The last thing anyone wants is an army of computers weaponized to attack, called a botnet, directed at them. Forming the bedrock of DDoS and DoS attacks, botnets are never to be toyed with.
However, botnet attacks remain one of the most concerning cyber issues faced by public organizations, private companies, and individuals. That is why we dived into several weeks of research to unearth compelling and relevant data about botnets.
Top 6 Botnet Statistics (Editor’s Pick)
- Bad bots accounted for 27.7% of all web traffic in 2021.
- STRRAT had the most Q2 2022 detections in April.
- The Meris botnet was used for one of the most significant botnet attacks in August 2021.
- In Q2 2022, botnet command and control centers increased again in Russia.
- Namesilo and Namecheap were the two most abused domain registrars by botnet operators.
- Between 2021 and 2022, the US accounted for 48.49% of all botnet C&Cs.
General Botnet Statistics
1. There were over 1.6 million botnet events in Q2 2022.
This represented a 100.14% increase from detected botnet events in Q1 2022. Likewise, it accounted for a top share of the total detected 4.379 million malware events in the same timeframe.
2. Botnet detections reached over 19,000 daily in Q2 2022.
This was more than in Q1, and weekly botnet detections had climbed to 135,582 by Q2. There were also 39 unique botnet variants detected in Q2 2022.
3. The Torpig.Mebroot botnet was the most dominant in April – June 2022.
In Q2 2022, this botnet accounted for 38% of all botnet activity detections.
It was followed by Sora (24%) and STRRAT (18%) in the top three.
|Botnet Packages||Detections in Q2 2022|
4. Botnet-driven DDoS attacks averaged between 4.6 and 51.65 terabytes in volume in 2021.
The average attack also lasted between 3.65 and 8.72 hours.
5. The average Radware customer saw a 26% increase in botnet-sponsored DDoS attacks between 2021 and 2022.
Likewise, Radware blocked 37% more DDoS attacks per consumer in the same timeframe.
6. Between Q3 2021 and Q2 2022, botnet command and control (C&C) activity peaked in Q1 2022.
There were 3,538 unique botnet C2 detections in Q1 2022 alone.
This was higher than the 3,271 detections in Q4 2021 and 2,656 in Q3 2021.
Detections declined to 3,141 in Q2 2022, a drop from the previous two quarters.
7. Bad bots accounted for 27.7% of all web traffic in 2021.
This was up from 25.6% in 2020. In comparison, good bots (such as those from the Google search engine) made up 14.6% of all web traffic in 2021.
8. Evasive bad bots accounted for 65.6% of all bad bot traffic in 2021.
Moderately evasive bad bots made up 39.7% of this share, while advanced bad bots used in sophisticated botnet attacks claimed a 25.9% share.
9. There were over 2.2 million botnet events in Q4 2022.
These numbers were down 35.39% in Q3 2022. Likewise, 32 unique botnet variants were detected in the final quarter of 2022.
10. Q4 2022 experienced over 183,000 weekly botnet event detections.
This translates to about 26,223 daily botnet detections in the surveyed period.
11. Emotet, a notorious botnet family, was shut down by joint law enforcement operations in January 2021.
However, the botnet restarted its servers in November 2021 and continues to spread via its proprietary and third-party software options.
12. Linux botnet code was evolving at a faster pace in 2021.
Only 2.2% of botnets attacking Linux devices in 2020 featured unique code.
As of 2021, the number was at 9.3%.
Botnet Attack Types Statistics
13. STRRAT had the most Q2 2022 detections in April.
Reaching about 40,000 detections, the STRRAT botnet continued using phishing campaigns as its preferred mode of delivery to browsers and email clients.
14. The Torpig Mebroot botnet had its highest Q2 2022 detections in June.
The banking botnet trojan reached almost 200,000 daily detections in June alone.
15. Qbot attacked 7% of global organizations in December 2022.
This prevalent botnet malware was followed by Emotet, impacting 4% of international organizations. In third place was XMRig, with a 3% global impact.
16. RATs accounted for 35% of botnet deliveries in Q2 2022.
Remote Access Trojans (RATs) unseated credential stealers from the Q1 top spot, where they accounted for 47% of botnet deliveries.
