Skip to Main Content
Home
Blog
Botnet explained: How cyber criminals hijack computers

Botnet explained: How cyber criminals hijack computers

Updated: October 14, 2025 by Oliver Buxton

3 years ago

When we think of cybercrime, we usually see a hacker who gains unauthorised access to a computer. This involves installing viruses, stealing information or paralysing computers. However, an attack is often not just aimed at a single person, but at setting up an entire network of infected computers. This is known as a botnet , an invisible digital infrastructure consisting of numerous infected devices that are bundled together and used for criminal purposes. In this article, you can read exactly what botnets are, how they are created and how they work and how you can protect yourself and your technical devices. You can also find out how Avira Free Security can help you navigate the Internet even more securely.

Download Avira Free Antivirus
Download Avira Free Antivirus
Install free Avira Mobile Security
Install free Avira Antivirus Security

 

What is a botnet?

A botnet is a network of many computers and generally internet-enabled devices (IoT devices) that have been taken over by criminals. Hackers control these computers remotely without the owners realising it. In this way, all individual ‘hijacked’ devices become part of a large, hidden network. Cyber criminals use these networks for various purposes. Above all, attacks to overload servers, data theft and spam are among the most common scams for which such networks are used.

How do botnets work?

Even though a botnet is always made up of many, often thousands of internet-enabled end devices, there are different types of these networks. Botnets differ from each other in terms of their structures, targets and types of communication. The most common types include centralised botnets, peer-to-peer botnets and hybrid botnets.

Centralised botnets

In centralised botnets, communication between the hacker (‘botmaster’) and the individual devices (‘bots’) takes place via a central control unit. The hacker gives his instructions to all the bots via one channel.

Advantage: Centralised, targeted communication makes it easier to coordinate and control the entire network.

Disadvantage: As soon as this one central server is switched off, the botmaster loses control of the entire network.

Peer-to-peer botnets

In a peer-to-peer botnet (P2P), communication does not take place via a central control unit, but is completely decentralised. The individual infected devices communicate with each other and give each other commands and instructions.

Advantage: Because communication is complex and takes place via many nodes, the network is very difficult to switch off.

Disadvantage: The coordination and control of networked devices is significantly more complex and demanding.

Hybrid botnets

Hybrid botnets combine the advantages of centralised and P2P botnets. Although the botmaster issues its commands via a centralised server, the bots still communicate with each other.

Advantage: Hybrid botnets are very flexible and resilient. Instructions reach many devices in a short time but are not completely dependent on a central server.

Disadvantage: This type of network is very difficult to programme and implement.

How do cybercriminals use botnets?

Hackers use botnets for various illegal activities with which they hope to gain unauthorised access to computers, data and information. The four most common areas of use include:

DDoS attacks

In a DDoS attack (Distributed Denial-of-Service), the botmaster directs the entire network of manipulated devices specifically at a website or application. The aim is to overwhelm the servers with the large number of requests so that legitimate requests can no longer be processed reliably. This either significantly slows down the respective service or even renders it completely unusable.

A DDoS attack is comparable to a huge rush on an online shop when a limited edition product goes online. Although most of the requests come from real users who are all trying their luck at shopping, the effect remains the same. The servers are overloaded beyond their capacity and collapse completely.

Spam & phishing

Another very popular scam among cyber criminals is phishing. This term refers to the mass sending of malicious emails. These are sent in large quantities with little or no personalisation. Phishing emails often disguise themselves as a legitimate email from a legitimate person or a well-known company. In addition to an urgent request, the messages almost always contain a link that leads to a malicious or manipulated website. The aim of phishing is always to steal sensitive information (such as login details) or to infect the device with malware.

By interacting with fake emails and malicious links to fraudulent websites, recipients often become part of a botnet themselves without realising it. The victims’ email accounts are used to send manipulated emails in their name to existing (or random third party) contacts. Anyone who receives spam messages from trusted people is much more susceptible to falling for the malicious content.

Data theft and identity theft

Cyber criminals use botnets not only for targeted remote control, but also for stealing data. Typically, malware programmed specifically for data theft is installed. The most common tools include keyloggers and spyware.

The theft of cookies is also a serious threat. Hackers do not need to log in to accounts if they use a session cookie in which the victim has already successfully logged in. In the victim’s active session, the victim is already logged in to online banking or an online shop, for example.

However, targeted searches for documents and files containing sensitive information are also conceivable in botnets. The computers are already infected and access to the content is possible. Popular targets for hackers are dates of birth, national insurance numbers, emails, photos and videos.

