A hot potato: For years, cloud providers and internet backbone operators have been able to absorb smaller-scale assaults. Whether their defenses can withstand the reach of today's massive botnets remains an open question as security researchers warn of attacks that could ripple well beyond isolated websites and into core systems supporting everyday internet access.

Federal law enforcement agencies and technology firms are confronting a new wave of cyber threats as criminal groups seize control of hacked internet-connected devices to build increasingly destructive botnets. The latest turn comes after authorities dismantled one such network, inadvertently leaving tens of thousands of hijacked machines vulnerable to takeover by rival operators.

Botnets have long been used for extortion schemes and competitive sabotage, typically targeting websites. But experts warn that the current generation of botnets has the potential to disrupt internet infrastructure on a much larger scale. These new systems utilize devices with significantly greater processing power and network bandwidth than those in previous waves.

"Before the concern was websites; now the concern is countries," Craig Labovitz, head of technology at Nokia's Deepfield division, told The Wall Street Journal.

The concern follows a federal indictment in August of a 22-year-old Oregon resident accused of using a botnet to knock the social media platform X offline earlier this year. The Defense Criminal Investigative Service led the case. Soon after the government action, security specialists observed that up to 95,000 previously compromised machines tied to the network were quickly incorporated into new campaigns.

"UPDATE: The 11.5 Tbps attack in fact came from a combination of several IoT and cloud providers. While Google Cloud was one source, it was not the majority. Stay tuned for a full breakdown in our next report." https://t.co/MOBVRmmPqW – Cloudflare (@Cloudflare), September 2, 2025

According to Google engineer Damian Menscher, criminal operators scrambled to seize the freed devices "as fast as possible." A rival operation, known as Aisuru, captured more than a quarter of them and launched some of the largest DDoS attacks ever recorded.

Earlier this month, Cloudflare reported measuring a flood of malicious traffic at 11.5 trillion bits per second, a burst powerful enough to max out the combined bandwidth of more than 50,000 consumer internet connections. The company declared the attack a world record in terms of size. Analysts said its brevity – it lasted just seconds – suggested the operators were showcasing their network's capacity rather than unleashing its full force.

Denial-of-service campaigns have already featured in cyberwarfare. The United Kingdom has said Russia's GRU used this tactic against Ukraine's financial sector ahead of its 2022 invasion. Security experts now warn that weaponized botnets could be deployed to cut off access to broader portions of national networks.

Recent history shows how quickly these systems can scale. In July, Google informed a US court that it had dismantled a botnet that had grown from 74,000 Android TV devices in 2023 to over 10 million by this year. That network had been exploited to drive fake advertising clicks, but the company noted that it could have easily been redirected toward ransomware or DDoS attacks.

While most denial-of-service incidents trace back to collections of thousands or tens of thousands of devices, researchers are increasingly tracking larger formations. Nokia has identified a fraud-oriented network called ResHydra, which is estimated to have compromised tens of millions of machines. Chris Formosa, of Lumen's Black Lotus Labs, said that if mobilized for disruption, a botnet of that size could "do extreme damage to a country."