Over 20 Billion Devices, Minimal Security
The numbers have crossed a threshold that makes the problem structural, not anecdotal. IoT Analytics’ State of IoT 2025 report, published in October 2025, estimates 21.1 billion connected IoT devices globally in 2025 — a 14% increase from the 18.5 billion counted in 2024. By 2030, the projection reaches 39 billion. These devices — smart cameras, routers, industrial sensors, medical monitors, smart thermostats, connected appliances — share a common vulnerability profile: they ship with default credentials, run outdated firmware that is rarely or never updated, lack encryption for data in transit, and operate on processors too constrained to run conventional security software.
The economics of IoT manufacturing explain the security deficit. A $15 smart camera sold on AliExpress operates on margins measured in cents. Adding a secure boot process, encrypted firmware updates, unique per-device credentials, and ongoing security patch support could add $2-5 to the bill of materials and require sustained engineering investment that the manufacturer’s business model does not support. Shenzhen-based OEMs producing millions of white-label devices for global brands have zero incentive to invest in security features that consumers cannot see and do not demand. The result is a global fleet of devices that are, from a security perspective, permanently vulnerable from the moment they leave the factory.
This is not a theoretical risk. It is an active, industrialized attack surface. Cloudflare’s Q1 2025 DDoS Threat Report documented a staggering 358% year-over-year increase in DDoS attacks, blocking 20.5 million attacks in that quarter alone. The scale of individual attacks has escalated just as dramatically: in October 2024, Cloudflare mitigated a 5.6 Tbps attack launched by a Mirai-variant botnet using roughly 13,000 compromised IoT devices. By the third quarter of 2025, the Aisuru botnet — commanding an estimated 1 to 4 million infected hosts globally — was routinely generating attacks exceeding 1 Tbps, with a peak recorded at 29.7 Tbps. The Q4 2025 report capped the year with a record-setting 31.4 Tbps assault. The average cost of a DDoS attack to the targeted enterprise now runs into the hundreds of thousands of dollars per incident, and the attacks are growing in sophistication, blending volumetric floods with application-layer precision targeting.
The Botnet Economy: From Mirai to Aisuru
The Mirai botnet of 2016 was the watershed. When three college students released malware that scanned the internet for IoT devices running default credentials, compromised them, and organized them into a coordinated DDoS cannon, they demonstrated that millions of insecure devices could be weaponized trivially. The Mirai attack on DNS provider Dyn on October 21, 2016 — which temporarily took down Twitter, Netflix, Reddit, GitHub, and dozens of other major services — used approximately 100,000 compromised devices to generate over 1.1 Tbps of attack traffic.
Mirai’s source code was publicly released, spawning an entire ecosystem of variants. By 2026, security researchers track dozens of active Mirai-derived botnet families, each adding new exploitation capabilities. InfectedSlurs, discovered by Akamai in late October 2023, exploits zero-day vulnerabilities in FXC outlet wall routers and QNAP VioStor NVR devices. Mozi, a peer-to-peer botnet that historically infected over 1.5 million devices — roughly 90% of them in China and India — was neutralized in August 2023 through what researchers at ESET determined was a deliberate kill switch deployment, likely by the original creators or Chinese law enforcement. Newer variants target industrial IoT protocols like Modbus and BACnet, extending the botnet threat into operational technology environments. The most significant development of 2025 was the emergence of the Aisuru botnet, which assembled an army of an estimated 1 to 4 million compromised devices and unleashed hyper-volumetric DDoS attacks that shattered previous records. The common thread across all these variants is that each finds fresh populations of unpatched, default-credential devices to recruit.
The botnet economy has matured into a professional service industry. DDoS-for-hire services — marketed as “stresser” or “booter” services — rent IoT botnet capacity at prices ranging from as little as 10 euros for a basic attack to thousands per month for sustained, high-bandwidth campaigns. Researchers at the University of Cambridge’s Cybercrime Centre, in a study presented at the USENIX Security Symposium in 2025, examined global law enforcement efforts against these platforms, finding that most users are gamers and casual actors rather than sophisticated cybercriminals, with few attempting to hide their identities. International operations like Operation PowerOFF continue to seize booter domains, but new services emerge as fast as old ones are dismantled. For a few hundred dollars, anyone can launch a multi-hundred-gigabit attack sufficient to take a mid-sized company offline for hours.
Advertisement
The Regulatory Response: EU Cyber Resilience Act and Beyond
The market failure in IoT security — where manufacturers externalize security costs to users and the broader internet — has finally triggered regulatory intervention. The EU Cyber Resilience Act (CRA), which entered into force on 10 December 2024, with main obligations applying from 11 December 2027, represents the most significant regulatory response to date. The CRA mandates that all products with digital elements sold in the EU must meet essential cybersecurity requirements throughout their lifecycle, with reporting obligations taking effect even earlier on 11 September 2026.
For IoT manufacturers, the CRA’s requirements are transformative: no default passwords (each device must ship with unique credentials), mandatory security updates for a minimum of five years or the product’s expected lifetime, vulnerability disclosure policies, and conformity assessments for high-risk product categories (routers, smart home gateways, industrial controllers). Non-compliance carries fines of up to 15 million euros or 2.5% of global turnover. The CRA effectively makes the Shenzhen white-label model illegal for the EU market — manufacturers can no longer ship devices without security considerations and walk away.
