From Mirai to Volt Typhoon, cheap connected devices have been recruited into botnets for years. Here's what that actually means for your network.
In 2016, a camera from a cheap IoT manufacturer helped take down Twitter, Reddit, Spotify, GitHub, and large portions of the internet for most of a day. In 2026, the FBI issued a formal advisory about ongoing router compromises tied to the same pattern of targeting unmanaged edge devices.
The threat has been building for a decade. In 2022, 250,000 MikroTik routers were conscripted into the largest DDoS attack ever recorded at the time. In 2024, Chinese state actors built a botnet of 260,000 devices — mostly home routers and IP cameras — that they used for espionage and infrastructure reconnaissance.
Your smart thermostat isn't just a convenience. It's a potential weapon. And whether it's a weapon pointed at someone else or a door left open into your own network depends entirely on how you've configured the network it's sitting on.
In the fall of 2016, three college students released Mirai — a piece of malware that did something deceptively simple: it scanned the internet for IoT devices running default credentials and infected them. No zero-day, no sophisticated exploit. Just automated login attempts using the default username and password combinations that ship from the factory.
The infected devices — IP cameras and DVRs, mostly hardware from Hangzhou Xiongmai Technology — were then used to launch distributed denial-of-service attacks against Dyn, a DNS provider. Because Dyn handled DNS resolution for a huge swath of the internet, taking it down took down everything that depended on it: Twitter, Reddit, Spotify, Netflix, The New York Times, PayPal, and hundreds of others. The peak attack traffic hit 1.2 terabits per second.
The fix was embarrassingly simple: change the default credentials. Most users never did — not because they didn't care, but because they didn't know there was anything to change. The camera worked. The DVR worked. Nobody told them there was an admin panel with a password that needed updating.
After Mirai's source code was made public, the playbook proliferated. A short history of what followed:
Moobot targeted MikroTik routers — capable enterprise-grade hardware that ends up in SOHO deployments running outdated firmware. Because MikroTik gear is powerful and commonly overlooked by IT teams who install it and walk away, it became a prime recruitment target.
Meris (2022) built on Moobot infrastructure and assembled roughly 250,000 compromised MikroTik routers into the largest botnet ever recorded at the time, launching record-breaking DDoS attacks against targets including Yandex and Cloudflare customers. The devices were often running firmware versions from years prior. This is the same dynamic described in the April 2026 FBI router advisory — consumer and SOHO hardware sitting unmanaged with outdated firmware is a target-rich environment.
AVrecon compromised 70,000+ Linux-based SOHO routers and pressed them into service as a residential proxy network — using infected devices to route traffic in ways that made it appear to originate from legitimate home IPs. This made it far harder for fraud detection systems to flag. Europol's Operation Lightning March in early 2026 dismantled the infrastructure — but only after the botnet had been operating for years. The same modem-level compromise techniques used in campaigns like Cable Haunt enabled persistent access that survived router reboots.
Consumer botnets are disruptive. Nation-state IoT operations are something else.
PRC Integrity Technology Group botnet — disclosed in early 2025, active since at least 2021. Chinese state-linked operators built a network of approximately 260,000 compromised devices — primarily home routers and IP cameras — that was used for espionage, credential harvesting, and reconnaissance against critical infrastructure targets. The network was massive enough that it provided meaningful anonymization for the operators, making attribution difficult.
Horse Shell — documented by Check Point Research, this was a TP-Link router firmware implant that arrived via supply chain compromise. The malware was installed in modified firmware images that replaced legitimate ones. Critically: it survived factory resets. If your definition of "clean device" is "press the reset button," that's not sufficient for firmware-level implants. This is the same persistence mechanism described in discussions of zombie modems — firmware-level infection that outlasts any software-level remediation.
Volt Typhoon — the Chinese state-sponsored group documented extensively by CISA and NSA in 2023 and 2024, used SOHO routers as relay nodes for espionage operations against U.S. critical infrastructure. Their goal was pre-positioning: establishing persistent access that could be activated for disruption if needed. The FBI router advisory earlier this year was partly in response to related activity.
"A $30 smart bulb and a $300 work laptop on the same network are not equally risky — but they have equally easy access to each other."
The economics are straightforward. IoT manufacturers compete on price. Security engineering costs money. Firmware update mechanisms cost money to build and maintain. Long-term support for hardware costs money. None of these things show up on a product listing.
The result is hundreds of millions of always-on devices with known vulnerabilities, reachable from the internet, that nobody's watching. From an attacker's perspective, it's a free recruiting pool.
The answer to the IoT problem isn't throwing out your smart devices — it's making sure they can't reach anything important if they're compromised. That's network segmentation, and specifically VLAN isolation.
A VLAN (Virtual LAN) is a logically separate network running on the same physical hardware. You can have your smart devices on one VLAN and your computers and phones on another, with a firewall rule between them that prevents traffic from crossing. If the smart thermostat gets recruited into a botnet, it can participate in whatever attack it's being used for — but it can't reach your laptop, your NAS, or anything else on the main network.
In UniFi, setting up an isolated IoT network is straightforward: create a new network, mark it as isolated (which blocks inter-VLAN routing at the firewall level), and move your smart devices to it. It takes a few minutes once you know what you're doing. The result is that your smart thermostat, cameras, and smart bulbs have internet access — they need that to work — but they have no path to your computers, your NAS, or anything else on the main network.
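As an added illustration (not code from the article or from Ubiquiti), the following Python models the isolated-network policy described above as a first-match rule set and checks the three flows that matter: IoT to the internet allowed, IoT to the main LAN dropped, main LAN to IoT allowed for management. The addresses, rule names and the `FLAT_POLICY` counterexample are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (not from the article):
# main LAN 192.168.1.0/24, IoT VLAN 192.168.20.0/24.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dsts: tuple          # flow matches if dst is in any of these networks
    action: str          # "allow" or "drop"

# First-match policy for an isolated IoT network. A real firewall is
# stateful, so replies to a main-LAN-initiated connection ride the
# established session; this model only evaluates who may *initiate*.
POLICY = [
    Rule("main-to-iot", MAIN_LAN, (IOT_VLAN,), "allow"),   # manage cameras
    Rule("iot-isolation", IOT_VLAN, RFC1918, "drop"),      # the isolation
    Rule("default-allow-out", ANY, (ANY,), "allow"),       # IoT -> internet
]

# A flat network with no isolation rule, for comparison.
FLAT_POLICY = [Rule("default-allow-out", ANY, (ANY,), "allow")]

def evaluate(src: str, dst: str, policy=POLICY) -> tuple[str, str]:
    """Return (action, rule_name) for the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and any(d in net for net in rule.dsts):
            return rule.action, rule.name
    return "drop", "implicit-deny"

def audit(policy=POLICY) -> list[str]:
    """Check the flows the article cares about; return a list of problems."""
    problems = []
    # Thermostat must still reach the internet (203.0.113.10 is a test address)
    if evaluate("192.168.20.15", "203.0.113.10", policy)[0] != "allow":
        problems.append("IoT device cannot reach the internet")
    # A compromised camera must not reach the NAS on the main LAN
    if evaluate("192.168.20.15", "192.168.1.50", policy)[0] != "drop":
        problems.append("IoT device can reach the main LAN")
    # A laptop can still open the camera's admin page
    if evaluate("192.168.1.20", "192.168.20.15", policy)[0] != "allow":
        problems.append("main LAN cannot manage IoT devices")
    return problems
```

Running `audit()` against `POLICY` returns no problems, while `audit(FLAT_POLICY)` reports that an IoT device can reach the main LAN, which is exactly the exposure the isolated network removes.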
This segmentation is exactly the kind of thing that makes a managed UniFi deployment meaningfully different from a consumer router setup. A $60 router from the big-box store doesn't support proper VLAN isolation. A managed UniFi setup does — and it's the same approach I use when building networks for churches, like a local church that needed guest WiFi completely separated from staff systems and AV equipment.
The short list:
The same principle applies to the network infrastructure those IoT devices connect to. If you haven't looked at your router firmware lately — or if you're running end-of-life hardware — the FBI's April 2026 router advisory is worth reviewing. And don't forget the modem upstream: modem vulnerabilities like Cable Haunt can undermine everything downstream regardless of how well your router is configured.
For small businesses and churches, this is exactly the kind of work WCW handles — not just the initial setup, but making sure the ongoing maintenance is actually happening. I've done this for churches running AV, guest WiFi, and staff systems all on the same network, for small businesses that needed enterprise-grade protection without enterprise complexity, and for remote clients who needed someone to handle it without a truck roll. IoT segmentation is always part of the conversation.
"If your smart devices are on the same network as your computers, that needs to change — not eventually, now."
The good news: the technical fix is well understood and not particularly expensive to implement. The hard part is just getting it done. That's what I'm here for.
WCW installs UniFi networks with proper IoT segmentation built in — for small businesses, churches, and anyone who needs their smart devices and their computers to stay out of each other's way.