On February 10, 2025, something extraordinary happened across the global internet — or, more precisely, something stopped happening. Telnet scanning traffic, the persistent background hum of automated botnets probing vulnerable devices on port 23, plummeted by more than 60% in a single day. It was as if someone had flipped a switch on one of the internet’s most reliable — and most malicious — phenomena.
The sudden drop, first documented and analyzed by the threat intelligence firm GreyNoise, represents one of the most dramatic and unexplained shifts in global internet traffic patterns in recent memory. For cybersecurity professionals who have spent years tracking the relentless growth of Internet of Things botnets and their scanning operations, the silence was deafening — and deeply puzzling.
A Decades-Old Protocol Becomes the Canary in the Coal Mine
Telnet, a protocol dating back to 1969, was designed for remote terminal access in an era when network security was an afterthought. It transmits data, including passwords, in plaintext. Despite being long superseded by SSH and other encrypted alternatives for legitimate use, Telnet remains deeply embedded in the fabric of the internet — not because anyone should be using it, but because millions of poorly secured IoT devices, routers, IP cameras, and embedded systems still expose it by default. This makes Telnet port 23 one of the most heavily scanned ports on the internet, overwhelmingly by botnets seeking to recruit new devices into their armies.
According to GreyNoise Labs’ detailed analysis, global Telnet scanning traffic had been remarkably stable for months leading up to the event. Daily unique IP addresses observed scanning port 23 had hovered consistently in the hundreds of thousands. Then, beginning on February 10, 2025, that number cratered. The drop was not gradual. It was precipitous, immediate, and sustained over multiple days before any partial recovery began.
The Numbers Behind the Disappearance
GreyNoise’s global sensor network, which operates thousands of passive listeners across the internet designed to observe and classify scanning behavior, recorded the decline with striking granularity. The firm reported that the number of unique IPs conducting Telnet scans fell from a baseline of roughly 500,000 per day to fewer than 200,000 — a reduction of more than 60%. The drop was not confined to a single geographic region or autonomous system. It was global in scope, affecting traffic originating from networks across Asia, Europe, South America, and North America simultaneously.
What made the event particularly notable was its selectivity. While Telnet scanning collapsed, traffic on other commonly scanned ports — including SSH (port 22), HTTP (port 80), and HTTPS (port 443) — remained largely unchanged. This ruled out broad-based explanations such as a general internet disruption, a widespread ISP filtering event, or a change in GreyNoise’s own sensor infrastructure. Whatever caused the drop was specific to Telnet and, by extension, to the botnets that dominate Telnet scanning activity.
Botnet Takedown or Infrastructure Collapse?
The cybersecurity community has been actively debating several hypotheses. The most prominent theory centers on the possibility that a major botnet — or a small number of very large botnets — experienced a simultaneous disruption. Botnets like Mirai and its countless variants have historically been responsible for the vast majority of Telnet scanning traffic. These networks operate by scanning the internet for devices with default or weak Telnet credentials, compromising them, and then using the newly recruited devices to scan for still more targets in a self-perpetuating cycle.
If the command-and-control infrastructure of one or more dominant Mirai-family botnets was disrupted — whether through a law enforcement takedown, a rival botnet operator’s attack, or a simple infrastructure failure — the result could manifest as exactly the kind of sudden, global drop in scanning that GreyNoise observed. The Mirai ecosystem is notoriously fragmented, with dozens of variants operated by different threat actors, but a handful of particularly large variants can account for a disproportionate share of global scanning volume. GreyNoise’s analysis noted that the geographic distribution of the decline was consistent with the known footprint of major IoT botnets, which tend to be heavily concentrated in regions with large populations of vulnerable consumer-grade networking equipment, particularly in parts of East and Southeast Asia, Latin America, and Eastern Europe.
The ISP Intervention Theory
A second hypothesis involves coordinated action by internet service providers. In recent years, several large ISPs, particularly in India and China, have implemented or expanded filtering of Telnet traffic at the network edge. If one or more major ISPs in a country with a large population of compromised devices began aggressively blocking outbound Telnet scanning traffic around February 10, the effect could ripple across global statistics. However, GreyNoise’s data suggested the drop was too geographically dispersed and too sudden to be fully explained by ISP-level filtering, which typically rolls out gradually and affects traffic from specific autonomous systems in identifiable patterns.
A third, more speculative possibility is that a significant vulnerability was patched or a widely exploited device model reached end-of-life in sufficient numbers to meaningfully reduce the pool of scannable and compromisable devices. While this kind of organic attrition does occur, it almost never produces the kind of cliff-edge decline observed in the data. Device turnover is a slow, continuous process, not a discrete event.
Historical Precedents and Why This Matters
The February 2025 Telnet drop has some historical parallels, though none are exact matches. The 2016 takedown of the original Mirai botnet’s command-and-control infrastructure by law enforcement and security researchers produced a measurable but temporary decline in scanning activity, which quickly recovered as new variants filled the vacuum. Similarly, periodic disruptions of large botnets like Emotet and TrickBot have produced observable dips in their respective traffic signatures, though these were typically on different protocols.
What distinguishes the February 2025 event is its scale, its specificity to Telnet, and the fact that, as of GreyNoise’s reporting, no law enforcement agency or security firm had publicly claimed credit for a takedown operation that could explain it. Major botnet disruptions are typically accompanied by press releases, court filings, or coordinated public announcements from the agencies involved. The silence from the law enforcement and intelligence communities has only deepened the mystery.
Implications for Defenders and the Broader Threat Environment
For network defenders and security operations teams, the event carries both encouraging and cautionary implications. On the encouraging side, a sustained reduction in Telnet scanning traffic means fewer automated compromise attempts against vulnerable devices, buying time for organizations that have been slow to disable Telnet or segment vulnerable IoT devices. On the cautionary side, the event underscores how much of the internet’s baseline threat activity is driven by a relatively small number of large botnets. The concentration of scanning capability in a few dominant networks means that the threat environment can shift dramatically and without warning.
There is also the question of what happens next. If the drop was caused by a botnet takedown, history suggests that the vacuum will eventually be filled. The Mirai source code has been publicly available since 2016, and the barrier to entry for building new IoT botnets remains extraordinarily low. If the cause was ISP filtering, the effect may be more durable but also more geographically limited, potentially pushing botnet operators to adapt by shifting to other protocols or using VPN and proxy infrastructure to circumvent blocks.
An Internet Mystery Still Unfolding
GreyNoise has committed to continued monitoring and analysis, and the firm’s researchers have called on the broader security community to share data and observations that might help pinpoint the cause. The event has also prompted renewed discussion about the state of IoT security and the persistent failure of device manufacturers to ship products with Telnet disabled by default — a practice that security experts have been calling for since at least the mid-2010s.
As of mid-2025, the full explanation for the February 10 Telnet collapse remains elusive. The data is clear: something significant changed in the global botnet ecosystem on that day. Whether it was the result of deliberate human action, infrastructure failure, or some combination of factors is a question that continues to occupy some of the sharpest minds in threat intelligence. What is beyond dispute is that the event laid bare, in stark numerical terms, the sheer scale of automated malicious activity that constitutes the internet’s background radiation — and how quickly that radiation can change when the sources go dark.
For an industry accustomed to tracking slow-moving trends and incremental shifts, the Telnet silence of February 2025 was a rare, sharp reminder that the internet’s threat dynamics can change overnight, and that the most important signals are sometimes not the ones that appear, but the ones that suddenly vanish.


WebProNews is an iEntry Publication