
Aisuru Botnet Shifts From DDoS to Residential Proxies

Aisuru, the botnet known for unleashing several record-breaking DDoS attacks this year, has shifted focus. Instead of flooding networks with traffic, its operators are now renting out infected Internet of Things (IoT) devices as residential proxies. This move turns a once-destructive campaign into a profitable, quieter business model. The infected devices now serve as relays for customers seeking to hide their online activity, blending malicious traffic with that of everyday home users.


From Massive Attacks to Silent Rentals

The botnet first appeared in August 2024 and has since compromised at least 700,000 IoT systems, including routers, digital video recorders, and security cameras. At its peak, Aisuru was capable of generating attacks exceeding 30 terabits per second. In June, it launched a 6.3-terabit-per-second assault against KrebsOnSecurity, one of the largest attacks Google’s mitigation network had ever recorded.

Such attacks did more than target single websites; they caused collateral damage across entire Internet service providers. When Aisuru's nodes were used for outbound DDoS traffic, the resulting data floods sometimes exceeded a terabit per second per provider, overloading routers and degrading service for legitimate customers. Federal authorities and major ISPs in both the United States and Europe have since begun cooperating to identify and block the botnet's infrastructure.


The Rise of the Residential Proxy Economy

Recent updates to Aisuru’s malware turned its infected devices into part of the residential proxy market. Proxy services lease access to these devices, letting customers mask their online traffic as if it came from legitimate household connections. While proxies have valid business uses such as price monitoring or web analytics, they are often abused to disguise cybercrime operations including ad fraud, credential stuffing, and large-scale scraping.

This market has grown explosively. Data collected from monitoring services indicates that hundreds of millions of residential IPs are now available for rent. Much of this surge is likely tied to botnets like Aisuru, which provide a steady influx of compromised devices. The abundance of residential proxies has become a valuable resource for data harvesting operations supporting artificial intelligence projects, particularly those training large language models on scraped content.


Exploiting SDKs for Bandwidth and Profit

Many proxy networks expand their reach through software development kits bundled into mobile or desktop apps. These SDKs often claim user consent but can quietly convert a device into a traffic relay. Infected devices under Aisuru’s control may be forced to install such SDKs automatically, allowing the botmasters to profit each time bandwidth from those devices is sold to proxy services.

Researchers have linked parts of this ecosystem to companies in China operating under collective brands like HK Network. These entities manage multiple proxy services that resell bandwidth among themselves, complicating efforts to track their true ownership and size. The structure allows them to market large proxy pools under different names while remaining largely anonymous.


Impact on the Internet and AI Infrastructure

This shift from DDoS to proxy operations has significant consequences. Instead of causing short-lived outages, the infrastructure now supports long-term, large-scale data scraping that burdens websites, APIs, and open-source projects. Some maintainers report that nearly all of their incoming traffic now comes from automated crawlers feeding AI systems.

The strain has grown so severe that companies like Cloudflare are testing “pay-per-crawl” systems to let website owners charge AI bots for access. Others, like Reddit, have begun legal action against proxy providers accused of enabling large-scale scraping in violation of platform policies.


Implications for Security Teams

For security operations centers and network defenders, this evolution demands new detection methods. Malicious traffic now originates from residential IPs, making it far harder to distinguish from legitimate user activity, and traditional blocklists and data-center IP reputation checks no longer suffice. Behavioral indicators, such as simultaneous long-duration sessions, abnormal bandwidth usage, or repetitive access patterns, are now the key signals. Because proxy services rotate their customers across the pool of rented addresses, those indicators should also be correlated on session identifiers and client fingerprints rather than on source IP alone, or a single scraping job will look like thousands of unrelated visitors.
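The behavioral approach described above, shown as an added example (not code from the article or from any vendor): it scores each client in a web access log on session length, cadence regularity and URL diversity instead of on IP reputation. The log lines are constructed for the example and use documentation address ranges; the thresholds are illustrative starting points, not published figures. Note that a metronomic cadence alone is not enough, since uptime monitors are just as regular, so the rule requires all three signals together.

```python
"""Behavioural scoring of web request logs for traffic that arrives from
residential address space, where IP reputation alone says nothing."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# One line per request: client IP, ISO timestamp, method, path, status.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def build_sample_log():
    """Constructed log lines (not real traffic). Three clients on documentation
    address ranges: a catalogue scraper, a human browsing, an uptime monitor."""
    base = datetime(2025, 11, 1, 10, 0, 0)
    lines = []
    # Scraper: 60 requests, one per catalogue page, at a near-fixed 2-2-3 s cadence.
    t = base
    for i in range(60):
        lines.append(f"203.0.113.10 {t.isoformat()} GET /product/{i} 200")
        t += timedelta(seconds=(2, 2, 3)[i % 3])
    # Human: a handful of pages with irregular gaps and a repeat visit.
    for off, path in zip((0, 17, 95, 101, 240, 600),
                         ("/", "/login", "/account", "/product/7", "/product/7", "/cart")):
        lines.append(f"198.51.100.7 {(base + timedelta(seconds=off)).isoformat()} GET {path} 200")
    # Uptime monitor: perfectly regular, but always the same single path.
    for i in range(10):
        lines.append(f"192.0.2.44 {(base + timedelta(seconds=10 * i)).isoformat()} GET /health 200")
    return sorted(lines, key=lambda line: line.split()[1])


def profile_log(lines):
    """Group requests by client IP and compute per-client behavioural features."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        per_ip[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["path"]))

    profiles = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        times = [t for t, _ in reqs]
        paths = [p for _, p in reqs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and statistics.fmean(gaps) > 0:
            # Coefficient of variation of inter-request gaps: near 0 means a timer, not a person.
            cadence_cv = statistics.pstdev(gaps) / statistics.fmean(gaps)
        else:
            cadence_cv = None
        profiles[ip] = {
            "requests": len(reqs),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "distinct_path_ratio": len(set(paths)) / len(paths),
            "cadence_cv": cadence_cv,
        }
    return profiles


def classify(p, min_requests=30, min_span_s=60, max_cv=0.35, min_path_ratio=0.8):
    """Flag a long, metronomic session that keeps walking new URLs. Each signal
    alone is innocent: monitors are regular, humans browse for a long time."""
    if (p["requests"] >= min_requests and p["span_s"] >= min_span_s
            and p["cadence_cv"] is not None and p["cadence_cv"] < max_cv
            and p["distinct_path_ratio"] >= min_path_ratio):
        return "likely-automated-scrape"
    return "ok"


if __name__ == "__main__":
    for ip, p in profile_log(build_sample_log()).items():
        print(f"{ip:14} n={p['requests']:3} span={p['span_s']:5.0f}s "
              f"paths={p['distinct_path_ratio']:.2f} cv={p['cadence_cv']} -> {classify(p)}")
```

On real traffic the same features should be keyed on a session cookie or TLS fingerprint in addition to the IP, since a proxy pool will spread one job over many addresses.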

Monitoring outbound flows from IoT networks, enforcing segmentation, and maintaining strict firmware update policies are critical steps in preventing internal devices from being hijacked into proxy networks. Collaboration with ISPs and intelligence-sharing groups will also be vital as these hybrid proxy-botnets continue to expand.
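As an added example of the outbound-flow monitoring recommended above (not code from the article), the script below summarizes Internet-bound flows from an IoT VLAN per device and alerts when a camera or DVR starts contacting far more external hosts than its vendor allowlist permits, which is what a device rented out as a proxy relay looks like. The VLAN, the allowlist, the flow records and the threshold are all assumptions made up for the example; the documentation and benchmark address ranges stand in for Internet hosts.

```python
"""Egress monitoring for an IoT segment: a camera or DVR rented out as a proxy
relay starts contacting many unrelated Internet hosts it never spoke to before."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (not from the article): one VLAN for cameras and DVRs,
# RFC 1918 space treated as internal, and an allowlist of the vendor endpoints
# each device legitimately needs.
IOT_SEGMENT = ip_network("10.20.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
EXPECTED_DESTS = {
    "10.20.0.5": {"198.51.100.20", "192.0.2.1"},  # vendor cloud relay + NTP
    "10.20.0.7": {"198.51.100.20", "192.0.2.1"},
}


def build_sample_flows():
    """Constructed flow records (src, dst, dport, bytes_out, bytes_in); documentation
    and benchmark address ranges stand in for Internet hosts. Not captured data."""
    flows = []
    # Healthy camera: uploads video to its vendor cloud and syncs its clock.
    for _ in range(40):
        flows.append(("10.20.0.5", "198.51.100.20", 443, 250_000, 3_000))
    flows.append(("10.20.0.5", "192.0.2.1", 123, 48, 48))
    # Hijacked DVR: keepalives to one upstream hub, then fan-out to 90 web hosts
    # whose responses it pulls in on behalf of whoever rented the proxy.
    for _ in range(30):
        flows.append(("10.20.0.7", "203.0.113.9", 8443, 60_000, 600))
    for i in range(90):
        dst = f"198.18.{i // 20}.{i % 20 + 1}"
        flows.append(("10.20.0.7", dst, (80, 443)[i % 2], 4_000, 60_000))
    # Workstation on another VLAN: outside the IoT rule, ignored.
    for i in range(50):
        flows.append(("10.30.0.15", f"198.18.9.{i + 1}", 443, 2_000, 20_000))
    return flows


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def summarize_egress(flows, segment=IOT_SEGMENT):
    """Per-device view of Internet-bound flows from sources inside the IoT segment."""
    summary = defaultdict(lambda: {"flows": 0, "ports": set(), "bytes_by_dst": {}})
    for src, dst, dport, bytes_out, bytes_in in flows:
        if ip_address(src) not in segment or is_internal(dst):
            continue
        s = summary[src]
        s["flows"] += 1
        s["ports"].add(dport)
        out_in = s["bytes_by_dst"].setdefault(dst, [0, 0])
        out_in[0] += bytes_out
        out_in[1] += bytes_in
    return dict(summary)


def detect_relays(summary, expected=EXPECTED_DESTS, max_new_dsts=25):
    """Flag a device whose Internet destinations fan out beyond its allowlist.
    Toward those unexpected hosts a relay is download-heavy (it fetches pages for
    its customers), the opposite of a camera pushing video upstream."""
    findings = {}
    for src, s in summary.items():
        unexpected = set(s["bytes_by_dst"]) - expected.get(src, set())
        if len(unexpected) <= max_new_dsts:
            continue
        out_b = sum(s["bytes_by_dst"][d][0] for d in unexpected)
        in_b = sum(s["bytes_by_dst"][d][1] for d in unexpected)
        shape = "download-heavy" if in_b > out_b else "upload-heavy"
        findings[src] = (f"{len(unexpected)} unexpected Internet destinations on ports "
                         f"{sorted(s['ports'])}, {shape} toward them")
    return findings


if __name__ == "__main__":
    for src, why in detect_relays(summarize_egress(build_sample_flows())).items():
        print(f"ALERT {src}: {why}")
```

The allowlist is the part that does the work: once the IoT segment is firewalled so that devices can only reach their vendor endpoints, this check becomes a report of policy violations rather than a heuristic, and the same data feeds the firmware-update and segmentation reviews the paragraph calls for.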


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.