The United States has taken a softer approach with the U.S. Cyber Trust Mark program, officially launched by the White House on January 7, 2025, which provides a voluntary labeling scheme for IoT devices meeting baseline security criteria. Administered by the FCC, the program allows compliant devices to display a shield-shaped label with a QR code linking to security information, indicating they meet standards for unique passwords, regular software updates, and data protection. While voluntary, major retailers including Amazon and Best Buy have committed to highlighting Cyber Trust Mark products, creating market pressure that may prove more effective than mandates in the U.S. context. The UK’s Product Security and Telecommunications Infrastructure Act (PSTI), effective since 29 April 2024, bans universal default passwords and requires manufacturers to publish vulnerability disclosure policies — a narrower mandate than the CRA but enforceable with fines of up to 10 million pounds or 4% of global turnover, whichever is greater, plus up to 20,000 pounds per day for ongoing violations.
Technical Challenges: Securing 256KB of RAM
Even with regulatory pressure, securing IoT devices faces genuine technical constraints that distinguish the problem from conventional software security. Many IoT devices operate on microcontrollers with 256KB of RAM or less — a Cortex-M0 processor running at 48MHz with 32KB of flash storage cannot run a TLS 1.3 stack, a host-based intrusion detection system, and an OTA update agent simultaneously. Security solutions must be fundamentally different from the endpoint protection paradigms that work on servers and laptops.
The industry response is converging on several approaches. ARM’s Platform Security Architecture (PSA Certified) provides a hardware-rooted security framework for Cortex-M microcontrollers, establishing secure boot, secure storage, and cryptographic service foundations at the silicon level. NIST’s Lightweight Cryptography standardization project selected the Ascon algorithm family in February 2023, and finalized the standard as SP 800-232 in August 2025. Ascon provides authenticated encryption, hashing, and extendable output functions with minimal memory and computational overhead, making strong cryptography feasible on the smallest devices. Microsoft’s Azure Sphere and Google’s OpenThread represent platform-level approaches, embedding security into the development SDK rather than bolting it onto finished products.
Network-level security offers a complementary approach for the billions of devices already deployed with no prospect of firmware updates. Companies like Armis — which raised $200 million in a Series D round in October 2024 at a $4.2 billion valuation, then followed with a $435 million round in November 2025 at a $6.1 billion valuation — and Finite State provide agentless IoT security platforms that monitor device behavior at the network level, detecting anomalous traffic patterns, identifying compromised devices, and segmenting vulnerable devices from critical network assets. For enterprises and service providers managing large IoT fleets, network-based detection may be the only viable security layer for devices whose firmware will never be updated. The fundamental challenge remains: the IoT security problem is one of economic incentives, not technical impossibility, and until the cost of insecurity falls on manufacturers rather than users, the botnet crisis will continue to scale with every device shipped.
Frequently Asked Questions
What does “The IoT Botnet Crisis” mean?
The IoT Botnet Crisis: How Billions of Connected Devices Became the Internet’s Biggest covers the essential aspects of this topic, examining current trends, key players, and practical implications for professionals and organizations in 2026.
Why does the iot botnet crisis matter?
This topic matters because it directly impacts how organizations plan their technology strategy, allocate resources, and position themselves in a rapidly evolving landscape. The article provides actionable analysis to help decision-makers navigate these changes.
How does the botnet economy: from mirai to aisuru work?
The article examines this through the lens of the botnet economy: from mirai to aisuru, providing detailed analysis of the mechanisms, trade-offs, and practical implications for stakeholders.
Sources & Further Reading
- IoT Analytics — State of IoT 2025: 21.1 Billion Connected Devices
- Cloudflare — Q4 2024 DDoS Threat Report: Record 5.6 Tbps Attack
- Cloudflare — Q1 2025 DDoS Threat Report: 358% YoY Increase
- Cloudflare — Q3 2025 DDoS Threat Report: Aisuru Botnet
- Cloudflare — Q4 2025 DDoS Threat Report: 31.4 Tbps Record
- Cloudflare — Inside Mirai: A Retrospective Analysis
- EU Cyber Resilience Act — Official Summary
- Akamai — InfectedSlurs Botnet Zero-Day Discovery
- ESET — Who Killed Mozi? Putting the IoT Zombie Botnet in Its Grave
- NIST — Lightweight Cryptography: Ascon Selection (Feb 2023)
- NIST — SP 800-232: Ascon Lightweight Cryptography Standard (Aug 2025)
- U.S. Cyber Trust Mark — White House Launch Announcement
- FCC — U.S. Cyber Trust Mark Program
- UK PSTI Act — Product Security Regime
- Armis — $200M Series D at $4.2B Valuation (Oct 2024)
- Armis — $435M Round at $6.1B Valuation (Nov 2025)
- ARM PSA Certified Security Framework
- Cambridge Cybercrime Centre — DDoS-for-Hire Takedown Study (USENIX 2025)