17. Botnet accounts engineered for account takeover increased by 148% in 2021.
Advanced bad bots engineered 64.1% of account takeover attacks.
Likewise, over half (55%) of the attacks were aimed at the United States.
18. Botnets launched using Amazon as an ISP declined in 2021.
In 2021, 7.95% of bad bot activity used Amazon as an ISP, compared to 10.8% in 2020.
19. Mirai botnets accounted for over 7 million botnet detections in early 2022.
Mozi botnet has also seen significant growth since Q3 2021, with over 5 million detections in the early months of 2022.
20. The Meris botnet was used for one of the most significant botnet attacks in August 2021.
The sophisticated attack was aimed at a financial services organization, making over 17.2 million requests per second to overwhelm the victim’s servers.
This attack also engineered 20,000 bots from infected devices in 125 countries.
21. Emotet botnet detections increased over 10x year-on-year.
Emotet botnet was only detected 13,811 times in H1 2021. But that jumped to 148,701 detections in H1 2022.
22. The Mozi botnet caused 74% of all IoT attacks in 2021.
However, the Chinese government claimed to have arrested the botnet’s authors in June and August 2021.
23. Uniquely-coded botnets are growing faster against Windows systems.
14.3% of botnets attacking Windows devices in 2021 featured unique code, compared to 9.3% attacking Linux systems.
Botnet Demography Statistics
24. In Q2 2022, botnet command and control centers increased again in Russia.
Russia has seen a growth in botnet command and control centers volume for five consecutive quarters leading up to Q2 2022.
|Q1 – Q2 2021||19%|
|Q2 – Q3 2021||64%|
|Q3 – Q4 2021||124%|
|Q4 2021 – Q1 2022||24%|
|Q1 – Q2 2022||18%|
25. Moldova recorded an 81% increase in botnet C2s in Q2 2022.
Across Europe, other regions with a surge in botnet command and control centers included the Netherlands (13%) and France (5%).
26. Ukraine saw the most significant decline in botnet command and control centers in Q2 2022.
A 69% decline in botnet C2s in the area was welcome. Bulgaria also saw a 55% decline, followed by the UK’s 52% drop. Other notable mentions are Germany (17%) and Latvia (35%).
27. In 2022, Seychelles, Estonia, and the Czech Republic left the list of the top European countries by botnet C2 activity.
However, Portugal, Switzerland, and Romania debuted at positions 12, 19, and 20 to take the lost spots.
28. Uruguay-hosted botnet C&C servers declined by almost half in Q2 2022.
Brazil also saw a significant 70% decline in the botnet control servers operated from its region.
29. Domains with .cloud extensions were the most abused by botnet operators in 2022.
Q2 2022 data showed a 74% surge in the frequency of registering botnet control domains with this extension. The .sbs domain also departed from the top 20 monitored domains abused by botnet C2s in that period.
30. Botnet C2 .com domains surged again in Q2 2022.
While the .com domains associated with botnet operators fell by 75% in Q1 2022, they eroded those gains by increasing 134% in Q2 alone.
31. Namesilo and Namecheap were the two most abused domain registrars by botnet operators.
They remained in positions 1 and 2 from Q1 2022 to Q2 2022.
Likewise, Tucows (the Canadian registrar) saw a 115% jump in botnet operators hosting properties on its servers.
32. Canadian registrars hosted the most botnet C&C servers in Q2 2022.
They accounted for 33.98% of all botnet-related domain registrations, leading US registrars (33.29%) by a small margin. However, the reverse was the case in Q1 when the US registrars led with a 30.57% share, and their Canadian counterparts came second with just under 30%.
33. Chinese registrars recorded fewer botnet C&C activities on their servers in Q2 2022.
Compared to Q1 2021, there was an 81% decline in the volume of botnet properties hosted on Todaynic. NiceNic also saw a 52% drop, while Alibaba positively improved its Q1 numbers by 26%. Dnspod is worthy of mention, seeing a 13% decline in the same timeframe.
34. Over 4 in 10 bad bot traffic attacks (globally) in 2021 were directed to the United States.
43.1% of the total bad bot traffic in the year made its way to the USA.
