whatever. But in the background, the controller can also make them do other things: spam your neighbors with junk mail, bang on someone's door all at once to keep them from opening it, or sneak around gathering information.
A botnet works the same way, but with real electronic devices. "Bot" means robot, and "net" means network. A botnet is a network of hijacked devices all controlled by one person or group. The devices — usually things like routers, security cameras, and smart home gadgets — still work normally for their owners. But they're also secretly following the commands of the bad guys.
What Happened?
The U.S. Department of Justice took down a botnet made up of about 3 million devices. These were mostly routers (the box that gives you WiFi), IP cameras (security cameras that connect to the internet), and other smart devices in homes and small businesses.
The criminals controlling these devices used them to:
- Attack websites by flooding them with so much traffic they crash (called a DDoS attack)
- Hide their identity by routing their internet activity through your device, so it looks like the bad activity is coming from your business
- Scan for more victims to add to the botnet and make it even bigger
The owners of these 3 million devices mostly had no idea their equipment was compromised.
How Do Devices Get Hijacked?
Three main ways:
Default passwords. Many routers and cameras come with a pre-set password like "admin" or "password." If you never change it, it's like leaving your front door key under the mat — everyone knows where to look.
Old software that was never updated. Devices run software, and sometimes that software has holes in it. The manufacturer releases a fix, but if you don't install the update, the hole stays open. Bad guys know about these holes and specifically look for devices that haven't been updated.
Devices too old to get fixes. After a few years, manufacturers stop releasing updates for older devices. The device still works, but any new security holes that are discovered will never be fixed. It's like having a lock that the locksmith can't improve anymore.
Could This Be Happening to My Business?
If your office has a router that's been running for years without anyone checking it, a set of security cameras with factory-default passwords, or smart devices that have never been updated — then yes, it's possible.
The tricky part about botnets is that you usually can't tell your device has been hijacked. It still works. The internet still works. The cameras still record. Everything seems fine. The criminal activity happens silently in the background.
What Can You Do?
Change every default password. Log into your router, cameras, and any other smart devices. Change the admin password to something strong and unique. This is the single most effective thing you can do.
Update the software on your devices. Check the manufacturer's website for your router and cameras. If there's a newer version of the software (called "firmware"), install it. Set a reminder to check every few months.
Replace really old equipment. If your router is more than 5 years old, check if the manufacturer still supports it. If they've stopped releasing updates, it's time for a new one. A new router costs a fraction of what dealing with a security problem costs.
Put smart devices on a separate network. Most modern routers let you set up a "guest" network. Put your cameras, smart TVs, and other gadgets on the guest network so they can't directly reach your business computers. If a camera gets hijacked, at least it can't spread to your important stuff.
Turn off remote access if you don't need it. Many routers let you manage them from anywhere on the internet. Unless you specifically need this, turn it off. It's one of the main ways bad guys get in.
Think of your office devices like the locks and windows in a physical building. You wouldn't leave windows open and doors unlocked. The same principle applies to your digital equipment — a little regular maintenance goes a long way.
Not sure if your office devices are secure? lilMONSTER helps small businesses check their routers, cameras, and smart devices for security problems — and fix them before bad guys find them. Talk to us →