- Largest tracked botnet grew from 1.33 million to 13.5 million infected devices.
- The sustained attack at 2 Tb/s lasted 40 minutes with repeated peaks above 1 Tb/s.
- Blockchain-based command systems complicate traditional botnet disruption and mitigation efforts.
Security researchers tracking large-scale cyberattacks say the largest botnet currently on record has grown at a rate that far exceeds previous predictions.
New data from Qrator Laboratories shows that the network went from 1.33 million infected devices to 13.5 million in about a year, a tenfold jump that raises concerns about how quickly these systems can scale.
Most of the compromised devices are now spread across the United States, Brazil and India, although the United Kingdom is also among the top five sources. This spread makes country blocking much less effective, because traffic can come from almost anywhere.
DDoS attack reaches more than 2 Tbps
One of the largest DDoS attacks in the first quarter of 2026, linked to the expanding botnet, targeted an unnamed organization in the betting industry, reaching over 2 Tbps at its peak intensity.
The sustained phase lasted more than 40 minutes, much longer than typical bursts which usually only peak for a few seconds.
Qrator researchers recorded 11 peaks during this period, four of which exceeded 1 Tbps. These repeated surges suggest that the attackers adjusted their methods mid-attack to maintain pressure on the target’s infrastructure.
Not long ago, attacks of this scale were rare. At the start of 2025, no incidents above 1 Tbps were recorded, but four appeared during the first quarter of 2026.
Activity patterns also show that attackers are moving toward multi-vector incidents that combine multiple methods at once.
The share of these attacks increased from 8.0% to 10.7%, while the combinations of network layer and application layer traffic almost doubled.
Another development involves a botnet loader known as Aeternum C2, which uses the Polygon blockchain as a command channel. Commands are written into smart contracts and retrieved by infected devices through public endpoints rather than centralized servers.
This configuration removes common failure points. Without a central domain or hosting provider, traditional takedown strategies become much more difficult to implement.
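With no central server to take down, detection shifts to the network edge. The sketch below is an added example, not from Qrator or the article: it flags internal hosts that repeatedly read the same smart contract over JSON-RPC. The record format (a TLS-inspecting egress proxy that logs POST bodies), the hosts, the contract addresses, the threshold, and the idea that commands are fetched with standard EVM read calls are all assumptions.

```python
import json
from collections import Counter

# JSON-RPC methods that read contract state on EVM chains such as Polygon.
READ_METHODS = {"eth_call", "eth_getLogs"}

def contract_reads(body):
    """Yield contract addresses read by one HTTP body (single or batch JSON-RPC)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return  # not JSON: ordinary web traffic
    for req in doc if isinstance(doc, list) else [doc]:
        if not isinstance(req, dict) or req.get("method") not in READ_METHODS:
            continue
        params = req.get("params") or [{}]
        target = params[0] if isinstance(params, list) and isinstance(params[0], dict) else {}
        addr = target.get("to") or target.get("address")
        if isinstance(addr, str):
            yield addr.lower()

def polling_hosts(records, min_reads=3):
    """Return {source host: [contracts]} for hosts that read one contract >= min_reads times."""
    counts = Counter()
    for src, _dst, body in records:
        for addr in contract_reads(body):
            counts[(src, addr)] += 1
    hits = {}
    for (src, addr), n in sorted(counts.items()):
        if n >= min_reads:
            hits.setdefault(src, []).append(addr)
    return hits

# Constructed sample: (source host, destination, POST body). All values invented.
CONTRACT = "0x" + "ab" * 20
def _call(i, to):
    return json.dumps({"jsonrpc": "2.0", "id": i, "method": "eth_call",
                       "params": [{"to": to, "data": "0x12345678"}, "latest"]})
SAMPLE = (
    [("10.0.5.21", "rpc.example.net", _call(i, CONTRACT)) for i in range(3)]  # repeated reads
    + [("10.0.5.21", "rpc.example.net", json.dumps([json.loads(_call(9, CONTRACT))]))]  # batch form
    + [("10.0.7.40", "rpc.example.net", _call(1, "0x" + "cd" * 20))]  # one-off read
    + [("10.0.7.41", "shop.example.com", "user=alice&item=42")]  # not JSON-RPC
)

if __name__ == "__main__":
    print(polling_hosts(SAMPLE))
```

Devices that have no business talking to a blockchain, such as cameras or routers, are the hits worth triaging first; legitimate wallets and dApp clients on user workstations will also match.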
Security researchers have also tracked increasing volumes of automated traffic unrelated to direct outages. Blocked malware bot requests averaged around 2.5 billion per month, while an attack on an e-commerce target lasted more than two weeks and generated more than 178 million requests.
Network routing incidents also remained active, with seven global route leaks and one BGP hijack recorded during the quarter.