You can now buy a Mirai-powered botnet on the dark web

Security experts are expecting to see similar offers in the coming weeks due in large part to the spread of a malware variant dubbed Mirai that helps hackers infect nontraditional internet-connected devices.
Image via Ryoji Ikeda

Digital tools like those used to disrupt the services of Spotify, Netflix, Reddit and other popular websites are currently being sold on the dark web, with security experts expecting to see similar offers in the coming weeks due in large part to the spread of a malware variant dubbed Mirai that helps hackers infect nontraditional internet-connected devices.

On Monday, a massive botnet, made up of 100,000 infected computers and other internet connected devices, was found by Daniel Cohen, head of RSA’s FraudAction business unit, for sale on the Alpha Bay marketplace.

A botnet of this size could be used to launch DDoS attacks in addition to automated spam and ransomware campaigns. The price tag was $7,500, payable in bitcoin. The anonymous vendor claimed it could generate a massive 1 terabit per second worth of internet traffic.

“Keep in mind that Mirai has only been public for a few weeks now. So not that many hackers have jumped onto the Mirai wagon yet. That said, it could be expected because of the ease of use in growing the botnet. Mirai will become a commodity, eventually,” said Cohen, “I think hackers will market the fire power and offer ‘try before you buy’ POCs to prove it. It won’t be the Mirai brand that makes the sale; it’s the actual fire power.”


It is believed that Friday’s headline-grabbing DDoS attack against managed DNS service provider Dyn, which affected multiple properties including Amazon Web Services and Twitter, was in the range of 1.2 terabytes.

It remains unclear if there is any relationship between the botnet discovered by Cohen’s research team and that used to attack Dyn’s systems.

“While most of the current IoT compromises have been around a very specific telnet exploit, I predict that botnet operators – eager to command multi-hundred thousand botnet nodes – will be searching for a larger inventory of IoT exploits to take advantage of,” Dale Drew, chief security officer at Level 3 Communications, told CyberScoop, “this could be the start of a surge of attacks against IoT devices in the consumer space.”

IoT refers to an emerging category of consumer and enterprise electronics; typically non-computer products that are connected to the internet, like routers, security cameras, smart home appliances and DVRs, among other things.

“We’re still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints,” Dyn executive vice president Scott Hilton said in a statement, Wednesday, ”we are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”


The practice of selling and even renting botnets on the dark web is nothing new — in fact, it plays into a larger, more recent trend where vendors offer “hacking-as-a-service,” capabilities. But with the rise of Mirai, experts say the underground DDoS market is shifting as vendors now have the ability to supercharge all of their offerings; giving them an avenue to potentially find new profits and to sell more destructive DDoS cannons.

“Since many of the devices Mirai infects have hard-coded passwords which can’t be changed, anyone with the right skills can create their own botnet for free with the leaked Mirai source code,” said Mark Turnage, CEO of Dark Web intelligence firm Owl Cybersecurity, “this is very low-hanging fruit where a seller is being entirely opportunistic about the leaked Mirai source code.”

According to Ahmed Eissa, an intelligence analyst at Terbium Labs, DDoS has become one of the most common hacking products for sale on the dark web. “Many people want to take sites down, which may be for revenge, harassment, or to hinder a business competitor,” Eissa said, “Mirai, and other IoT malware, has great potential to mature/develop HaaS on the dark web.”

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts