Botnets are being sold on the dark web for as little as $99

Botnet concept image showing multiple computers with skull symbols on screen.
(Image credit: Getty Images)

Cyber criminals are offering ready-made botnets on the dark web for as little as $99, according to Kaspersky, making cyber attacks cheaper and easier than ever to carry out.

Botnets like Mirai - which targets online consumer devices such as IP cameras and home routers - have individually tailored infection processes, malware types, infrastructure, and evasion techniques.

According to recent research from Cloudflare, 4% of HTTP DDoS attacks, and 2% of L3/4 DDoS attacks, were launched by a Mirai-variant botnet during the first quarter of this year.

"Mirai is one of the most infamous examples of a botnet. It scans the internet for IoT devices with weak default passwords, uses a set of known default credentials to gain access, and infects them," said Alisa Kulishenko, security analyst at Kaspersky Digital Footprint Intelligence.

"The infected devices then become part of the botnet, which can be controlled remotely to perform various types of cyberattacks."

Since the beginning of this year, Kaspersky researchers found more than 20 offers for botnets for hire or sale on dark web forums and Telegram channels. The lowest offers started at $99 and the highest reached $10,000, researchers said.

As well as being available as one-time purchases, botnets can be hired or acquired as leaked source code for between $30 and $4,800 per month, with custom botnet development also available in some cases.

Access to leaked source code can be obtained for free or a fee of between $10 and $50, based on information from approximately 400 dark web and shadow Telegram posts observed since the beginning of 2024.

However, Kaspersky said leaked botnets are generally deployed by less sophisticated actors, as they are more likely to be detected by security solutions.

"Potential earnings from attacks using botnets for hire or sale can exceed the associated costs. They allow for activities such as illegal cryptocurrency mining or ransomware attacks, and more," Kulishenko said.

"Open sources report that an average ransom payment is two million US dollars. In contrast, renting a botnet costs significantly less and can pay off with just one successful attack."

A threat actor can also commission a botnet to be developed from scratch, with development costs varying widely, but starting at just $3,000.

"Most of these deals occur privately, through personal messages, and partners are typically chosen based on reputation, such as forum ratings," Kulishenko noted.

Botnet activity is on the rise

Earlier this year, researchers at NetScout said they'd discovered a sharp rise in global botnet activity, spiking at more than a million devices.

Meanwhile, a Trustwave report last year found that botnets were responsible for more than 95% of all the malicious traffic on the internet, with the Mirai, Mozi, and Kinsing botnets accounting for almost all exploit attempts that were run over the HTTP or HTTPS protocols.

Global law enforcement action to tackle botnets has been escalating in recent years, with a series of high-profile takedowns crippling operations. But while these operations often inflict initial damage, history shows that many come back with a vengeance.

Qakbot, ranked among one of the most prolific botnets of all time, was taken down last year in a US-led operation. But within weeks of the sting operation, there were signs of recovery.


In October 2023, researchers at Cisco Talos warned that Qakbot-affiliated hackers still remained a pervasive threat, with threat actors in fact waging a devastating ransomware campaign that began “just before the takedown”.

Qakbot’s return isn’t an isolated example, either. Emotet, another notorious botnet, made a return after a law enforcement takedown.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.