Australia was second with 6.8% of bad bot traffic, while the UK rounded up the top three with a 6.7% share. Other notable mentions were fourth-placed China (5.2%) and Brazil (3.3%).
Bad bots generated 39.6% of all internet traffic from Germany in 2021.
Another 2.9% were caused by good bots, while humans accounted for the remainder, 57.4%.
Other countries in the top five for bad bot activity can be seen in the table below.
|Country||Bad Bot||Good Bot||Human Traffic|
36. Hong Kong experienced over 3,000 botnet events in Q1 2022.
The region enjoyed a -3% growth rate in botnet activities quarter-on-quarter, comparing the 3,097 events in Q4 2021 to 3,003 events in Q1 2022.
37. There were zero botnet command and control centers in Hong Kong from Q1 2021 through Q1 2022.
Still, the region recorded over 6,000 botnet activity detections in Q2 2021, the highest in the surveyed timeframe. The second highest count was in Q1 2021 (4,337 events), while the other quarters individually saw less than 3,500 events.
38. The Mirai botnet family detections dropped by 9% QoQ in Hong Kong in Q1 2022.
Still, it remained the most detected, accounting for 1,390 detections of the total 3,003 in the reporting period. Sality came second with just 405 detections, while Avalanche rounded up the top three (304).
39. Botnets were the most significant cyber security event type in Hong Kong.
Across Q1 2021 to Q1 2022, botnets took the lion’s share of all regional cyber threat detections. They accounted for just over 3,000 of the 4,527 malware detections in Q1 2022 alone.
40. Sality, Tinba, and Bankpatch were the highest-rising botnet family types in Hong Kong.
A comparison between Q4 2021 and Q1 2022 shows that Sality detections rose 356% to 405. Tinba also rose 23.5% in the same timeframe, while Bankpatch saw a 5.6% jump.
41. Between 2021 and 2022, the US accounted for 48.49% of all botnet C&Cs.
The Netherlands was second with 9.17% of botnet C&Cs, and Germany (8.69%) was in third place.
42. Emotet botnet was detected more in Japan than in any other region in H1 2022.
Of the total 148,701 detections in the first half of 2022, Japan accounted for 107,699. The US came second with a smaller 4,837 detections share.
The top five countries by Emotet botnet detections in H1 2022 are shown below:
43. In Q2 2021, over 11 million botnet events were detected in Kenya.
The number jumped over 4x by Q3 2021, with more than 49.8 million cyber threat detections attributed to botnet and DDoS attacks alone.
Only 278 similar advisories were issued in Q2 2021 due to the slimmer threat profile.
45. Microsoft thwarted a 2.4Tbps botnet attack in October 2021.
The attack was believed to have stemmed from 70,000 bots engineered from infected devices in the Asia-Pacific region.
Botnet Statistics by Industry
46. Bad bots generated 57% of internet traffic to the sports industry in 2021.
This represented a 23.4% increase over the 2020 values. However, the gaming and gambling industry had the highest growth between 2020 and 2021, with its 26.2% jump (to 53.9%) in bad bot traffic.
47. Law and government establishments saw a 1% reduction in advanced bad bot traffic in 2021.
However, it still made the top five industries attacked by advanced bad bots in the year, scoring 14.3% of all advanced bad bot traffic.
48. The travel industry accounted for 70.3% of advanced bad bot traffic in 2021.
That was an unwelcome 10.6% growth from 2020.
2021 data shows that most of these industries were in the United States.
In second place was the sports industry (34%), and retail (18.1%) in third.
50. Advanced bot traffic jumped almost 73% in 2021 to disrupt e-commerce promotions.
There was also an 8% spike in botnet traffic between Thanksgiving/Black Friday and Cyber Monday.
Ransomware (36%) was the highest in this category, followed by server access (18%) and DDoS attacks, which could also use botnets, in third (11%).
Stay Protected: No Ifs, No Bots
While there are good bots on the web, most of the bot traffic is from bad bots.
And as botnet operators get more sophisticated with advanced options that avoid detection, we must be prepared.
These botnet statistics, facts, and data trends shed more light on where the botnet movement is shifting, how they are delivered, and everything in between.
Likewise, learn to protect yourself against DDoS/DoS attacks that may be launched using these bad bots.