- Largest botnet tracked expanded from 1.33 million to 13.5 million infected devices
- Sustained 2 Tbps attack lasted 40 minutes with repeated spikes above 1 Tbps
- Blockchain-based command systems complicate traditional botnet disruption and mitigation efforts
Security researchers tracking large-scale cyberattacks say the largest botnet ever recorded has expanded at a pace that vastly exceeds previous forecasts.
New data from Qrator Laboratories shows that the network grew from 1.33 million infected devices to 13.5 million in about a year, marking a tenfold jump that raises concerns about how quickly these systems can scale.
The majority of compromised devices are now spread across the United States, Brazil and India, although the United Kingdom has also entered the top five origins. That dispersion makes country-based blocking much less effective because traffic can originate from almost anywhere.
DDoS attack exceeds 2 Tbps
One of the largest DDoS attacks in the first quarter of 2026, linked to the expanding botnet, targeted an unnamed organization in the gambling sector and reached more than 2 Tbps at its maximum intensity.
The sustained phase lasted more than 40 minutes, much longer than typical bursts, which usually peak for only a few seconds.
Qrator researchers recorded 11 spikes during that period, four of which exceeded 1 Tbps. The repeated increases suggest that the attackers adjusted their methods mid-attack to maintain pressure on the target’s infrastructure.
Large attacks on this scale were rare not long ago. At the beginning of 2025, no incidents greater than 1 Tbps were recorded, but four appeared in the first quarter of 2026.
Activity patterns also show that attackers are resorting to multi-vector incidents that combine multiple methods at once.
The proportion of those attacks increased from 8.0% to 10.7%, while combinations of network layer and application layer traffic almost doubled.
Another development involves a botnet loader known as Aeternum C2, which uses the Polygon blockchain as a command channel. Commands are written to smart contracts and retrieved by infected devices through public endpoints instead of centralized servers.
That setup eliminates common points of failure. Without a central domain or hosting provider, traditional removal strategies become much more difficult to execute.
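One way a defender could look for the polling pattern described above in egress proxy logs, as an added example that is not from Qrator or the original article. It assumes a proxy that records the JSON-RPC method and target contract, and that contract reads appear as `eth_call` requests; the hostnames, addresses, contract labels and thresholds are constructed placeholders.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: placeholder hostnames; replace with the RPC endpoints seen in your own egress logs.
RPC_HOSTS = {"rpc.polygon.example", "polygon-node.example"}
# Assumption: hosts with a legitimate reason to query a blockchain RPC endpoint.
ALLOWED_SOURCES = {"10.0.5.20"}

def _line(ts, src, to="0xCONTRACT_A", host="rpc.polygon.example"):
    """Build one constructed proxy log record (JSON line)."""
    return json.dumps({"ts": ts, "src": src, "host": host, "method": "eth_call", "to": to})

# Constructed sample log, not real traffic.
SAMPLE_LOG = (
    [_line(t, "10.0.9.14") for t in (1000, 1300, 1602, 1899, 2200)]             # device polling every ~300 s
    + [_line(t, "10.0.5.20") for t in (1000, 1600, 2200, 2800)]                 # allowlisted workstation
    + [_line(t, "10.0.8.8", "0xCONTRACT_B") for t in (1000, 1050, 3000, 3100)]  # bursty, human-driven
    + ["not-json garbage"]                                                      # malformed record
)

def find_rpc_pollers(lines, min_hits=4, max_jitter=0.2):
    """Flag non-allowlisted hosts that read the same contract at near-constant intervals."""
    seen = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(ev, dict) or "ts" not in ev or "src" not in ev:
            continue
        if (ev.get("host") in RPC_HOSTS and ev.get("method") == "eth_call"
                and ev["src"] not in ALLOWED_SOURCES):
            seen[(ev["src"], ev.get("to", ""))].append(ev["ts"])
    findings = []
    for (src, contract), stamps in sorted(seen.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: low values mean machine-like regularity.
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            findings.append({"src": src, "contract": contract, "hits": len(stamps),
                             "interval_s": round(avg), "jitter": round(jitter, 3)})
    return findings

if __name__ == "__main__":
    for finding in find_rpc_pollers(SAMPLE_LOG):
        print(finding)
```

Because there is no central domain to sinkhole, a finding like this points at the infected device on the local network rather than at the command infrastructure.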
Security researchers also tracked increasing volumes of automated traffic unrelated to direct outages. Blocked malicious bot requests averaged around 2.5 billion per month, while an attack against an e-commerce target lasted more than two weeks and generated more than 178 million requests.
Network routing incidents also remained active, with seven global route leaks and one BGP hijacking recorded during the quarter.