Cointegrity

Botnet

A botnet is a network of internet-connected devices — personal computers, servers, routers, IP cameras, and other Internet-of-Things (IoT) hardware — that have been covertly compromised with malware and brought under the unified control of a remote operator known as a 'bot-herder.' Each infected device, or 'bot,' silently awaits and executes instructions delivered through command-and-control (C2) infrastructure, allowing the operator to coordinate the combined computational power, bandwidth, and network reach of thousands or millions of machines simultaneously. Botnets are among the oldest and most versatile tools in the cybercrime arsenal, used for distributed denial-of-service (DDoS) attacks, spam distribution, credential stuffing, click fraud, mass vulnerability scanning, malware proxying, and — directly relevant to digital assets — unauthorised cryptocurrency mining (cryptojacking) and as the device pool from which relay and proxy infrastructure is built.

Botnet command-and-control has evolved from simple centralised models, where every bot connects to a single server (a single point of failure that defenders can seize), toward more resilient architectures: peer-to-peer botnets in which bots relay commands among themselves with no central node, fast-flux DNS that rapidly rotates the IP addresses behind a domain, and the use of legitimate services (social media, blockchain transactions, cloud functions) as covert C2 channels. The same compromised-device pool that powers a conventional botnet increasingly doubles as the raw material for Operational Relay Box (ORB) networks — the distinction being that a botnet is typically operated as a single monetised fleet for noisy, high-volume activity, whereas an ORB mesh is curated for quiet, long-term, attribution-resistant relaying by state actors.
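Fast-flux DNS, mentioned above, leaves a measurable footprint in passive-DNS or resolver logs: one hostname answering with many different addresses, spread across unrelated networks, on short TTLs. The following is an added example (not Cointegrity's code, nor taken from any botnet family the page names) of a defender-side heuristic over a constructed set of resolver records; the domains, addresses and thresholds are assumptions for illustration only.

```python
"""Fast-flux DNS heuristic over constructed resolver records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in the form "epoch_seconds hostname answer_ip ttl".
# Hostnames and addresses are documentation/placeholder values, not real infrastructure.
SAMPLE_LOG = """\
1700000000 update.example-cdn.test 198.51.100.10 300
1700000300 update.example-cdn.test 198.51.100.10 300
1700000600 update.example-cdn.test 198.51.100.11 300
1700000000 cfg.fluxy.test 203.0.113.5 60
1700000060 cfg.fluxy.test 192.0.2.77 60
1700000120 cfg.fluxy.test 198.51.100.200 60
1700000180 cfg.fluxy.test 203.0.113.91 60
1700000240 cfg.fluxy.test 192.0.2.14 60
1700000300 cfg.fluxy.test 198.51.100.33 60
1700000360 cfg.fluxy.test 203.0.113.150 60
"""


@dataclass
class DomainStats:
    domain: str
    distinct_ips: int
    distinct_prefixes: int  # /16 prefixes as a rough stand-in for network diversity
    avg_ttl: float
    flagged: bool


def parse_records(text):
    """Parse whitespace-separated records; only IPv4 answers are kept (assumption)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ip, ttl = line.split()
        if ip_address(ip).version != 4:
            continue  # the /16 prefix heuristic below is IPv4-only
        records.append((int(ts), domain.lower(), ip, int(ttl)))
    return records


def analyse(records, min_ips=5, max_ttl=300, min_prefixes=3):
    """Score each hostname on address churn, network spread and TTL.

    Thresholds are assumed starting points; tune them against your own baseline.
    """
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    ttls = defaultdict(list)
    for _, domain, ip, ttl in records:
        ips[domain].add(ip)
        prefixes[domain].add(".".join(ip.split(".")[:2]))  # crude /16 bucket
        ttls[domain].append(ttl)

    results = {}
    for domain in ips:
        avg_ttl = sum(ttls[domain]) / len(ttls[domain])
        # All three signals must agree: CDNs also use low TTLs and several addresses,
        # but rarely spread one hostname across many unrelated networks.
        flagged = (
            len(ips[domain]) >= min_ips
            and avg_ttl <= max_ttl
            and len(prefixes[domain]) >= min_prefixes
        )
        results[domain] = DomainStats(
            domain, len(ips[domain]), len(prefixes[domain]), avg_ttl, flagged
        )
    return results


def flagged_domains(text=SAMPLE_LOG):
    """Return the sorted list of hostnames the heuristic flags as fast-flux candidates."""
    return sorted(d for d, s in analyse(parse_records(text)).items() if s.flagged)


if __name__ == "__main__":
    for stats in analyse(parse_records(SAMPLE_LOG)).values():
        print(stats)
```

The requirement that all three signals agree is deliberate: a low TTL or a handful of rotating addresses on its own describes ordinary CDN and load-balanced hosting, so a flag should be treated as a candidate for analyst review or enrichment with a reputation feed, not as an automatic block.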

In the cryptocurrency context, botnets intersect with digital assets in several ways. Cryptojacking botnets hijack victims' CPU and GPU cycles to mine privacy coins such as Monero, monetising stolen compute at the victim's electricity expense. Botnet operators accept cryptocurrency for DDoS-for-hire ('booter/stresser') services and rent access to their fleets on darknet markets. And some botnets abuse public blockchains themselves as a censorship-resistant C2 channel, encoding instructions in transaction metadata that bots read directly from the chain — a technique that makes the C2 effectively un-takedownable.

Example

The Mirai botnet (2016) enslaved hundreds of thousands of poorly secured IoT devices and launched record-breaking DDoS attacks, including the assault that disrupted the DNS provider Dyn and took major websites offline across the US east coast; its source code was subsequently released, spawning a long lineage of IoT botnets — and IoT-device compromise of exactly this kind is the raw material later weaponised into state-operated ORB relay networks such as Volt Typhoon's KV Botnet.

Why It Matters

Botnets are both a direct threat (cryptojacking, DDoS extortion against exchanges, credential stuffing of customer accounts) and the substrate of the relay infrastructure that obscures advanced attacks. For compliance and security teams, botnet awareness informs IP-reputation scoring in transaction monitoring, anti-automation defences on login and withdrawal endpoints, and the recognition that traffic arriving from residential or IoT IP space may be attacker-controlled rather than a genuine customer.
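The anti-automation and IP-reputation controls described above can be illustrated with a small detector over login events. This is an added example (not Cointegrity's own tooling) using a constructed login log and a constructed placeholder list of "suspect" network ranges standing in for a real reputation feed; the scoring weights and window thresholds are assumptions chosen for illustration.

```python
"""Credential-stuffing detection with IP-reputation weighting (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed placeholder for a reputation feed of residential-proxy / known-botnet space.
# Documentation ranges only; a real deployment would load this from a vendor or internal feed.
SUSPECT_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed login events: "epoch_seconds source_ip username outcome".
SAMPLE_LOGINS = """\
1700000000 192.0.2.10 alice ok
1700000030 192.0.2.10 alice ok
1700000001 198.51.100.7 alice fail
1700000002 198.51.100.7 bob fail
1700000003 198.51.100.7 carol fail
1700000004 198.51.100.7 dave fail
1700000005 198.51.100.7 erin fail
1700000006 198.51.100.7 frank ok
1700000010 203.0.113.40 grace fail
1700000011 203.0.113.41 heidi fail
1700000012 203.0.113.42 ivan fail
1700000013 203.0.113.43 judy fail
1700000014 192.0.2.55 mallory fail
1700000020 192.0.2.55 mallory ok
"""


def parse_logins(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        ip_address(ip)  # reject malformed addresses early
        events.append((int(ts), ip, user.lower(), outcome))
    return events


def reputation_weight(ip):
    """Assumed weighting: sources inside suspect ranges count double."""
    return 2.0 if any(ip_address(ip) in net for net in SUSPECT_RANGES) else 1.0


def score_sources(events):
    """Per-source risk: distinct usernames tried, scaled by failure ratio and reputation.

    A single source cycling through many usernames with mostly failures is the
    classic single-source stuffing signature.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for _, ip, user, outcome in events:
        d = per_ip[ip]
        d["users"].add(user)
        d["total"] += 1
        d["fail"] += outcome == "fail"
    scores = {}
    for ip, d in per_ip.items():
        base = d["fail"] * len(d["users"]) / d["total"]
        scores[ip] = round(base * reputation_weight(ip), 2)
    return scores


def fleet_alerts(events, window=60, min_sources=5, min_fail_ratio=0.6):
    """Distributed stuffing: many low-volume sources failing together in one window.

    Per-source scoring misses a botnet that spreads one attempt per bot, so this
    looks at the whole window instead.
    """
    buckets = defaultdict(list)
    for ts, ip, _, outcome in events:
        buckets[ts // window].append((ip, outcome))
    alerts = []
    for bucket, evs in sorted(buckets.items()):
        failing_sources = {ip for ip, outcome in evs if outcome == "fail"}
        fail_ratio = sum(1 for _, o in evs if o == "fail") / len(evs)
        if len(failing_sources) >= min_sources and fail_ratio >= min_fail_ratio:
            suspect = sum(1 for ip in failing_sources if reputation_weight(ip) > 1.0)
            alerts.append({
                "window_start": bucket * window,
                "failing_sources": len(failing_sources),
                "suspect_sources": suspect,
                "fail_ratio": round(fail_ratio, 2),
            })
    return alerts


def top_source(events):
    """Highest-scoring source, the natural candidate for a step-up challenge or rate limit."""
    scores = score_sources(events)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_LOGINS)
    print(score_sources(evs))
    print(fleet_alerts(evs))
```

The two detectors are complementary: `score_sources` catches the noisy single-source case, while `fleet_alerts` catches the distributed case where each compromised device contributes only one or two attempts. In the constructed sample the residential-range source trying six usernames scores highest, and the window as a whole trips the fleet alert because five of its six failing sources sit in suspect address space.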

Category: compliance, wallet security, infrastructure applications

Definition maintained by Cointegrity. See our editorial policy for review standards on regulatory and compliance terms.