Mining cryptocurrency

The importance of cryptocurrencies such as Bitcoin and Ethereum has continued to grow since their introduction. So-called miners ensure that the system works. These are individuals and groups who provide their computing power to solve complex mathematical tasks. The miners’ task is to verify transactions within the blockchain. As an incentive for providing their computing power, the miners receive a share of the transactions (known as fees).

The botmasters use their botnets to provide the computing power of the manipulated devices on a large scale. In this way, they secure large and numerous shares of the respective cryptocurrency. The actual owners of the manipulated computers are unaware of this and do not receive a share of the fees. However, users notice the impaired computing power comparatively quickly, so they are more likely to become aware of the misuse of the device.

By the way: Detailed information on how mining and cryptocurrency work in general can be found in the article ‘What is Bitcoin?’.

How are botnets spread?

There are different ways in which botnets spread and expand. In each case, either human error or technical security vulnerabilities are exploited. The most common ways in which botnets spread include:

  • Malicious software: Infected email attachments, websites or drive-by downloads load and install malware on victims’ computers unnoticed.
  • Phishing: Cyber criminals send masses of emails with malicious links to seemingly legitimate websites. As soon as users click on these links, malware is installed in the background.
  • Security vulnerabilities: Hackers exploit known security gaps in networks and applications to gain unauthorised access to victims’ devices.
  • Brute force: This type of attack uses automated methods to crack passwords for systems or user accounts. A brute force attack is often successful, especially with weak passwords.
  • Social engineering: Attackers present a false identity and trick victims into installing malicious software on their computer. The most common hangers include necessary software updates and supposedly helpful tools.
  • Peer-to-peer: Criminals also spread their botnet malware between several unsecured computers within the same network.

What are the signs of a botnet infection?

As a botnet is set up unnoticed in the background, victims do not realise, or realise very late, that their internet-enabled devices have been manipulated. However, there are a few typical signs of a botnet infection:

  • Computing power: If programmes react more slowly or take longer to open, this may be an indication of an infection.
  • Network utilisation: High network utilisation that you cannot explain is also a possible sign of an infection. Unexplained upload and download volumes are an indication of unauthorised data traffic.
  • Task manager: As soon as your task manager shows you unknown or suspicious processes, you should react immediately.
  • Security software: Malware attempts to deactivate your anti-virus programmes, firewalls or other tools in order to remain undetected.
  • Outgoing spam: If your email account is sending spam messages to your contacts, you should also act quickly.
  • Blocked IP addresses: If you notice that you or your IP is blocked on a site, this may indicate a botnet infection. Computers that attract attention through malicious actions such as DDoS attacks are often placed on blacklists.

How do you protect yourself from botnets?

The best way to protect yourself against botnet infections is to be aware of how you use emails, links and the Internet in general. Most infections occur via manipulated downloads and links on malicious websites. Do not click on any links from e-mails that you were not expecting and that make a strange impression. Do not download any tools from pop-up adverts, even if they sound useful and harmless.

Also regularly update your operating system and all installed applications. Many software updates can also be installed automatically, so you don’t have to do anything. If you also monitor your network traffic for unusual utilisation and suspicious connections, you will significantly increase your security.

Additional protection thanks to Avira Free Security

If you are alert and aware of potential dangers on the Internet, you are already making a significant contribution to your security. With a reliable firewall and Avira Free Security, you benefit from additional protection that makes it even more difficult for attackers.

The tool recognises potential threats in real time and informs you about them. You also have the option of surfing anonymously and securely in unsecured networks thanks to VPN. This prevents hackers from finding you, even if you are surfing on a public network.

Download Avira Free Antivirus
Download Avira Free Antivirus
Install free Avira Mobile Security
Install free Avira Antivirus Security

Explore cybersecurity topics

This post is also available in: GermanFrenchItalian

Oliver Buxton
Oliver Buxton
Cybersecurity Writer
Oliver Buxton is Gen employee and cybersecurity writer focused on the social impacts of advanced persistent threats. Oliver’s work on cyberterrorism and cyberwarfare has been published in The Times, and he previously worked on digital safeguarding policy for higher education institutions. When not writing, Oliver is likely lost in a history book, practicing photography, or piloting drones.He holds an M.A. in History of Warfare from King’s College London, specializing in cyberwarfare and the role of digital communications in the evolution of insurgency, as well as certificates in Introduction to Cyber Attacks and Cyber Attack Countermeasures from Coursera.

Related articles

View all
Avira logo

Surf more securely with Avira Free Security – and protect your privacy.

Free download
Avira logo

Surf more securely with Avira Free Security – and protect your privacy.

Free download
Avira logo

Surf more securely on the move with Avira Free Security – and protect your privacy.

Free install
Avira logo

Surf more securely on the move with Avira Free Security – and protect your privacy.

Free install