How Are Mirai Botnets Evolving into Global Cyber Threats?

Dominic Jainy stands at the intersection of emerging technology and digital defense, bringing a wealth of expertise in artificial intelligence, machine learning, and the intricate world of blockchain. As an IT professional who has spent years dissecting how these technologies can be both a shield and a weapon, Jainy offers a unique perspective on the shifting landscape of global cyber threats. His work often focuses on the resilience of infrastructure against increasingly sophisticated actors who leverage automation to scale their reach. Today, we sit down with him to discuss the alarming evolution of Mirai-based botnets, which have transformed from a singular malware strain into a sprawling, multi-billion-device threat ecosystem that challenges our fundamental concepts of network security.

Our conversation delves into the geographic migration of command and control servers and the technical nuances of high-velocity DDoS attacks that dwarf previous records. Jainy explains the monetization of compromised devices through social platforms and the specific vulnerabilities inherent in the Android-based IoT devices that fill our modern homes. We also explore the tactical shift toward decentralized, encrypted networks like I2P and the critical defensive measures—from protective DNS to credential management—that remain the most effective barriers against this tide of automated exploitation.

Botnet command and control servers have seen a massive surge, with the United States recently overtaking China as the primary host. What specific infrastructure shifts are driving this geographic migration, and how does this change the speed at which new malware variants can be deployed?

The surge we are witnessing is truly staggering, with botnet command and control (C2) activity jumping by 26% in the first half of 2025 and another 24% in the latter half of that same year. This migration to the United States reflects a tactical realization by threat actors that domestic infrastructure often provides more reliable uptime and lower latency for targeting Western targets. Because the Mirai source code is publicly available, the “barrier to entry” has vanished, allowing even low-skilled criminals to spin up a new variant in a matter of hours. This geographic shift means that the delay between a vulnerability being discovered and a malware variant being deployed against US-based IoT devices has shrunk to almost zero. We are no longer looking at overseas threats that can be filtered at the border; the call is coming from inside the house, so to speak, using high-speed American servers to coordinate chaos.

Recent DDoS floods have reached staggering levels of 31.4 terabits per second. Beyond sheer volume, how do these massive packet-per-second assaults bypass traditional mitigation strategies, and what metrics should organizations monitor to detect these high-velocity events in real-time?

When you look at an assault that hits 14.1 billion packets per second, you realize we have moved past the era of simple bandwidth exhaustion into a realm of pure computational overwhelm. Traditional filters often struggle because these Aisuru-Kimwolf floods are designed to saturate the processing tables of stateful firewalls before the actual bandwidth limit is even approached. It feels like a tidal wave hitting a sea wall; even if the wall stands, the spray is so intense that nothing behind it can function. Organizations must move beyond just monitoring “bits per second” and start obsessing over “packets per second” and “CPU interrupt rates” on their edge devices. If you aren’t tracking the rate of new connection attempts per millisecond, you will be blind to the onset of a high-velocity event until your entire network stack is already paralyzed.

Cybercriminals are increasingly using platforms like Discord and Telegram to sell access to compromised residential proxies. How does routing attack traffic through legitimate home IP addresses complicate the attribution process, and what steps can be taken to disrupt these decentralized criminal marketplaces?

Routing malicious traffic through a regular person’s home router is a masterstroke of evasion because it masks the attacker’s footprint behind the digital identity of a suburban family or a remote worker. When an attack originates from a residential IP, it carries the “reputation” of a legitimate consumer, making it nearly impossible for automated blacklists to block the traffic without causing massive collateral damage. These criminal marketplaces on Telegram and Discord have turned botnet management into a streamlined retail business where access to a million-host botnet is sold like a subscription service. To disrupt this, we need a two-pronged approach: aggressive undercover operations within these social platforms to identify the sellers, and better cooperation with Internet Service Providers to detect abnormal outbound traffic patterns from residential accounts. It’s a frustrating game of cat and mouse where the attackers are essentially “renting” the trust we place in everyday internet users.

Mobile-focused subvariants like Kimwolf are now infecting millions of Android devices and Smart TVs via automated install scripts. What unique vulnerabilities in mobile CPU architectures are these scripts exploiting, and how can manufacturers improve the default security of IoT devices during the initial setup?

Kimwolf is particularly insidious because it targets the diverse world of ARC and ARM-based processors that power everything from your smartphone to the smart TV in your living room. The malware uses automated scripts that download various .apk files, testing each one to see which architecture the device is running, effectively “feeling out” the hardware until it finds a way in. This has allowed it to compromise roughly two million Android devices globally, turning domestic convenience into a weaponized node. Manufacturers must move away from the “ease of use” obsession that leaves devices open to these scripts and implement mandatory, unique password setups that prevent automated logins. We need a sensory shift in how we view these devices; a smart TV should be treated like a high-end server with the same rigorous security protocols, rather than a plug-and-play toy.

Following recent infrastructure disruptions, some botnet operators have shifted operations to the Invisible Project (I2P) to anonymize traffic. Why is a decentralized, encrypted network like I2P so difficult for security teams to monitor, and what are the practical implications for future takedown operations?

The shift to I2P is a direct response to the successful DOJ and Google disruptions of IPIDEA infrastructure, showing that these operators are incredibly resilient and quick to adapt. Unlike a traditional server that has a fixed IP address you can seize, I2P is a decentralized “garlic routing” network where every participant acts as a router, making the command-and-control heart of the botnet invisible. It’s like trying to find a specific drop of water in a moving river; the data is encrypted and constantly shifting through different nodes. This move means that traditional “takedown” operations, like the one on March 19, 2026, which targeted Aisuru and Mossad, will become significantly harder because there is no central “kill switch” to pull. Future operations will likely require more complex “sinkholing” techniques and long-term infiltration of the decentralized nodes themselves to disrupt communication.

Organizations are encouraged to use protective DNS and consistent patching to defend against Mirai-based threats. Can you walk through a step-by-step framework for securing publicly accessible network routers, and why are unique, non-factory credentials still considered the most critical line of defense?

The first step in any defense framework is the immediate elimination of factory defaults; the vast majority of Mirai’s success stems from the fact that people simply never change the “admin/admin” credentials their router came with. From there, you must implement a “patch-first” culture where firmware updates are treated as critical events, especially for devices exposed to the public internet. Third, deploying a protective DNS service acts as a vital safety net, filtering out known malicious domains before a connection can even be established. Finally, disabling unnecessary services like Telnet or UPnP limits the “surface area” that a botnet can probe. Unique credentials are the “deadbolt” on the digital door; without them, all other security measures are like having an alarm system but leaving the front door wide open for anyone with a master key.

What is your forecast for Mirai-based botnets?

I forecast that Mirai-based botnets will move toward a “hybrid-autonomous” model, where the malware itself uses small, onboard machine learning models to identify vulnerabilities without needing constant instructions from a central server. We will likely see the 1 to 4 million host range become the new baseline as “smart” appliances continue to flood the market without adequate security regulations. As botnet operators lean harder into decentralized networks like I2P, we will witness a move away from massive, singular “takedowns” toward a more persistent, low-intensity war of attrition between defenders and these self-healing networks. Ultimately, the threat will become more localized and personal, with attackers focusing less on grand DDoS events and more on the lucrative exploitation of residential proxies to facilitate fraud and identity theft at scale.
