Kaspersky Digital Footprint Intelligence experts analysed botnet sales on the dark web and shadow Telegram channels and discovered that attackers can acquire ready-made solutions starting at US$99. Besides one-time purchases, botnets can be hired or acquired as leaked source code for a symbolic price. In some cases, custom botnet development is also available.
A botnet is a network of devices infected with malware, ranging from smart toothbrushes to advanced industrial Internet devices, which attackers use to organise automated mass attacks such as Distributed Denial-of-Service (DDoS) attacks.
“Mirai is one of the most infamous examples of a botnet. It scans the Internet for IoT devices with weak default passwords, uses a set of known default credentials to gain access, and infects them. The infected devices then become part of the botnet, which can be controlled remotely to perform various types of cyberattacks,” explains Alisa Kulishenko, security analyst at Kaspersky Digital Footprint Intelligence.
Cybercriminals create botnets like Mirai to sell, each with individually tailored infection processes, malware types, infrastructure, and evasion techniques. The fraudsters sell them to other criminals on the shadow market, with botnet prices depending on quality; this year the lowest offers started at US$99 and the highest reached US$10,000.
An example of a dark web offer featuring a botnet for sale
Botnets are also available for hire. Prices range from US$30 to US$4,800 per month. “Potential earnings from attacks using botnets for hire or sale can exceed the associated costs. They allow for activities such as illegal cryptocurrency mining or ransomware attacks, and more. Open sources report that an average ransom payment is two million U.S. dollars. In contrast, renting a botnet costs significantly less and can pay off with just one successful attack,” adds Kulishenko.
Since the beginning of 2024, Kaspersky experts have observed more than 20 offers for botnets for hire or sale on dark web forums and Telegram channels.
Other options: Leaked bots and custom development
Besides purchasing a ready-made solution, there are cheaper ways for nefarious actors to access botnets. Just as legitimate data can be leaked, the source code of a botnet can also be publicly released by malicious actors. Access to this leaked source code can be obtained for free or for a fee of US$10 to US$50, based on information from approximately 400 dark web and shadow Telegram posts observed since the beginning of 2024. However, leaked botnets are generally considered an option for less sophisticated actors, as they are more likely to be detected by security solutions.
A threat actor can also commission a botnet to be developed from scratch. Development costs start at US$3,000 and are not confined to any specific price range. “Most of these deals occur privately, through personal messages, and partners are typically chosen based on reputation, such as forum ratings,” Kulishenko said.