Billions of internet-connected gadgets fill homes worldwide. Many sit forgotten in corners, their firmware untouched for years. Yet these very devices often serve as foot soldiers in vast criminal networks. Owners rarely notice the extra traffic. Or the spikes in their electricity bills. But security agencies have taken notice.
The Digital Trends report laid bare a troubling pattern. Cheap smart picture frames, streaming sticks and obscure TV boxes ship with hidden backdoors. These connect automatically to residential proxy services. Traffic from fraudsters, scalpers and ad farms flows through living rooms. It looks like it comes from ordinary households. That camouflage makes detection harder. And it turns passive consumers into unwitting accomplices.
But the problem runs deeper. Last June the FBI issued a stark warning. Cybercriminals exploit IoT devices on home networks through the BADBOX 2.0 botnet. The alert detailed how millions of devices manufactured mostly in China become compromised before buyers even open the box. Or during setup when they download apps from unofficial marketplaces. Once inside, the devices open backdoors. Criminals sell or freely share access to these residential proxies. The result? Account takeovers, malware distribution, click fraud and more. (FBI)
Short. Simple. Devastating.
Earlier this year Singapore’s Cyber Security Agency sounded its own alarm. A Mirai-based campaign targeted industrial routers alongside smart home gear. Attackers mixed zero-day exploits with known flaws. Their goal stayed clear: profit through powerful DDoS strikes against exposed targets. The list of victims included ASUS and Huawei routers, various DVRs, PTZ cameras and even Vimar smart home products. CSA urged immediate patching. “Patching your vulnerable internet-connected devices is critical to ensure the security of your system or network,” the agency wrote. It added that such action prevents devices from joining malicious botnets used to attack others. (Industrial Cyber)
And the scale keeps growing. By early 2026 connected IoT devices exceeded 18 billion. Projections pointed toward 21 billion by year-end. Many run outdated software. Default passwords remain unchanged. Remote management stays enabled. These conditions create perfect recruitment grounds. Nokia researchers tracked residential proxy networks spanning more than 100 million hijacked home devices. Mirai descendants such as Eleven11 and Aisuru pull in DVRs, cameras and gateways at industrial scale. (SWIF.ai)
But recent enforcement shows progress. In March 2026 authorities from the US, Germany and Canada dismantled infrastructure for four major botnets: Aisuru, Kimwolf, JackSkid and Mossad. The networks had infected over 3 million devices, many of them webcams, routers and DVRs. Some attacks even hit Department of Defense sites. One combined assault reached nearly 31.4 terabits per second. That volume nearly tripled previous records. (Reuters)
Google went further. In July 2025 the company filed a federal lawsuit in New York against operators behind BADBOX 2.0. Working with HUMAN Security, Trend Micro and Shadowserver, researchers exposed a network of over 10 million compromised devices, the largest known botnet of connected TVs. The malware enabled ad fraud and sold proxy access. Many devices ran uncertified Android Open Source Project builds. (CGU Inland Cyber Defense Clinic)
So why do these attacks succeed so easily? Manufacturers prioritize speed to market and low cost. Security often comes last. Firmware updates prove rare. Many devices never receive patches after the first year. Consumers plug them in, connect to Wi-Fi and move on. They never check traffic logs. Or notice unusual outbound connections.
Researchers at Akamai documented fresh Mirai variants in April 2026. One called tuxnokill exploited a year-old command injection flaw in D-Link routers. Another, Nexcorium, hit TBK DVRs with a mix of brute force, persistence and multi-architecture DDoS capabilities. The code even contained a strange message: “AI.NEEDS.TO.DIE.” The campaigns ran in parallel. (Help Net Security)
Yet disruption efforts reveal a stubborn truth. Takedowns remove command servers. They do not fix the underlying weaknesses. Millions of vulnerable devices remain online, ready for the next variant. Kimwolf alone compromised more than 2 million Android devices and issued 1.7 billion attack commands in a three-day window. Its ties to Aisuru suggest coordinated actors behind the scenes. (CE Pro)
Home networks now serve as launchpads. A single infected smart bulb or camera can bridge to corporate VPNs when employees work remotely. Encrypted threats rose 93 percent in 2024, SonicWall reported. That trend hides malicious traffic inside legitimate TLS sessions. Standard routers and ISPs struggle to inspect it. The corporate perimeter dissolves.
But individuals hold power here. Strong, unique passwords beat defaults every time. Regular firmware checks close known holes. Network segmentation isolates smart devices from computers and phones. Avoiding bargain-basement brands from unverified sellers reduces exposure. Monitoring bandwidth for unexplained surges offers early clues. And skipping unofficial app stores prevents the very backdoors the FBI highlighted.
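One way to watch for the unexplained surges mentioned above, as an added example that is not from the article or any agency alert. It assumes the router can export hourly per-device totals of outbound bytes and distinct remote hosts; the device names, sample values and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (device, hour, outbound_bytes, distinct_remote_hosts).
FLOWS = [
    ("picture-frame", 0, 120_000, 2), ("picture-frame", 1, 110_000, 2),
    ("picture-frame", 2, 130_000, 3), ("picture-frame", 3, 125_000, 2),
    # Proxy-like hours: heavy upload spread over hundreds of hosts.
    ("picture-frame", 4, 48_000_000, 310), ("picture-frame", 5, 52_000_000, 295),
    ("tv-box", 0, 900_000, 5), ("tv-box", 1, 950_000, 4),
    ("tv-box", 2, 1_000_000, 5),
    # Large upload to a handful of hosts: volume alone is not enough.
    ("tv-box", 3, 40_000_000, 6),
    ("laptop", 0, 5_000_000, 40), ("laptop", 1, 6_000_000, 55),
    ("laptop", 2, 5_500_000, 48), ("laptop", 3, 7_000_000, 60),
]

def find_surges(flows, warmup=3, byte_factor=10, host_factor=10):
    """Return (device, hour) pairs where outbound bytes AND distinct remote
    hosts both exceed factor x the median of that device's earlier hours.

    Requiring both signals targets relay-style traffic (many destinations,
    high upload) and ignores a single big transfer to a few hosts.
    The factors are assumed starting points, not published thresholds.
    """
    history = defaultdict(list)   # device -> [(bytes, hosts), ...] baseline
    alerts = []
    for device, hour, out_bytes, hosts in sorted(flows, key=lambda f: (f[0], f[1])):
        past = history[device]
        if len(past) >= warmup:
            base_bytes = median(b for b, _ in past)
            base_hosts = median(h for _, h in past)
            if out_bytes > byte_factor * base_bytes and hosts > host_factor * base_hosts:
                alerts.append((device, hour))
                continue          # keep flagged hours out of the baseline
        past.append((out_bytes, hosts))
    return alerts

if __name__ == "__main__":
    for device, hour in find_surges(FLOWS):
        print(f"review {device}: outbound surge in hour {hour}")
```

A flagged device is a candidate for isolation on a separate network segment and a firmware check, not proof of compromise.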
The industry has started to respond. Some manufacturers now promise longer support windows. Regulators discuss minimum security baselines. Yet adoption lags. Consumers still favor cheap convenience over verifiable protection. Criminals count on that choice.
Until habits change, the invisible tax continues. Homes become nodes in someone else’s criminal enterprise. Bandwidth gets siphoned. Privacy erodes. And the next record DDoS attack waits for the next unpatched device to join the fray. The evidence sits in agency alerts, researcher reports and courtroom filings. Ignoring it no longer works.


WebProNews is an iEntry Publication